[Devel] [PATCH] scripts: add "-w" to iptables command

Kirill Tkhai ktkhai at virtuozzo.com
Thu Sep 28 13:55:19 MSK 2017


Could you please say whether it will work on old iptables?

On 28.09.2017 13:03, Stanislav Kinsburskiy wrote:
> What a brilliant idea it was to ignore unknown keys.
> Should take it into account.
> 
> 28.09.2017 10:26, Vasily Averin wrote:
>> kthai@ explained that old versions of iptables ignore unknown keys, so adding -w is safe.
>>
>> On 2017-09-28 10:40, Pavel Tikhomirov wrote:
>>> Can we have these scripts running with an older iptables version which does not have "-w"?
>>>
>>> On 09/27/2017 02:11 PM, Stanislav Kinsburskiy wrote:
>>>> Needed to support new versions of iptables.
>>>>
>>>> https://jira.sw.ru/browse/PSBM-73153
>>>>
>>>> Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
>>>> ---
>>>>   scripts/nfs-ports-allow.sh |   16 ++++++++--------
>>>>   1 file changed, 8 insertions(+), 8 deletions(-)
>>>>
>>>> diff --git a/scripts/nfs-ports-allow.sh b/scripts/nfs-ports-allow.sh
>>>> index 97541dc..ac5cf5f 100644
>>>> --- a/scripts/nfs-ports-allow.sh
>>>> +++ b/scripts/nfs-ports-allow.sh
>>>> @@ -36,10 +36,10 @@ function add_accept_rules {
>>>>       local server=$1
>>>>       local port=$2
>>>>   -    ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&
>>>> -    ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT &&
>>>> -    ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&
>>>> -    ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT
>>>> +    ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&
>>>> +    ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT &&
>>>> +    ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&
>>>> +    ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT
>>>>   }
>>>>     function iptables_allow_nfs_ports {
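Review bot: In add_accept_rules the new -w is typed into each of the four ${IPTABLES} invocations, and the commit message says only that it is needed for new iptables versions, not what an iptables without -w does when given it. Consider carrying the flag in one place, for example wherever ${IPTABLES} is set or in a separate variable assigned once, so it can be made conditional on the installed binary, and record the compatibility expectation in the commit message. Separately, $server and $port are expanded unquoted on every line; writing "$server" and "$port" keeps an unexpected value from splitting into extra iptables arguments.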
>>>> @@ -63,10 +63,10 @@ function allow_portmapper_port {
>>>>       local server=$1
>>>>       local port=111
>>>>   -    ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&
>>>> -    ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT &&
>>>> -    ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&
>>>> -    ${JOIN_CT} ${IPTABLES} -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT
>>>> +    ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -s $server --sport $port -j ACCEPT &&
>>>> +    ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p udp -d $server --dport $port -j ACCEPT &&
>>>> +    ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -s $server --sport $port -j ACCEPT &&
>>>> +    ${JOIN_CT} ${IPTABLES} -w -I ${CRTOOLS_IPTABLES_TABLE} -p tcp -d $server --dport $port -j ACCEPT
>>>>   }
>>>>     for s in $servers; do
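Review bot: allow_portmapper_port gets the same four-line edit as add_accept_rules because its body is the same rule set with port fixed to 111 and only the tcp/udp order swapped. Calling add_accept_rules "$server" 111 from here would remove the duplicate, so a flag change like this one touches a single place. Also, the && chain stops at the first failing command but leaves the rules already inserted into ${CRTOOLS_IPTABLES_TABLE}; if the caller treats a non-zero return as "nothing was opened", a cleanup on failure is worth adding.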
>>>>
>>>> _______________________________________________
>>>> Devel mailing list
>>>> Devel at openvz.org
>>>> https://lists.openvz.org/mailman/listinfo/devel
>>>>
>>>

