fix iptables conflict

files/bridge-post-scripts/post-up.sh.j2

@@ -52,7 +52,7 @@ handle_gateway {{gateway.id}} {{gateway.address}} {% if gateway.mac is defined a
 {% if br.masq is defined and br.masq %}
 # Masquerade
 ensure_localnet_ipset
-iptables -t nat -A POSTROUTING -o "$BRIDGE_NAME" -m set --match-set localnet src -m set ! --match-set localnet dst -j MASQUERADE
+iptables -w -t nat -A POSTROUTING -o "$BRIDGE_NAME" -m set --match-set localnet src -m set ! --match-set localnet dst -j MASQUERADE
 {% endif %}
 
 {% if br.dhcpv6Client is defined and br.dhcpv6Client %}

files/bridge-post-scripts/pre-down.sh.j2

@@ -39,9 +39,9 @@ handle_gateway {{gateway.id}} {{gateway.address}} {% if gateway.mac is defined a
 
 {% if br.masq is defined and br.masq %}
 # Masquerade
-iptables -t nat -D POSTROUTING -o "$BRIDGE_NAME" -j MASQUERADE
-iptables -t nat -D POSTROUTING -o "$BRIDGE_NAME" -m set --match-set localnet src -j MASQUERADE
-iptables -t nat -D POSTROUTING -o "$BRIDGE_NAME" -m set --match-set localnet src -m set ! --match-set localnet dst -j MASQUERADE
+iptables -w -t nat -D POSTROUTING -o "$BRIDGE_NAME" -j MASQUERADE
+iptables -w -t nat -D POSTROUTING -o "$BRIDGE_NAME" -m set --match-set localnet src -j MASQUERADE
+iptables -w -t nat -D POSTROUTING -o "$BRIDGE_NAME" -m set --match-set localnet src -m set ! --match-set localnet dst -j MASQUERADE
 {% endif %}
 
 {% if br.down is defined and br.down %}

files/ppp-post-scripts/postdown.sh.j2

@@ -4,24 +4,24 @@ source {{ansible_user_dir}}/nextgen-router/scripts/utility.sh
 PPPOE_NEXT_HOP_MARK=$[1000 + $(echo "$PPP_IFACE" | sed "s/ppp//g")]
 PPPOE_SELECTION_MARK=$((PPPOE_NEXT_HOP_MARK + 50))
 
-iptables-save | grep -- '-j TCPMSS' | grep -- "$PPP_IFACE" | sed 's/^-A/-D/g' | xargs -I '{}' bash -c 'iptables -t mangle {}'
+iptables-save | grep -- '-j TCPMSS' | grep -- "$PPP_IFACE" | sed 's/^-A/-D/g' | xargs -I '{}' bash -c 'iptables -w -t mangle {}'
 ip6tables-save | grep -- '-j TCPMSS' | grep -- "$PPP_IFACE" | sed 's/^-A/-D/g' | xargs -I '{}' bash -c 'ip6tables -t mangle {}'
 
 {% if gdut is defined and gdut %}
 
 # Rules for GDUT
 
-iptables -t mangle -D POSTROUTING -o "$PPP_IFACE" -j TTL --ttl-set 64
-iptables -t mangle -D OUTPUT -o "$PPP_IFACE" -j TTL --ttl-set 64
-iptables -t mangle -D FORWARD -o "$PPP_IFACE" -j TTL --ttl-set 64
+iptables -w -t mangle -D POSTROUTING -o "$PPP_IFACE" -j TTL --ttl-set 64
+iptables -w -t mangle -D OUTPUT -o "$PPP_IFACE" -j TTL --ttl-set 64
+iptables -w -t mangle -D FORWARD -o "$PPP_IFACE" -j TTL --ttl-set 64
 
-iptables -D FORWARD -p tcp -i "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
-iptables -D FORWARD -p tcp -o "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
+iptables -w -D FORWARD -p tcp -i "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
+iptables -w -D FORWARD -p tcp -o "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
 ip6tables -D FORWARD -p tcp -i "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
 ip6tables -D FORWARD -p tcp -o "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
 {% endif %}
 
-iptables -t nat -o "$PPP_IFACE" -D POSTROUTING -j MASQUERADE
+iptables -w -t nat -o "$PPP_IFACE" -D POSTROUTING -j MASQUERADE
 
 ip rule del pref 100 fwmark $PPPOE_NEXT_HOP_MARK lookup $PPPOE_NEXT_HOP_MARK
 ip rule del pref 400 fwmark $PPPOE_SELECTION_MARK lookup $PPPOE_NEXT_HOP_MARK

files/ppp-post-scripts/postup.sh.j2

@@ -9,12 +9,12 @@ INTERFACE_MTU=$(ip link show dev "$PPP_IFACE" | grep -oP 'mtu \d+' | cut -c 5-)
 INTERFACE_MTU_4=$((INTERFACE_MTU - 40))
 INTERFACE_MTU_6=$((INTERFACE_MTU - 60))
 
-iptables -t mangle -A FORWARD -o "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $INTERFACE_MTU_4:1460 -j TCPMSS --set-mss $INTERFACE_MTU_4
-iptables -t mangle -A FORWARD -i "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $INTERFACE_MTU_4:1460 -j TCPMSS --set-mss $INTERFACE_MTU_4
+iptables -w -t mangle -A FORWARD -o "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $INTERFACE_MTU_4:1460 -j TCPMSS --set-mss $INTERFACE_MTU_4
+iptables -w -t mangle -A FORWARD -i "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $INTERFACE_MTU_4:1460 -j TCPMSS --set-mss $INTERFACE_MTU_4
 ip6tables -t mangle -A FORWARD -o "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $INTERFACE_MTU_6:1460 -j TCPMSS --set-mss $INTERFACE_MTU_6
 ip6tables -t mangle -A FORWARD -i "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $INTERFACE_MTU_6:1460 -j TCPMSS --set-mss $INTERFACE_MTU_6
 
-iptables -t nat -o "$PPP_IFACE" -A POSTROUTING -j MASQUERADE
+iptables -w -t nat -o "$PPP_IFACE" -A POSTROUTING -j MASQUERADE
 
 ip route replace default dev "$PPP_IFACE" table $PPPOE_NEXT_HOP_MARK
 ip route add default dev "$PPP_IFACE" metric $PPPOE_NEXT_HOP_MARK
@@ -39,12 +39,12 @@ fi
 
 # Rules for GDUT
 
-iptables -t mangle -A POSTROUTING -o "$PPP_IFACE" -j TTL --ttl-set 64
-iptables -t mangle -A OUTPUT -o "$PPP_IFACE" -j TTL --ttl-set 64
-iptables -t mangle -A FORWARD -o "$PPP_IFACE" -j TTL --ttl-set 64
+iptables -w -t mangle -A POSTROUTING -o "$PPP_IFACE" -j TTL --ttl-set 64
+iptables -w -t mangle -A OUTPUT -o "$PPP_IFACE" -j TTL --ttl-set 64
+iptables -w -t mangle -A FORWARD -o "$PPP_IFACE" -j TTL --ttl-set 64
 
-iptables -A FORWARD -p tcp -i "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
-iptables -A FORWARD -p tcp -o "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
+iptables -w -A FORWARD -p tcp -i "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
+iptables -w -A FORWARD -p tcp -o "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
 ip6tables -A FORWARD -p tcp -i "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
 ip6tables -A FORWARD -p tcp -o "$PPP_IFACE" -m multiport --sports 80 --tcp-flags ACK ACK -m string --algo bm --string " src=\"http://1.1.1." -j DROP
 {% endif %}

files/utility.sh.j2

@@ -10,8 +10,8 @@ restore_mark() {
   if [[ "$OUTPUT_OPTION" == "-I" ]]; then
     OUTPUT_OPTION="-A"
   fi
-  iptables -t mangle "$OPTION" PREROUTING -m connmark --mark "$MARK" -j CONNMARK --restore-mark
-  iptables -t mangle "$OUTPUT_OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
+  iptables -w -t mangle "$OPTION" PREROUTING -m connmark --mark "$MARK" -j CONNMARK --restore-mark
+  iptables -w -t mangle "$OUTPUT_OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
   # ip6tables -t mangle "$OPTION" PREROUTING -m connmark --mark "$MARK" -j CONNMARK --restore-mark
   # ip6tables -t mangle "$OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
 }
@@ -22,7 +22,7 @@ ppp_origin() {
   INTERFACE=$2
   MARK=$[1000 + $(echo "$INTERFACE" | sed "s/ppp//g")]
   restore_mark "$OPTION" "$MARK"
-  iptables -t mangle "$OPTION" PREROUTING ! -p ospf -i "$INTERFACE" -m set ! --match-set localnet src -j CONNMARK --set-xmark "$MARK"
+  iptables -w -t mangle "$OPTION" PREROUTING ! -p ospf -i "$INTERFACE" -m set ! --match-set localnet src -j CONNMARK --set-xmark "$MARK"
   # ip6tables -t mangle "$OPTION" PREROUTING ! -p ospf -i "$INTERFACE" -j CONNMARK --set-xmark "$MARK"
 }
 
@@ -40,7 +40,7 @@ eth_origin() {
     GATEWAY_MAC=$(echo $NEIGH_LINE | awk '{print $5}')
   fi
   restore_mark "$OPTION" "$MARK"
-  iptables -t mangle "$OPTION" PREROUTING ! -p ospf -i "$BRIDGE_NAME" -m mac --mac-source "$GATEWAY_MAC" -m set ! --match-set localnet src -j CONNMARK --set-xmark "$MARK"
+  iptables -w -t mangle "$OPTION" PREROUTING ! -p ospf -i "$BRIDGE_NAME" -m mac --mac-source "$GATEWAY_MAC" -m set ! --match-set localnet src -j CONNMARK --set-xmark "$MARK"
   # ip6tables -t mangle "$OPTION" PREROUTING ! -p ospf -i "$BRIDGE_NAME" -m mac --mac-source "$GATEWAY_MAC" -m set ! --match-set localnet src -j CONNMARK --set-xmark "$MARK"
 }