From 7356f8ebcb6b0e4c06018c748b7c5771b41e007e Mon Sep 17 00:00:00 2001
From: "William A. Kennington III" <wak@google.com>
Date: Wed, 15 Dec 2021 02:21:52 -0800
Subject: meta-google: nftables: Make rule loading atomic

This ensures that all of the rules are processed and unexpected packets
are not allowed or blocked by the kernel at any time.

Change-Id: Ia7bb1d7f604f8ed1bd9759a23e370d20cb0c690d
Signed-off-by: William A. Kennington III <wak@google.com>
---
 meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh')

diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh
index 980f7b6d6..ca4e15a1f 100644
--- a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh
+++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh
@@ -37,9 +37,7 @@ gbmc_br_nft_update() {
   mkdir -p -m 755 "$(dirname "$rfile")"
   printf '%s' "$contents" >"$rfile"
 
-  echo 'Restarting nftables' >&2
-  systemctl reset-failed nftables
-  systemctl --no-block restart nftables
+  systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true
 }
 
 gbmc_br_nft_hook() {
-- 
cgit v1.2.3