From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Laurence J. Lane" <ljlane@debian.org>
Cc: Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH] iptables: iptables calls setsockopt incorrectly
Date: Thu, 8 Aug 2013 19:29:02 +0200
Message-ID: <20130808172902.GA11296@localhost>
In-Reply-To: <CA+0KVf052HAN73aMrM95aosN-=49Esam1spX=sUyvd61sDYDRA@mail.gmail.com>

Hi Laurence,

On Thu, Aug 08, 2013 at 01:25:46PM -0400, Laurence J. Lane wrote:
> https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1187177
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710997
>
>
> ---------- Forwarded message ----------
> From: LaMont Jones <lamont@debian.org>
> Date: Mon, Jun 3, 2013 at 6:07 PM
> Subject: Bug#710997: iptables calls setsockopt incorrectly
> To: submit@bugs.debian.org
>
>
> Package: iptables
> Version: 1.4.18-1
> Tags: patch
> --
>
> Since time immemorial, iptables has called setsockopt() and treated any
> -1 return value as fatal. Any system call can return EAGAIN or
> EINPROGRESS (depending on the origins of the API), and good coding
> practice requires checking for that and retrying or otherwise handling
> it.
>
> In the case of iptables, if multiple processes are calling iptables
> concurrently, then it is likely that one of them will fail. I have seen
> this with xen, as well as certain firewall configurations where the
> firewall rules are added as triggered by interfaces being discovered and
> configured.

We have these two patches to address this in mainstream:

http://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8
http://git.netfilter.org/iptables/commit/?id=d7aeda5ed45ac7ca959f12180690caa371b5b14b

Regards.
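
An added example, not part of this thread, the Debian patch or the linked upstream commits: a bounded retry wrapper for the failure mode the bug report describes, where a -1 return with errno EAGAIN is retried with backoff and every other errno stays fatal. The names `attempt_fn`, `retry_on_eagain`, `struct flaky` and `flaky_call` are hypothetical, and `flaky_call` is a constructed stand-in for the real setsockopt() call.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for nanosleep() */
#endif
#include <errno.h>
#include <time.h>

/* Hypothetical callback type: wraps one attempt of the real call, e.g. a
 * function that runs setsockopt() on the ruleset and returns its result. */
typedef int (*attempt_fn)(void *ctx);

/* Run fn until it succeeds, fails with an errno other than EAGAIN, or
 * max_tries attempts are used up. Returns 0 on success; otherwise -1 with
 * errno left as set by the last attempt. The delay doubles between tries. */
int retry_on_eagain(attempt_fn fn, void *ctx, int max_tries, long delay_ns)
{
    for (int attempt = 1; attempt <= max_tries; attempt++) {
        if (fn(ctx) == 0)
            return 0;
        if (errno != EAGAIN)        /* real failure: stay fatal */
            return -1;
        if (attempt == max_tries)   /* give up, errno is still EAGAIN */
            break;
        struct timespec ts = { delay_ns / 1000000000L, delay_ns % 1000000000L };
        nanosleep(&ts, NULL);
        delay_ns *= 2;
    }
    return -1;
}

/* Constructed stand-in for the kernel call: fails `failures` times with
 * errno `err`, then succeeds. Lets the wrapper run without root. */
struct flaky { int failures; int err; int calls; };

int flaky_call(void *ctx)
{
    struct flaky *f = ctx;
    f->calls++;
    if (f->failures > 0) { f->failures--; errno = f->err; return -1; }
    return 0;
}

int main(void)
{
    struct flaky busy = { 2, EAGAIN, 0 };   /* two transient failures */
    return retry_on_eagain(flaky_call, &busy, 5, 1000000L) == 0 ? 0 : 1;
}
```

The attempt cap matters for firewall tooling: an unbounded retry loop would hang boot-time or interface-triggered rule loading instead of reporting the failure.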