From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Laurence J. Lane" <ljlane@debian.org>
Cc: Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH] iptables: iptables calls setsockopt incorrectly
Date: Thu, 8 Aug 2013 19:29:02 +0200
Message-ID: <20130808172902.GA11296@localhost>
In-Reply-To: <CA+0KVf052HAN73aMrM95aosN-=49Esam1spX=sUyvd61sDYDRA@mail.gmail.com>

Hi Laurence,

On Thu, Aug 08, 2013 at 01:25:46PM -0400, Laurence J. Lane wrote:
> https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1187177
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710997
> 
> 
> ---------- Forwarded message ----------
> From: LaMont Jones <lamont@debian.org>
> Date: Mon, Jun 3, 2013 at 6:07 PM
> Subject: Bug#710997: iptables calls setsockopt incorrectly
> To: submit@bugs.debian.org
> 
> 
> Package: iptables
> Version: 1.4.18-1
> Tags: patch
> --
> 
> Since time immemorial, iptables has called setsockopt() and treated any
> -1 return value as fatal.  Any system call can return EAGAIN or
> EINPROGRESS (depending on the origins of the API), and good coding
> practice requires checking for that and retrying or otherwise handling
> it.
> 
> In the case of iptables, if multiple processes are calling iptables
> concurrently, then it is likely that one of them will fail.  I have seen
> this with xen, as well as certain firewall configurations where the
> firewall rules are added as triggered by interfaces being discovered and
> configured.

We have these two patches to address this in mainstream:

http://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8
http://git.netfilter.org/iptables/commit/?id=d7aeda5ed45ac7ca959f12180690caa371b5b14b

Regards.
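
The handling the forwarded bug report asks for (retry a setsockopt()-style call on EAGAIN instead of treating every -1 as fatal), as an added example that is not part of this thread and not iptables code; it does not reproduce the two commits linked above. The names `retry_transient`, `setsockopt_op`, `flaky_op` and `simulate` are hypothetical, and treating only EAGAIN as transient is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <sys/socket.h>
#include <time.h>

/* Hypothetical callback: 0 on success, -1 with errno set, like setsockopt(2). */
typedef int (*sockop_fn)(void *ctx);

/* Retry op() while it fails with EAGAIN, doubling the delay each time.
 * Any other errno is treated as fatal at once. Returns op()'s last result
 * with errno preserved, so the caller still sees the real failure. */
int retry_transient(sockop_fn op, void *ctx, int max_tries, long delay_ms)
{
    int ret = -1;
    for (int attempt = 0; attempt < max_tries; attempt++) {
        ret = op(ctx);
        if (ret == 0 || errno != EAGAIN)
            break;
        if (attempt + 1 < max_tries) {
            struct timespec ts = { delay_ms / 1000, (delay_ms % 1000) * 1000000L };
            int saved = errno;          /* nanosleep() may overwrite errno */
            nanosleep(&ts, NULL);
            errno = saved;
            delay_ms *= 2;
        }
    }
    return ret;
}

/* Adapter so a real setsockopt() call can go through retry_transient(). */
struct sockopt_args { int fd, level, optname; const void *val; socklen_t len; };
int setsockopt_op(void *p)
{
    struct sockopt_args *a = p;
    return setsockopt(a->fd, a->level, a->optname, a->val, a->len);
}

/* Constructed stand-in for a contended call: fails fail_first times. */
struct flaky { int fail_first, calls, err; };
static int flaky_op(void *p)
{
    struct flaky *f = p;
    if (f->calls++ < f->fail_first) { errno = f->err; return -1; }
    return 0;
}

/* Returns the number of calls made, negated if the final result was -1. */
int simulate(int fail_first, int err, int max_tries)
{
    struct flaky f = { fail_first, 0, err };
    return retry_transient(flaky_op, &f, max_tries, 1) == 0 ? f.calls : -f.calls;
}
```

The retry budget is bounded on purpose: a firewall loader that gives up must still exit non-zero so the caller can tell that the ruleset was not applied.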
