author | Avery Pennarun <apenwarr@gmail.com> | 2011-02-21 03:04:00 -0800 |
committer | Avery Pennarun <apenwarr@gmail.com> | 2011-02-21 03:04:00 -0800 |
commit | 6ef9ae1796659630e2d35082d83ab766c443751a (patch) | |
tree | d14505a800d04736de3de5f015299faa3d8ffef4 | |
parent | 1ca8aa5b891d01181a5d6a814631f6cf2cd08603 (diff) |
firewall.py: iptables: failure to delete a rule isn't always fatal.
If the previous run of sshuttle didn't manage to clean up after itself, it
might have left the sshuttle-12300 chain intact, but the OUTPUT chain might
not refer to it anymore. That would cause the *next* run of sshuttle to
barf when trying to delete the OUTPUT entry, and then never get to the part
where it just tries to delete the old chain so it can continue.
Now only the last delete command (the one that actually deletes the chain)
is fatal if it fails; the others just print a scary message, but that should
only happen once in your life if you're unlucky.
-rw-r--r-- | firewall.py | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/firewall.py b/firewall.py
index 7767d43..4307bb0 100644
--- a/firewall.py
+++ b/firewall.py
@@ -7,6 +7,13 @@ from helpers import *
 IPPROTO_DIVERT = 254
+def nonfatal(func, *args):
+ try:
+ func(*args)
+ except Fatal, e:
+ log('error: %s\n' % e)
+
+
 def ipt_chain_exists(name):
 argv = ['iptables', '-t', 'nat', '-nL']
 p = ssubprocess.Popen(argv, stdout = ssubprocess.PIPE)
@@ -57,9 +64,9 @@ def do_iptables(port, dnsport, subnets):
 # basic cleanup/setup of chains
 if ipt_chain_exists(chain):
- ipt('-D', 'OUTPUT', '-j', chain)
- ipt('-D', 'PREROUTING', '-j', chain)
- ipt('-F', chain)
+ nonfatal(ipt, '-D', 'OUTPUT', '-j', chain)
+ nonfatal(ipt, '-D', 'PREROUTING', '-j', chain)
+ nonfatal(ipt, '-F', chain)
 ipt('-X', chain)
 if subnets or dnsport: |
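Review bot: The reason the first three deletes in do_iptables are allowed to fail lives only in the commit message, not in the code; the `# basic cleanup/setup of chains` comment should carry it, e.g. `# a previous run may have left the chain behind without its OUTPUT/PREROUTING jumps, so only the final -X has to succeed`. In the first hunk, nonfatal's `log('error: %s\n' % e)` prints the same text a genuinely fatal error would, so the reader cannot tell from the log that the failure was tolerated; `log('error (ignored): %s\n' % e)` makes that explicit, and a one-line docstring on nonfatal stating that it only swallows Fatal would help too. It also looks like the still-fatal `ipt('-X', chain)` is what protects against a jump into the chain that genuinely could not be removed, since iptables refuses to delete a chain that is still referenced or non-empty (if I recall correctly); that is worth a short comment on that line so nobody later makes it nonfatal as well. do_iptables starts before and continues after the second hunk.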