* [PATCH v2] xtables: Add locking to prevent concurrent instances
@ 2013-05-22 22:36 Phil Oester
0 siblings, 0 replies; only message in thread
From: Phil Oester @ 2013-05-22 22:36 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo, kaber
[-- Attachment #1: Type: text/plain, Size: 1604 bytes --]
There have been numerous complaints and bug reports over the years when admins
attempt to run more than one instance of iptables simultaneously. Currently
open bug reports which are related:
325: Parallel execution of the iptables is impossible
758: Retry iptables command on transient failure
764: Doing -Z twice in parallel breaks counters
822: iptables shows negative or other bad packet/byte counts
As Patrick notes in 325: "Since this has been a problem people keep running
into, I'd suggest to simply add some locking to iptables to catch the most
common case."
I started looking into alternatives to add locking, and of course the most
common/obvious solution is to use a pidfile. But this has various downsides,
such as if the application is terminated abnormally and the pidfile isn't
cleaned up. And this also requires a writable filesystem. Using a UNIX domain
socket file (e.g. in /var/run) has similar issues.
Starting in 2.2, Linux added support for abstract sockets. These sockets
require no filesystem, and automatically disappear once the application
terminates. This is the locking solution I chose to implement in xtables-multi.
As an added bonus, since each network namespace has its own socket pool, an
iptables instance running in one namespace will not lock out an iptables
instance running in another namespace. A filesystem approach would have
to recognize and handle multiple network namespaces.
Changes from v1:
- Addressed Patrick's comments - locking attempts will be made indefinitely
until successful.
Phil
Signed-off-by: Phil Oester <kernel@linuxace.com>
[-- Attachment #2: patch-xtables-lock --]
[-- Type: text/plain, Size: 1297 bytes --]
diff --git a/iptables/xtables-multi.c b/iptables/xtables-multi.c
index 8014d5f..5a57375 100644
--- a/iptables/xtables-multi.c
+++ b/iptables/xtables-multi.c
@@ -1,8 +1,12 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
#include "xshared.h"
+#include "xtables.h"
#include "xtables-multi.h"
#ifdef ENABLE_IPV4
@@ -35,7 +39,31 @@ static const struct subcommand multi_subcommands[] = {
{NULL},
};
+#define XTMSOCKET_NAME "xtables_multi"
+#define XTMSOCKET_LEN 14
+
int main(int argc, char **argv)
{
+ int i = 0, ret, xtm_socket;
+ struct sockaddr_un xtm_addr;
+
+ memset(&xtm_addr, 0, sizeof(xtm_addr));
+ xtm_addr.sun_family = AF_UNIX;
+ strcpy(xtm_addr.sun_path+1, XTMSOCKET_NAME);
+ xtm_socket = socket(AF_UNIX, SOCK_STREAM, 0);
+ /* If we can't even create a socket, just revert to prior (lockless) behavior */
+ if (xtm_socket < 0)
+ return subcmd_main(argc, argv, multi_subcommands);
+
+ while (1) {
+ ret = bind(xtm_socket, (struct sockaddr*)&xtm_addr,
+ offsetof(struct sockaddr_un, sun_path)+XTMSOCKET_LEN);
+ if (ret == 0)
+ break;
+ if (++i % 5 == 0)
+ fprintf(stderr, "Waiting for lock, standby...\n");
+ sleep(1);
+ }
+
return subcmd_main(argc, argv, multi_subcommands);
}
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2013-05-22 22:36 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-05-22 22:36 [PATCH v2] xtables: Add locking to prevent concurrent instances Phil Oester
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).