From cbb15ab4921045abe0c36de112e719108eb9b294 Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Fri, 12 Mar 2021 18:19:01 -0800
Subject: meta-google: nftables-systemd: Flush at start

We don't want errors in loading previous rules to affect the state of the ruleset during restart.

Change-Id: Ic122e971670d56022029f1155c1accdf129672d0
Signed-off-by: William A. Kennington III
---
 meta-google/recipes-google/nftables/files/nft-configure.sh | 1 +
 meta-google/recipes-google/nftables/files/nftables.service | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta-google/recipes-google/nftables/files/nft-configure.sh b/meta-google/recipes-google/nftables/files/nft-configure.sh
index a82c2826f..05bb23d8b 100644
--- a/meta-google/recipes-google/nftables/files/nft-configure.sh
+++ b/meta-google/recipes-google/nftables/files/nft-configure.sh
@@ -9,6 +9,7 @@ for dir in /run/nftables /etc/nftables /usr/share/nftables; do
 let i+=1
 done
 rc=0
+nft flush ruleset || rc=$?
 for key in $(printf "%s\n" "${!basemap[@]}" | sort -r); do
 echo "Executing ${basemap[$key]}" >&2
 nft -f "${basemap[$key]}" || rc=$?
diff --git a/meta-google/recipes-google/nftables/files/nftables.service b/meta-google/recipes-google/nftables/files/nftables.service
index 79f0bb5b0..770a3d3ac 100644
--- a/meta-google/recipes-google/nftables/files/nftables.service
+++ b/meta-google/recipes-google/nftables/files/nftables.service
@@ -5,7 +5,7 @@ Before=network-pre.target
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/libexec/nft-configure.sh
-ExecStop=/bin/bash -c 'nft flush ruleset'
+ExecStop=/usr/sbin/nft flush ruleset
 
 [Install]
 WantedBy=multi-user.target
-- 
cgit v1.2.3
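Review bot: The added `nft flush ruleset || rc=$?` fails open: from that line until the last `nft -f` returns the host has an empty, accept-everything ruleset, and if any file is rejected the script only records the status in `rc` and leaves whatever subset loaded so far in place rather than the previous known-good rules. Because `nft -f` commits its whole input as one transaction, the flush and every rule file can be applied atomically by emitting them as a single nft script on stdin, so a rejected file leaves the old ruleset untouched and there is no unfiltered window on restart. This does change the per-file best-effort behaviour (one bad file now rejects the whole set), which is presumably acceptable given a nonzero `rc` already marks the run as failed. The loop's `done` and the final use of `rc` lie outside the hunk, so the rewritten group below closes them itself.
```shell
rc=0
# One nft script = one transaction: the flush and every rule file commit
# together, so a rejected file leaves the previous ruleset in place.
{
  echo 'flush ruleset'
  for key in $(printf "%s\n" "${!basemap[@]}" | sort -r); do
    echo "Executing ${basemap[$key]}" >&2
    printf 'include "%s"\n' "${basemap[$key]}"
  done
} | nft -f - || rc=$?
# … unchanged: exit with $rc …
```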
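Review bot: With the changed `ExecStop=/usr/sbin/nft flush ruleset` every `systemctl restart nftables` still passes through a fully open firewall, since ExecStop flushes before ExecStart reloads, regardless of how atomic the start path is made. Consider adding `ExecReload=/usr/libexec/nft-configure.sh` so rules can be refreshed with `systemctl reload` without unloading them first; whether the loader is safe to run against a live ruleset depends on nft-configure.sh, which is only partly in view. Note also that `/usr/sbin/nft` is now hard-coded here while the script resolves `nft` through PATH — fine if the recipe installs it at that path, but worth confirming on this image layout.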