diff options
| author | Boris Kolpackov <boris@codesynthesis.com> | 2017-08-13 14:28:04 +0200 |
|---|---|---|
| committer | Boris Kolpackov <boris@codesynthesis.com> | 2017-08-14 12:10:04 +0200 |
| commit | 6e38485dd8d43abbce0bf8d01755681b9171952d (patch) | |
| tree | 760e86a126cd0c79015003fd82b7f919c97c4321 | |
| parent | b56d55e6fb8e149344fd426c44ec136a4ca00315 (diff) | |
Reorder options in iptables commands
It seems to matter when trying to delete rules.
| -rw-r--r-- | bbot/agent/machine.cxx | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/bbot/agent/machine.cxx b/bbot/agent/machine.cxx index 9502021..0d1bda1 100644 --- a/bbot/agent/machine.cxx +++ b/bbot/agent/machine.cxx @@ -42,16 +42,19 @@ namespace bbot process_exit::code_type e; + // It seems the order of options is significant when it comes to deleting + // the entries (this order is as printed by iptables -S). + // e = run_io_exit (t, 0, ofd, ofd, "sudo", "iptables", "-t", "nat", a, "PREROUTING", - "-m", "udp", + "-i", br, "-p", "udp", + "-m", "udp", + "--dport", 69, "-m", "physdev", - "-i", br, "--physdev-in", tap, - "--dport", 69, "-j", "DNAT", "--to-destination", addr + ':' + to_string (port)); @@ -63,13 +66,13 @@ namespace bbot e = run_io_exit (t, 0, ofd, ofd, "sudo", "iptables", a, "FORWARD", - "-m", "udp", + "-d", addr, + "-o", br, "-p", "udp", + "-m", "udp", + "--dport", port, "-m", "physdev", - "-o", br, "--physdev-out", tap, - "-d", addr, - "--dport", port, "-m", "state", "--state", "NEW,ESTABLISHED,RELATED", "-j", "ACCEPT"); @@ -129,8 +132,8 @@ namespace bbot void destroy () { - destroy_tap (iface, bridge, port); - iface.clear (); + string i (move (iface)); // No need trying again if below fails. + destroy_tap (i, bridge, port); } }; |