From 6e38485dd8d43abbce0bf8d01755681b9171952d Mon Sep 17 00:00:00 2001
From: Boris Kolpackov
Date: Sun, 13 Aug 2017 14:28:04 +0200
Subject: Reorder options in iptables commands

It seems to matter when trying to delete rules.
---
 bbot/agent/machine.cxx | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/bbot/agent/machine.cxx b/bbot/agent/machine.cxx
index 9502021..0d1bda1 100644
--- a/bbot/agent/machine.cxx
+++ b/bbot/agent/machine.cxx
@@ -42,16 +42,19 @@ namespace bbot
 process_exit::code_type e;
+ // It seems the order of options is significant when it comes to deleting
+ // the entries (this order is as printed by iptables -S).
+ //
 e = run_io_exit (t, 0, ofd, ofd,
 "sudo", "iptables",
 "-t", "nat",
 a, "PREROUTING",
- "-m", "udp",
+ "-i", br,
 "-p", "udp",
+ "-m", "udp",
+ "--dport", 69,
 "-m", "physdev",
- "-i", br,
 "--physdev-in", tap,
- "--dport", 69,
 "-j", "DNAT",
 "--to-destination", addr + ':' + to_string (port));
@@ -63,13 +66,13 @@ namespace bbot
 e = run_io_exit (t, 0, ofd, ofd,
 "sudo", "iptables",
 a, "FORWARD",
- "-m", "udp",
+ "-d", addr,
+ "-o", br,
 "-p", "udp",
+ "-m", "udp",
+ "--dport", port,
 "-m", "physdev",
- "-o", br,
 "--physdev-out", tap,
- "-d", addr,
- "--dport", port,
 "-m", "state",
 "--state", "NEW,ESTABLISHED,RELATED",
 "-j", "ACCEPT");
@@ -129,8 +132,8 @@ namespace bbot
 void destroy ()
 {
- destroy_tap (iface, bridge, port);
- iface.clear ();
+ string i (move (iface)); // No need trying again if below fails.
+ destroy_tap (i, bridge, port);
 }
 };
--
cgit v1.1
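Review bot: Reordering the options makes `-D` match, but `iptables -D` still removes only the first rule whose specification matches, so a PREROUTING DNAT rule left behind by an earlier agent run that died before cleanup (the add and delete paths presumably share this call via `a`) keeps redirecting TFTP traffic from that tap to `addr:port`. Probing with the identical option list, `"iptables", "-t", "nat", "-C", "PREROUTING", ...`, before the add and looping `-C`/`-D` on the delete side until `-C` fails would make both paths idempotent. Tying the option order to what `iptables -S` prints also means a different iptables build (legacy vs. nft backend) may print the rule differently, and a `-C` probe would surface such a mismatch early instead of leaving the rule in place; this assumes `e` is checked below the hunk for the delete case as well as the add case. The enclosing function starts before and continues after this hunk.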
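Review bot: `string i (move (iface));` relies on the moved-from `iface` ending up empty to carry the "do not try again" intent, but a moved-from std::string is only valid-but-unspecified by the standard (it is empty on common implementations, not by guarantee). Keeping an explicit clear right after the move, `string i (move (iface)); iface.clear ();`, makes that guarantee independent of the library. Note also that when `destroy_tap` throws, the tap and the DNAT/FORWARD rules created for it are deliberately never retried, so the failure should at least be logged with the interface name and port so stale rules can be found and removed by hand. The enclosing class starts before this hunk, and whether a destructor consults `iface` is not visible here.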