Add --wait to iptables calls
This change updates the calls that we us in the ocf scripts to determine if the rules are present to include the -w flag to prevent the scripts from failing if another iptables call is currently running. It has been reported that this can occur when the ocf scripts are running in parallel to the puppet deployment (firewall task) Change-Id: Ia603f5643720a5fa5407de36ca75830a7c3f57fa Closes-Bug: #1605540
This commit is contained in:
parent
40088d3ddf
commit
8fffe24cb0
|
@ -337,10 +337,10 @@ set_ns_routing() {
|
|||
fi
|
||||
|
||||
# set masquerade on host node
|
||||
iptables -n -t nat -L | grep -q masquerade-for-haproxy-namespace
|
||||
iptables -n --wait -t nat -L | grep -q masquerade-for-haproxy-namespace
|
||||
if [ $? -gt 0 ]; then
|
||||
ocf_log debug "Creating NAT rule on the host system for traffic from IP: ${OCF_RESKEY_namespace_ip}"
|
||||
ocf_run iptables -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-haproxy-namespace"
|
||||
ocf_run iptables --wait -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-haproxy-namespace"
|
||||
fi
|
||||
|
||||
### Needed for ML2 routing ###
|
||||
|
|
|
@ -256,10 +256,10 @@ set_ns_routing() {
|
|||
fi
|
||||
|
||||
# set masquerade on host node
|
||||
iptables -n -t nat -L | grep -q masquerade-for-vrouter-namespace
|
||||
iptables -n --wait -t nat -L | grep -q masquerade-for-vrouter-namespace
|
||||
if [ $? -gt 0 ]; then
|
||||
ocf_log debug "Creating NAT rule on the host system for traffic from IP: ${OCF_RESKEY_namespace_ip}"
|
||||
ocf_run iptables -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-vrouter-namespace"
|
||||
ocf_run iptables --wait -t nat -A POSTROUTING -s "${OCF_RESKEY_namespace_ip}" -j MASQUERADE -m comment --comment "masquerade-for-vrouter-namespace"
|
||||
fi
|
||||
|
||||
### Needed for ML2 routing ###
|
||||
|
|
|
@ -691,9 +691,9 @@ block_client_access()
|
|||
# do not add temporary RMQ blocking rule, if it is already exist
|
||||
# otherwise, try to add a blocking rule with max of 5 retries
|
||||
local tries=5
|
||||
until $(iptables -nvL | grep -q 'temporary RMQ block') || [ $tries -eq 0 ]; do
|
||||
until $(iptables -nvL --wait | grep -q 'temporary RMQ block') || [ $tries -eq 0 ]; do
|
||||
tries=$((tries-1))
|
||||
iptables -I INPUT -p tcp -m tcp --dport ${OCF_RESKEY_node_port} -m state --state NEW,RELATED,ESTABLISHED \
|
||||
iptables --wait -I INPUT -p tcp -m tcp --dport ${OCF_RESKEY_node_port} -m state --state NEW,RELATED,ESTABLISHED \
|
||||
-m comment --comment 'temporary RMQ block' -j REJECT --reject-with tcp-reset
|
||||
sleep 1
|
||||
done
|
||||
|
@ -707,8 +707,8 @@ block_client_access()
|
|||
unblock_client_access()
|
||||
{
|
||||
# remove all temporary RMQ blocking rules, if there are more than one exist
|
||||
for i in $(iptables -nvL --line-numbers | awk '/temporary RMQ block/ {print $1}'); do
|
||||
iptables -D INPUT -p tcp -m tcp --dport ${OCF_RESKEY_node_port} -m state --state NEW,RELATED,ESTABLISHED \
|
||||
for i in $(iptables -nvL --wait --line-numbers | awk '/temporary RMQ block/ {print $1}'); do
|
||||
iptables --wait -D INPUT -p tcp -m tcp --dport ${OCF_RESKEY_node_port} -m state --state NEW,RELATED,ESTABLISHED \
|
||||
-m comment --comment 'temporary RMQ block' -j REJECT --reject-with tcp-reset
|
||||
done
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue