From e64d4bd05b77ced7dd68939f3afd193527fb8785 Mon Sep 17 00:00:00 2001
From: Gerard Ryan
Date: Sat, 20 Feb 2021 19:31:55 +1000
Subject: [PATCH] dockerd: Added iptables wait to ensure rules are added
Signed-off-by: Gerard Ryan
---
 utils/dockerd/files/dockerd.init | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/utils/dockerd/files/dockerd.init b/utils/dockerd/files/dockerd.init
index 1ad2b62ea..25ce4eff9 100755
--- a/utils/dockerd/files/dockerd.init
+++ b/utils/dockerd/files/dockerd.init
@@ -206,11 +206,14 @@ iptables_add_blocking_rule() {
 return
 }
+ # Wait for a maximum of 10 second per command, retrying every millisecond
+ local iptables_wait_args="--wait 10 --wait-interval 1000"
+
 # Ignore errors as it might already be present
- iptables --table filter --new DOCKER-USER 2>/dev/null
- if ! iptables --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT 2>/dev/null; then
+ iptables ${iptables_wait_args} --table filter --new DOCKER-USER 2>/dev/null
+ if ! iptables ${iptables_wait_args} --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT 2>/dev/null; then
 logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}"
- iptables --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT
+ iptables ${iptables_wait_args} --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT
 fi
 }
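Review bot: The final added `--insert` line still has no status check, so when the 10-second lock wait expires, or the installed iptables build rejects `--wait-interval` (a 1.6+ option that not every build honors), the REJECT rule meant to isolate ${inbound} from ${outbound} is silently absent while the script carries on as if the interface were blocked. The preceding `--check` cannot distinguish that failure from "rule not present" because its stderr is discarded, so the only signal left is the insert's exit status. Wrap it as `if ! iptables ${iptables_wait_args} --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT; then` / `logger -t "dockerd-init" -p err "Failed to block traffic from ${inbound} to ${outbound}"` / `fi`, and consider whether the caller should treat that as fatal. The comment on the first added line should read `# Wait for a maximum of 10 seconds per command, retrying every millisecond` (the interval is given in microseconds, so 1000 is one millisecond). iptables_add_blocking_rule starts before this hunk.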