rfxn / advanced-policy-firewall

Advanced Policy Firewall (APF)
GNU General Public License v2.0

Add support for -w when iptables >= 1.4.20 #36

Closed AlexisEvo closed 3 years ago

AlexisEvo commented 4 years ago

When two instances of the iptables command are run simultaneously, they often encounter a race condition resulting in one of the commands not being executed. mutex_lock/unlock stops two instances of apf from colliding, but external programs that call iptables directly may result in apf not adding the necessary rules.

In 1.4.20, iptables added native support for locking, as well as a wait timeout flag:

http://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8
http://git.netfilter.org/iptables/commit/?id=d7aeda5ed45ac7ca959f12180690caa371b5b14b

This PR adds the flag with a default timeout of 3 seconds when iptables is >= 1.4.20.
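As an added illustration of the version gate the PR describes (example code, not APF's own or the PR's diff), the following POSIX shell builds the `-w <seconds>` argument only when the installed iptables is 1.4.20 or newer, defaulting to the 3-second timeout. The function names (`version_ge`, `parse_iptables_version`, `ipt_wait_flag`) are assumptions for this example; the version string is passed in as an argument so the logic can be exercised without iptables installed.

```shell
#!/bin/sh
# Added example, not code from APF or from this PR. Decide whether to pass
# "-w <timeout>" to iptables: older releases reject the flag, so it must be
# gated on the version (1.4.20 introduced native xtables locking and -w).

# version_ge A B: returns 0 when dotted version A >= B, comparing the first
# three numeric fields. Padding with ".0.0" keeps cut from echoing a field
# that has no delimiter (e.g. "1" or "1.4").
version_ge() {
  a="$1.0.0"; b="$2.0.0"; i=1
  while [ "$i" -le 3 ]; do
    x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# parse_iptables_version "iptables v1.8.7 (nf_tables)" -> "1.8.7"
# Prints nothing if the string does not look like `iptables -V` output.
parse_iptables_version() {
  echo "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p' | head -n1
}

# ipt_wait_flag VERSION [TIMEOUT]: prints "-w TIMEOUT" (default 3 seconds,
# matching the PR) when VERSION >= 1.4.20, otherwise prints nothing.
ipt_wait_flag() {
  v="$1"; t="${2:-3}"
  if [ -n "$v" ] && version_ge "$v" "1.4.20"; then
    echo "-w $t"
  fi
}

# Typical use in a firewall script (left unexecuted here so the functions
# above can be tested without iptables present):
#   IPT_WAIT=$(ipt_wait_flag "$(parse_iptables_version "$(iptables -V 2>/dev/null)")")
#   iptables $IPT_WAIT -A INPUT -p tcp --dport 22 -j ACCEPT
```

Leaving `$IPT_WAIT` unquoted is deliberate: when the flag is unsupported it expands to nothing rather than an empty argument that iptables would reject.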