meta-google: nftables: Make rule loading atomic

This ensures that all of the rules are processed and unexpected packets
are not allowed or blocked by the kernel at any time.

Change-Id: Ia7bb1d7f604f8ed1bd9759a23e370d20cb0c690d
Signed-off-by: William A. Kennington III <wak@google.com>
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
index 677ef28..9d9f789 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
@@ -88,7 +88,7 @@
   else
     printf '%s' "$nfcontents" >"$rfile"
   fi
-  systemctl reset-failed nftables && systemctl --no-block restart nftables || true
+  systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true
 }
 
 gbmc_ncsi_br_deprecated_ips_hook() {
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 30b2b65..074ec57 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
@@ -46,9 +46,7 @@
   mkdir -p -m 755 "$(dirname "$rfile")"
   printf '%s' "$contents" >"$rfile"
 
-  echo 'Restarting nftables' >&2
-  systemctl reset-failed nftables
-  systemctl --no-block restart nftables
+  systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true
 }
 
 gbmc_ncsi_nft_hook() {
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh
index 980f7b6..ca4e15a 100644
--- a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh
+++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh
@@ -37,9 +37,7 @@
   mkdir -p -m 755 "$(dirname "$rfile")"
   printf '%s' "$contents" >"$rfile"
 
-  echo 'Restarting nftables' >&2
-  systemctl reset-failed nftables
-  systemctl --no-block restart nftables
+  systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true
 }
 
 gbmc_br_nft_hook() {
diff --git a/meta-google/recipes-google/nftables/files/nft-configure.sh b/meta-google/recipes-google/nftables/files/nft-configure.sh
index 05bb23d..8c8e058 100644
--- a/meta-google/recipes-google/nftables/files/nft-configure.sh
+++ b/meta-google/recipes-google/nftables/files/nft-configure.sh
@@ -8,10 +8,14 @@
   done
   let i+=1
 done
-rc=0
-nft flush ruleset || rc=$?
+
+rules=""
+trap 'rm -f -- "$rules"' TERM INT EXIT ERR
+rules="$(mktemp)" || exit
+echo 'flush ruleset' >"$rules"
 for key in $(printf "%s\n" "${!basemap[@]}" | sort -r); do
-  echo "Executing ${basemap[$key]}" >&2
-  nft -f "${basemap[$key]}" || rc=$?
+  echo "Loading ${basemap[$key]}" >&2
+  echo '' >>"$rules"
+  cat "${basemap[$key]}" >>"$rules"
 done
-exit $rc
+nft -f "$rules" || exit
diff --git a/meta-google/recipes-google/nftables/files/nftables.service b/meta-google/recipes-google/nftables/files/nftables.service
index 770a3d3..1a93812 100644
--- a/meta-google/recipes-google/nftables/files/nftables.service
+++ b/meta-google/recipes-google/nftables/files/nftables.service
@@ -5,6 +5,7 @@
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/libexec/nft-configure.sh
+ExecReload=/usr/libexec/nft-configure.sh
 ExecStop=/usr/sbin/nft flush ruleset
 
 [Install]