iptables: serialize startup service units

Since iptables-1.8.x the tool complains at run-time if a second instance
holds the shared lock:

   Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

If IPv4 and IPv6 is enabled, this concurrent situation can happen and at
the end one of both setups isn't done (first instance wins).

By serializing both service units this concurrent situation cannot occur
and both setups are done as expected.

Signed-off-by: Juergen Borleis <jbe@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>

2 files changed, 4 insertions, 0 deletions

diff --git a/projectroot/usr/lib/systemd/system/ip6tables.service b/projectroot/usr/lib/systemd/system/ip6tables.service
index e842cc197..7cf9ab88b 100644
--- a/projectroot/usr/lib/systemd/system/ip6tables.service
+++ b/projectroot/usr/lib/systemd/system/ip6tables.service
@@ -3,6 +3,8 @@ Description=Packet Filtering Framework
 DefaultDependencies=no
 After=systemd-sysctl.service
 Before=sysinit.target
+# ensure, we are running after IPv4
+After=iptables.service
 ConditionFileNotEmpty=/etc/iptables/rules.v6
 [Service]
 Type=oneshot
diff --git a/projectroot/usr/lib/systemd/system/iptables.service b/projectroot/usr/lib/systemd/system/iptables.service
index fa4a8b367..29999628e 100644
--- a/projectroot/usr/lib/systemd/system/iptables.service
+++ b/projectroot/usr/lib/systemd/system/iptables.service
@@ -3,6 +3,8 @@ Description=Packet Filtering Framework
 DefaultDependencies=no
 After=systemd-sysctl.service
 Before=sysinit.target
+# ensure, we are running before IPv6
+Before=ip6tables.service
 ConditionFileNotEmpty=/etc/iptables/rules.v4
 [Service]
 Type=oneshot