Fix stuck nftables load

Previously, the ssh connection got stuck when first loading the nftables ruleset. I now found the reason for this: conntrack was not active before loading the ruleset, so there was no conntrack entry for the ssh connection. This means the traffic was not matched by 'ct state established', and the other output rules did not allow the traffic. To fix this, we can load a ruleset at boot which uses conntrack; this ensures that conntrack is already enabled when loading the actual ruleset over ssh.
2025-03-07 12:41:24 +01:00 · 2025-03-07 12:41:24 +01:00 · 500ca36444
commit 500ca36444
parent 0352ad997f
4 changed files with 23 additions and 4 deletions
--- a/contestops/configure-machines.sh
+++ b/contestops/configure-machines.sh
@ -10,9 +10,7 @@ parallel-scp -x "-F local.ssh_config" -h hostlist ./config-hosts /etc/hosts

 # Configure firewall.
 parallel-scp -x "-F local.ssh_config" -h hostlist ./config-nftables.conf /etc/nftables.conf
-parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl enable nftables.service
-# For some unknown reason nft gets stuck the first time it is run.
-parallel-ssh -x "-F local.ssh_config" -h hostlist --par 30 systemctl start nftables.service
+parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl reload nftables.service

 # Uncomment these lines if machines have 4K displays. This scales display to 2x.
 # parallel-scp -x "-F local.ssh_config" -h hostlist ./set-display-scale.py /usr/local/bin/set-display-scale.py
--- a/contestops/readme.md
+++ b/contestops/readme.md
@ -122,7 +122,6 @@ You can look these up with `host contest.soi.ch`.
 Edit `contest-lock.json` to fill in the title and start time of the contest.

 Apply the configuration to machines.
-If the script gets stuck, press Ctrl+C and run it again.

 ```bash
 ./configure-machines.sh