fix: add -w flag to iptables calls to prevent boot race condition

Hornet Agent · Hornet Agent · commit 633f75d48145 · 2026-02-15T22:47:03.000-05:00
The systemd service was failing on boot because another process held the
xtables lock. The -w flag makes iptables wait for the lock instead of
failing immediately. Also updated the stale persistence warning since
hornet-firewall.service already handles that.
diff --git a/bin/setup-firewall.sh b/bin/setup-firewall.sh
@@ -34,64 +34,63 @@ CHAIN="HORNET_OUTPUT"
 echo "🔒 Setting up firewall rules for hornet_agent (uid $UID_HORNET)..."
 
 # Clean up any existing rules first
-iptables -D OUTPUT -m owner --uid-owner "$UID_HORNET" -j "$CHAIN" 2>/dev/null || true
-iptables -F "$CHAIN" 2>/dev/null || true
-iptables -X "$CHAIN" 2>/dev/null || true
+iptables -w -D OUTPUT -m owner --uid-owner "$UID_HORNET" -j "$CHAIN" 2>/dev/null || true
+iptables -w -F "$CHAIN" 2>/dev/null || true
+iptables -w -X "$CHAIN" 2>/dev/null || true
 
 # Create a dedicated chain for hornet_agent
-iptables -N "$CHAIN"
+iptables -w -N "$CHAIN"
 
 # ── Localhost: allow only specific services ──────────────────────────────────
 
 # Allow Slack bridge (outbound API)
-iptables -A "$CHAIN" -o lo -p tcp --dport 7890 -j ACCEPT
+iptables -w -A "$CHAIN" -o lo -p tcp --dport 7890 -j ACCEPT
 
 # Allow Ollama (local LLM inference)
-iptables -A "$CHAIN" -o lo -p tcp --dport 11434 -j ACCEPT
+iptables -w -A "$CHAIN" -o lo -p tcp --dport 11434 -j ACCEPT
 
 # Allow DNS on localhost
-iptables -A "$CHAIN" -o lo -p udp --dport 53 -j ACCEPT
-iptables -A "$CHAIN" -o lo -p tcp --dport 53 -j ACCEPT
+iptables -w -A "$CHAIN" -o lo -p udp --dport 53 -j ACCEPT
+iptables -w -A "$CHAIN" -o lo -p tcp --dport 53 -j ACCEPT
 
 # Allow localhost responses (established connections back to us)
-iptables -A "$CHAIN" -o lo -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -w -A "$CHAIN" -o lo -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Block everything else on localhost
-iptables -A "$CHAIN" -o lo -j LOG --log-prefix "HORNET_LOCAL_BLOCKED: " --log-level 4
-iptables -A "$CHAIN" -o lo -j DROP
+iptables -w -A "$CHAIN" -o lo -j LOG --log-prefix "HORNET_LOCAL_BLOCKED: " --log-level 4
+iptables -w -A "$CHAIN" -o lo -j DROP
 
 # ── Internet: allow only standard ports ──────────────────────────────────────
 
 # Allow DNS (UDP + TCP)
-iptables -A "$CHAIN" -p udp --dport 53 -j ACCEPT
-iptables -A "$CHAIN" -p tcp --dport 53 -j ACCEPT
+iptables -w -A "$CHAIN" -p udp --dport 53 -j ACCEPT
+iptables -w -A "$CHAIN" -p tcp --dport 53 -j ACCEPT
 
 # Allow HTTP/HTTPS (web browsing, all APIs)
-iptables -A "$CHAIN" -p tcp --dport 80 -j ACCEPT
-iptables -A "$CHAIN" -p tcp --dport 443 -j ACCEPT
+iptables -w -A "$CHAIN" -p tcp --dport 80 -j ACCEPT
+iptables -w -A "$CHAIN" -p tcp --dport 443 -j ACCEPT
 
 # Allow SSH (git push/pull)
-iptables -A "$CHAIN" -p tcp --dport 22 -j ACCEPT
+iptables -w -A "$CHAIN" -p tcp --dport 22 -j ACCEPT
 
 # Allow established/related (responses to allowed outbound)
-iptables -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -w -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Log and drop everything else
-iptables -A "$CHAIN" -j LOG --log-prefix "HORNET_BLOCKED: " --log-level 4
-iptables -A "$CHAIN" -j DROP
+iptables -w -A "$CHAIN" -j LOG --log-prefix "HORNET_BLOCKED: " --log-level 4
+iptables -w -A "$CHAIN" -j DROP
 
 # Jump to our chain for all hornet_agent traffic
-iptables -A OUTPUT -m owner --uid-owner "$UID_HORNET" -j "$CHAIN"
+iptables -w -A OUTPUT -m owner --uid-owner "$UID_HORNET" -j "$CHAIN"
 
 echo "✅ Firewall active. Rules:"
 echo ""
-iptables -L "$CHAIN" -n -v --line-numbers
+iptables -w -L "$CHAIN" -n -v --line-numbers
 echo ""
 echo "Localhost allowed: 7890 (bridge), 11434 (ollama), 53 (dns)"
 echo "Internet allowed:  80, 443, 22, 53"
 echo "Everything else:   BLOCKED + LOGGED"
 echo ""
-echo "To remove: sudo iptables -D OUTPUT -m owner --uid-owner $UID_HORNET -j $CHAIN && sudo iptables -F $CHAIN && sudo iptables -X $CHAIN"
+echo "To remove: sudo iptables -w -D OUTPUT -m owner --uid-owner $UID_HORNET -j $CHAIN && sudo iptables -w -F $CHAIN && sudo iptables -w -X $CHAIN"
 echo ""
-echo "⚠️  These rules are NOT persistent across reboots."
-echo "   To persist, add to a systemd unit or use iptables-save/iptables-restore."
+echo "Persistence: hornet-firewall.service (systemd)"
