From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Oester <kernel@linuxace.com>
Cc: netfilter-devel@vger.kernel.org, kaber@trash.net
Subject: Re: [PATCH v4] xtables: Add locking to prevent concurrent instances
Date: Tue, 11 Jun 2013 12:56:23 +0200 [thread overview]
Message-ID: <20130611105623.GA20649@localhost> (raw)
In-Reply-To: <20130531130704.GA20357@gmail.com>
On Fri, May 31, 2013 at 09:07:04AM -0400, Phil Oester wrote:
> There have been numerous complaints and bug reports over the years when admins
> attempt to run more than one instance of iptables simultaneously. Currently
> open bug reports which are related:
>
> 325: Parallel execution of the iptables is impossible
> 758: Retry iptables command on transient failure
> 764: Doing -Z twice in parallel breaks counters
> 822: iptables shows negative or other bad packet/byte counts
>
> As Patrick notes in 325: "Since this has been a problem people keep running
> into, I'd suggest to simply add some locking to iptables to catch the most
> common case."
>
> I started looking into alternatives to add locking, and of course the most
> common/obvious solution is to use a pidfile. But this has various downsides,
> such as if the application is terminated abnormally and the pidfile isn't
> cleaned up. And this also requires a writable filesystem. Using a UNIX domain
> socket file (e.g. in /var/run) has similar issues.
>
> Starting in 2.2, Linux added support for abstract sockets. These sockets
> require no filesystem, and automatically disappear once the application
> terminates. This is the locking solution I chose to implement in ip[6]tables.
> As an added bonus, since each network namespace has its own socket pool, an
> ip[6]tables instance running in one namespace will not lock out an ip[6]tables
> instance running in another namespace. A filesystem approach would have
> to recognize and handle multiple network namespaces.
Applied, thanks.
I made some minor change:
> diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
> index c8d34e2..3877d2f 100644
> --- a/iptables/ip6tables.c
> +++ b/iptables/ip6tables.c
[...]
> @@ -1724,6 +1731,14 @@ int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle
> "chain name `%s' too long (must be under %u chars)",
> chain, XT_EXTENSION_MAXNAMELEN);
>
> + /* Attempt to acquire the xtables lock */
> + if (!xtables_lock(wait)) {
> + fprintf(stderr, "Another app is currently holding the xtables lock. "
> + "Perhaps you want to use the -w option?\n");
> + xtables_free_opts(1);
> + exit(1);
exit(RESOURCE_PROBLEM)
Just to make sure that scripts don't break for people that are relying
on that return value.
prev parent reply other threads:[~2013-06-11 10:56 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-31 13:07 [PATCH v4] xtables: Add locking to prevent concurrent instances Phil Oester
2013-06-11 10:56 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130611105623.GA20649@localhost \
--to=pablo@netfilter.org \
--cc=kaber@trash.net \
--cc=kernel@linuxace.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.