From 017408e048ae2419baf0adba424b51d85b063a30 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Fri, 11 Apr 2014 16:29:45 +0200
Subject: [PATCH] =?UTF-8?q?Use=20iptables'=20=E2=80=98-w=E2=80=99=20flag?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This prevents errors like "Another app is currently holding the
xtables lock" if the firewall and NAT services are starting in
parallel.  (Longer term, we should probably move to a single service
for managing the iptables rules.)
---
 nixos/modules/services/networking/firewall.nix |  6 +++---
 nixos/modules/services/networking/nat.nix      | 18 +++++++++---------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 62d92ba50e18..a1ca5dcdcb19 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -32,9 +32,9 @@ let
     ''
       # Helper command to manipulate both the IPv4 and IPv6 tables.
       ip46tables() {
-        iptables "$@"
+        iptables -w "$@"
         ${optionalString config.networking.enableIPv6 ''
-          ip6tables "$@"
+          ip6tables -w "$@"
         ''}
       }
     '';
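Review bot: A bare `-w` makes every call routed through ip46tables wait without an upper bound for the xtables lock, so a wedged iptables process elsewhere on the host now turns the "lock held" error into a start script that hangs until the unit's start timeout instead of failing with a logged message; nothing in the hunk records that trade-off. The helper comment on the line above `ip46tables()` is the natural place: `# Helper command to manipulate both the IPv4 and IPv6 tables. -w blocks until the xtables lock is free so units starting in parallel do not fail.` It should also be confirmed that the iptables and ip6tables builds used here accept `-w` (older releases reject it as an unknown option), since a rejection here would make every firewall rule fail to load rather than occasionally race. The `let` block this helper is defined in begins before the hunk.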
@@ -386,7 +386,7 @@ in
 
             # Optionally respond to ICMPv4 pings.
             ${optionalString cfg.allowPing ''
-              iptables -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
+              iptables -w -A nixos-fw -p icmp --icmp-type echo-request ${optionalString (cfg.pingLimit != null)
                 "-m limit ${cfg.pingLimit} "
               }-j nixos-fw-accept
             ''}
diff --git a/nixos/modules/services/networking/nat.nix b/nixos/modules/services/networking/nat.nix
index 3d3899a5c41a..7f4094de12f1 100644
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@@ -95,26 +95,26 @@ in
 
         preStart =
           ''
-            iptables -t nat -F PREROUTING
-            iptables -t nat -F POSTROUTING
-            iptables -t nat -X
+            iptables -w -t nat -F PREROUTING
+            iptables -w -t nat -F POSTROUTING
+            iptables -w -t nat -X
 
             # We can't match on incoming interface in POSTROUTING, so
             # mark packets coming from the external interfaces.
             ${concatMapStrings (iface: ''
-              iptables -t nat -A PREROUTING \
+              iptables -w -t nat -A PREROUTING \
                 -i '${iface}' -j MARK --set-mark 1
             '') cfg.internalInterfaces}
 
             # NAT the marked packets.
             ${optionalString (cfg.internalInterfaces != []) ''
-              iptables -t nat -A POSTROUTING -m mark --mark 1 \
+              iptables -w -t nat -A POSTROUTING -m mark --mark 1 \
                 -o ${cfg.externalInterface} ${dest}
             ''}
 
             # NAT packets coming from the internal IPs.
             ${concatMapStrings (range: ''
-              iptables -t nat -A POSTROUTING \
+              iptables -w -t nat -A POSTROUTING \
                 -s '${range}' -o ${cfg.externalInterface} ${dest}
             '') cfg.internalIPs}
 
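Review bot: The three `iptables -w -t nat -F PREROUTING` / `-F POSTROUTING` / `-X` lines at the top of preStart are repeated verbatim in the postStop hunk below, and with the new flag on each of them these six calls are now the only place in the file where the wait-for-lock behaviour is spelled out; a small shell helper defined once (as firewall.nix does with its ip46tables function) would keep the flag and the flush sequence in one place. As with the firewall module, `-w` here has no timeout, so while another unit holds the lock the NAT unit's preStart waits rather than fails and only the unit's start timeout bounds it; I would say so in a comment above the first flush line, e.g. `# -w: wait for the xtables lock instead of failing when the firewall unit runs concurrently.` Whether every iptables invocation in this module received the flag cannot be seen from these hunks. The systemd service attribute set enclosing preStart begins before the hunk.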
@@ -123,9 +123,9 @@ in
 
         postStop =
           ''
-            iptables -t nat -F PREROUTING
-            iptables -t nat -F POSTROUTING
-            iptables -t nat -X
+            iptables -w -t nat -F PREROUTING
+            iptables -w -t nat -F POSTROUTING
+            iptables -w -t nat -X
           '';
       };
   };