firewall.py: iptables: failure to delete a rule isn't always fatal.

If the previous run of sshuttle didn't manage to clean up after itself, it might have left the sshuttle-12300 chain intact, but the OUTPUT chain might not refer to it anymore. That would cause the *next* run of sshuttle to barf when trying to delete the OUTPUT entry, and then never get to the part where it just tries to delete the old chain so it can continue. Now only the last delete command (the one that actually deletes the chain) is fatal if it fails; the others just print a scary message, but that should only happen once in your life if you're unlucky.
2025-01-20 21:08:42 +01:00 · 2011-02-21 03:04:00 -08:00 · 2011-02-21 03:04:00 -08:00 · 6ef9ae1796
commit 6ef9ae1796
parent 1ca8aa5b89
1 changed files with 10 additions and 3 deletions
--- a/firewall.py
+++ b/firewall.py
@ -7,6 +7,13 @@ from helpers import *
 IPPROTO_DIVERT = 254


+def nonfatal(func, *args):
+    try:
+        func(*args)
+    except Fatal, e:
+        log('error: %s\n' % e)
+
+
 def ipt_chain_exists(name):
    argv = ['iptables', '-t', 'nat', '-nL']
    p = ssubprocess.Popen(argv, stdout = ssubprocess.PIPE)
@ -57,9 +64,9 @@ def do_iptables(port, dnsport, subnets):

    # basic cleanup/setup of chains
    if ipt_chain_exists(chain):
-        ipt('-D', 'OUTPUT', '-j', chain)
-        ipt('-D', 'PREROUTING', '-j', chain)
-        ipt('-F', chain)
+        nonfatal(ipt, '-D', 'OUTPUT', '-j', chain)
+        nonfatal(ipt, '-D', 'PREROUTING', '-j', chain)
+        nonfatal(ipt, '-F', chain)
        ipt('-X', chain)

    if subnets or dnsport: