| Field | Value | Date |
|---|---|---|
| author | Jethro Beekman <jethro@fortanix.com> | 2022-02-14 10:35:56 +0100 |
| committer | Florian Westphal <fw@strlen.de> | 2022-02-15 23:42:05 +0100 |
| commit | 07e2107ef0cbc1b81864c3c0f0ef297a9dfff44d | |
| tree | eba64618054cf690c69159d3f7e95f4429e19912 /iptables/ip6tables.c | |
| parent | a3980769541f6deb8d7b185de488dec6f40092f1 | |

xshared: Implement xtables lock timeout using signals

Previously, if a lock timeout is specified using `-wN`, flock() is
called using LOCK_NB in a loop with a sleep. This results in two issues.

The first issue is that the process may wait longer than necessary when
the lock becomes available. For this the `-W` option was added, but this
requires fine-tuning.

The second issue is that if lock contention is high, invocations using
`-w` (without a timeout) will always win lock acquisition from
invocations that use `-w N`. This is because invocations using `-w` are
actively waiting on the lock whereas those using `-w N` only check from
time to time whether the lock is free, which will never be the case.

This patch removes the sleep loop and deprecates the `-W` option (making
it non-functional). Instead, flock() is always called in a blocking
fashion, but the alarm() function is used with a non-SA_RESTART signal
handler to cancel the system call.

Signed-off-by: Jethro Beekman <jethro@fortanix.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
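
The mechanism the commit message describes (a blocking flock() cancelled by alarm() through a handler installed without SA_RESTART), shown as an added example that is not code from this commit or from iptables. The names `lock_with_timeout`, `on_alarm` and `alarm_fired` and the caller-supplied lock path are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

static volatile sig_atomic_t alarm_fired;

/* The handler only records the timeout; its job is to exist so that
 * SIGALRM interrupts flock() instead of terminating the process. */
static void on_alarm(int sig) { (void)sig; alarm_fired = 1; }

/* Hypothetical helper, not the iptables function: take an exclusive
 * flock() on path, giving up after timeout_sec seconds (0 = no timeout).
 * Returns the locked fd, or -1 with errno set (ETIMEDOUT on timeout). */
int lock_with_timeout(const char *path, unsigned int timeout_sec)
{
    struct sigaction sa, old_sa;
    int fd, rc, saved;

    fd = open(path, O_CREAT | O_RDWR, 0600);
    if (fd < 0)
        return -1;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;            /* no SA_RESTART: flock() returns EINTR */
    sigaction(SIGALRM, &sa, &old_sa);

    alarm_fired = 0;
    alarm(timeout_sec);         /* alarm(0) schedules nothing */
    do {                        /* blocking call, retried only for unrelated signals */
        rc = flock(fd, LOCK_EX);
    } while (rc < 0 && errno == EINTR && !alarm_fired);
    saved = errno;
    alarm(0);                   /* cancel an alarm that is still pending */
    sigaction(SIGALRM, &old_sa, NULL);

    if (rc == 0)
        return fd;
    close(fd);
    errno = (saved == EINTR) ? ETIMEDOUT : saved;
    return -1;
}
```

The alarm timer and the SIGALRM disposition are process-wide, which is why the helper cancels the timer and restores the previous handler on every return path after the handler was installed.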
Diffstat (limited to 'iptables/ip6tables.c')
-rw-r--r-- | iptables/ip6tables.c | 7 |
1 files changed, 1 insertions, 6 deletions
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index 560b6ed0..f4796b89 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -712,7 +712,6 @@ int do_command6(int argc, char *argv[], char **table, }; struct xtables_args args = { .family = AF_INET6, - .wait_interval.tv_sec = 1, }; struct ip6t_entry *e = NULL; unsigned int nsaddrs = 0, ndaddrs = 0; @@ -721,9 +720,6 @@ int do_command6(int argc, char *argv[], char **table, int verbose = 0; int wait = 0; - struct timeval wait_interval = { - .tv_sec = 1, - }; const char *chain = NULL; const char *policy = NULL, *newname = NULL; unsigned int rulenum = 0, command = 0; @@ -739,7 +735,6 @@ int do_command6(int argc, char *argv[], char **table, newname = p.newname; verbose = p.verbose; wait = args.wait; - wait_interval = args.wait_interval; nsaddrs = args.s.naddrs; ndaddrs = args.d.naddrs; saddrs = args.s.addr.v6; @@ -749,7 +744,7 @@ int do_command6(int argc, char *argv[], char **table, /* Attempt to acquire the xtables lock */ if (!restore) - xtables_lock_or_exit(wait, &wait_interval); + xtables_lock_or_exit(wait); /* only allocate handle if we weren't called with a handle */ if (!*handle) |
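Review bot: In the `@@ -712,7 +712,6 @@` hunk, removing `.wait_interval.tv_sec = 1` from the `args` initializer (and `wait_interval = args.wait_interval;` in the `@@ -739,7 +735,6 @@` hunk) does not show whether `struct xtables_args` still has a `wait_interval` member that the `-W` parser writes to. Since the commit message makes `-W` non-functional, please confirm the member is removed along with its last readers, and consider having the parser warn when `-W` is passed so that scripts relying on it do not silently lose the behaviour.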
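Review bot: At `xtables_lock_or_exit(wait);` in the `@@ -749,7 +744,7 @@` hunk, the call site no longer gives any hint of the unit or the special values of `wait` now that the interval argument is gone, and the diffstat shown here is limited to this file, so the new prototype is not visible. Please document on the prototype what `wait` means (seconds, and which value means "block without timeout"), and make sure the function cancels the pending alarm() and restores the previous SIGALRM disposition before returning, because `do_command6()` keeps running after this call and both are process-wide.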