From: Phil Oester <kernel@linuxace.com>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org
Subject: Re: [PATCH] xtables: Add locking to prevent concurrent instances
Date: Wed, 22 May 2013 16:04:28 -0400
Message-ID: <20130522200428.GA12199@gmail.com>
In-Reply-To: <65164901-9a18-4349-973f-6b541beba6b3@email.android.com>

On Wed, May 22, 2013 at 09:29:06PM +0200, Patrick McHardy wrote:
> If I'm not mistaken, we retry failed operations since a few years now, so is this actually still a problem?
>
> If so, why abort after three tries instead of waiting until the lock can be acquired?

Not sure what you are referring to with retrying operations. The race condition
between multiple simultaneous instances of iptables running still exists in
latest git. For example, fire up a few simultaneous instances of this:

# while : ; do iptables -A INPUT -j ACCEPT ; iptables -D INPUT -j ACCEPT ; done
iptables: Resource temporarily unavailable.
iptables: Resource temporarily unavailable.
iptables: Invalid argument. Run `dmesg' for more information.
iptables: Resource temporarily unavailable.
iptables: Resource temporarily unavailable.

Bug 764 is another race problem where two simultaneous "iptables -Z" causes
counters to get reset to invalid numbers (and is reproducible with current git).

As to your second question re: why only three tries (in 3 seconds): I suppose we
could just wait "forever". In most normal cases I wouldn't expect a wait > 1
second for an instance to complete. But there could be pathological corner cases
such as dumping a huge ruleset with DNS resolution (i.e. without -n) which could
take an eternity to complete. Should we spit out (to stderr) some kind of
message in these cases, or just sit silently? Perhaps every 5 seconds?

Phil
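
The two wait policies weighed in this message (give up after a fixed number of tries, or wait until the lock is free with a periodic notice on stderr), as an added C illustration that is not the patch under discussion and not iptables code. The function `acquire_lock`, its parameters and the lock path are assumptions made for the example; it relies on flock(2) advisory locking.

```c
#define _GNU_SOURCE   /* flock() and nanosleep() under strict -std= modes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Added illustration; names and the lock path are hypothetical.
 * Take an exclusive advisory lock on `path`, polling every `interval_ms`.
 * max_tries > 0:  give up after that many attempts (bounded policy).
 * max_tries == 0: wait until the lock is free (unbounded policy), writing
 *                 a notice to stderr every `notify_every` failed attempts
 *                 (0 = stay silent).
 * Returns the locked fd (close it to release), or -1 with errno set. */
int acquire_lock(const char *path, unsigned max_tries,
                 unsigned interval_ms, unsigned notify_every)
{
    struct timespec ts = { interval_ms / 1000, (interval_ms % 1000) * 1000000L };
    int fd = open(path, O_CREAT | O_RDWR, 0600);
    if (fd < 0)
        return -1;
    for (unsigned attempt = 1; ; attempt++) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;                      /* we are the only instance */
        if (errno != EWOULDBLOCK && errno != EINTR)
            break;                          /* real error, not contention */
        if (max_tries && attempt >= max_tries) {
            errno = EWOULDBLOCK;
            break;                          /* bounded policy: give up */
        }
        if (notify_every && attempt % notify_every == 0)
            fprintf(stderr, "still waiting for %s (%u attempts)\n", path, attempt);
        nanosleep(&ts, NULL);
    }
    int saved = errno;                      /* close() may clobber errno */
    close(fd);
    errno = saved;
    return -1;
}

int main(void)
{
    /* Constructed demo path; a real tool would use a fixed, root-owned file. */
    int fd = acquire_lock("/tmp/example-xtables.lock", 3, 1000, 0);
    if (fd < 0) { perror("acquire_lock"); return 1; }
    /* ... critical section: read-modify-write of the ruleset ... */
    close(fd);
    return 0;
}
```

Calling it with `max_tries` 0 and `notify_every` 5 at a 1000 ms interval gives the wait-forever variant with a message roughly every 5 seconds.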