meta-google: nftables: Make rule loading atomic This ensures that all of the rules are processed and unexpected packets are not allowed or blocked by the kernel at any time. Change-Id: Ia7bb1d7f604f8ed1bd9759a23e370d20cb0c690d Signed-off-by: William A. Kennington III <wak@google.com>

commit: 7356f8ebcb6b0e4c06018c748b7c5771b41e007e [log] [tgz]
author: William A. Kennington III <wak@google.com> Wed Dec 15 02:21:52 2021 -0800
committer: William A. Kennington III <wak@google.com> Wed Dec 15 23:56:47 2021 +0000
tree: b25eb5ca71f9040d838b5276144e32d616315d91
parent: bdccd86cc18f9dba43fb488797f91d941035254f [diff] [blame]
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 30b2b65..074ec57 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in

@@ -46,9 +46,7 @@
   mkdir -p -m 755 "$(dirname "$rfile")"
   printf '%s' "$contents" >"$rfile"
 
-  echo 'Restarting nftables' >&2
-  systemctl reset-failed nftables
-  systemctl --no-block restart nftables
+  systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true
 }
 
 gbmc_ncsi_nft_hook() {
commit	7356f8ebcb6b0e4c06018c748b7c5771b41e007e	[log] [tgz]
author	William A. Kennington III <wak@google.com>	Wed Dec 15 02:21:52 2021 -0800
committer	William A. Kennington III <wak@google.com>	Wed Dec 15 23:56:47 2021 +0000
tree	b25eb5ca71f9040d838b5276144e32d616315d91
parent	bdccd86cc18f9dba43fb488797f91d941035254f [diff] [blame]