authorChristian Poessinger <christian@poessinger.com>2021-08-16 18:25:28 +0200
committerChristian Poessinger <christian@poessinger.com>2021-08-16 18:25:28 +0200
commit18ac0c694a3081931fecc9e5e8ea48b019105d81 (patch)
tree11953660607151c3fa2fc4874125a167e46ac55a
parent2c17993105b635c3c157e9f528a017bc9e0b556b (diff)
conntrack: T3579: bugfix when deleting non existent iptable rules
We only delete iptables rules if they really exist - if we try to delete a non-existing rule a PermissionError exception is thrown. We could either ignore the error code (that is what the old Vyatta code did), or we check what we are doing beforehand.
-rwxr-xr-xsrc/conf_mode/conntrack.py8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index 9693de493..68877f794 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -105,7 +105,9 @@ def apply(conntrack):
cmd(f'rmmod {mod}')
if 'iptables' in module_config:
for rule in module_config['iptables']:
- cmd(f'iptables --delete {rule}')
+ # Only install iptables rule if it does not exist
+ tmp = run(f'iptables --check {rule}')
+ if tmp == 0: cmd(f'iptables --delete {rule}')
else:
if 'ko' in module_config:
for mod in module_config['ko']:
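Review bot: The comment added above the new `--check` call in the delete branch is copied from the insert branch and states the opposite of what the code does: `# Only install iptables rule if it does not exist` sits above a check that gates an `iptables --delete`, so it should read `# Only delete the iptables rule if it currently exists`. It is also worth noting in that comment that `iptables --check` exits non-zero both for "rule not present" and for errors such as a missing chain, so gating on `tmp == 0` silently skips the delete in the error case as well; if that is the intended best-effort behaviour, say so rather than leave it implicit. As a point of style, the compound `if tmp == 0: cmd(f'iptables --delete {rule}')` puts the body on the `if` line, which PEP 8 discourages; the surrounding code keeps bodies on their own line. The enclosing apply() starts before this hunk.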
@@ -114,9 +116,7 @@ def apply(conntrack):
for rule in module_config['iptables']:
# Only install iptables rule if it does not exist
tmp = run(f'iptables --check {rule}')
- if tmp > 0:
- cmd(f'iptables --insert {rule}')
-
+ if tmp > 0: cmd(f'iptables --insert {rule}')
if process_named_running('conntrackd'):
# Reload conntrack-sync daemon to fetch new sysctl values