When using fw3 together with other applications or scripts a race
conditions might occur. When fw3 is preparing the new tables, another
application can use the executable `iptables` which modifies the
kernel-tables. libxtables will notify this and fails when fw3 is
committing the changes resulting in a failed firewall.
Now waits in a while loop until the lock is gone, activate the lock
itself and applies changes.
To reproduce the bug the following two scripts should run in parrallel,
after a few seconds the latter stop and leaves a broken firewall:
while true; do iptables -N locking; done
and
while [ "$(iptables -w -L OUTPUT | wc -l)" -gt 2 ]; do fw3 reload; done
The following message will appear
Warning: iptc_commit(): Resource temporarily unavailable
and connectivity is gone.
Tested in an LXC and Qemu container.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
[fixed waiting for unlock and commit message]
Signed-off-by: Paul Spooren <mail@aparcar.org>
#include "iptables.h"
+#define XT_LOCK_NAME "/var/run/xtables.lock"
+static int xt_lock_fd = -1;
struct fw3_ipt_rule {
struct fw3_ipt_handle *h;
xtables_init();
+ while (!fw3_lock_path(&xt_lock_fd, XT_LOCK_NAME)) {
+ warn("Currently busy xtables.lock - wait 1 second");
+ sleep(1);
+ }
+
if (family == FW3_FAMILY_V6)
{
#ifndef DISABLE_IPV6
if (!h->handle)
{
free(h);
+ fw3_unlock_path(&xt_lock_fd, XT_LOCK_NAME);
return NULL;
}
void
fw3_ipt_close(struct fw3_ipt_handle *h)
{
+ fw3_unlock_path(&xt_lock_fd, XT_LOCK_NAME);
free(h);
}
projects / oweals / firewall3.git / commitdiff