path: root/iptables/ip6tables.c
diff options
authorPhil Oester <>2013-05-31 09:07:04 -0400
committerPablo Neira Ayuso <>2013-06-11 12:54:30 +0200
commit93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8 (patch)
treedcaf19625096fac37cddcc80a0ff1aff673c2579 /iptables/ip6tables.c
parent34844da8f53ec80b34ad094f2fca2519a7079ec2 (diff)
ip[6]tables: Add locking to prevent concurrent instances
There have been numerous complaints and bug reports over the years when admins attempt to run more than one instance of iptables simultaneously. Currently open bug reports which are related: 325: Parallel execution of the iptables is impossible 758: Retry iptables command on transient failure 764: Doing -Z twice in parallel breaks counters 822: iptables shows negative or other bad packet/byte counts As Patrick notes in 325: "Since this has been a problem people keep running into, I'd suggest to simply add some locking to iptables to catch the most common case." I started looking into alternatives to add locking, and of course the most common/obvious solution is to use a pidfile. But this has various downsides, such as if the application is terminated abnormally and the pidfile isn't cleaned up. And this also requires a writable filesystem. Using a UNIX domain socket file (e.g. in /var/run) has similar issues. Starting in 2.2, Linux added support for abstract sockets. These sockets require no filesystem, and automatically disappear once the application terminates. This is the locking solution I chose to implement in ip[6]tables. As an added bonus, since each network namespace has its own socket pool, an ip[6]tables instance running in one namespace will not lock out an ip[6]tables instance running in another namespace. A filesystem approach would have to recognize and handle multiple network namespaces. Signed-off-by: Phil Oester <> Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'iptables/ip6tables.c')
1 files changed, 16 insertions, 1 deletions
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index c8d34e2d..eededee1 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -102,6 +102,7 @@ static struct option original_opts[] = {
{.name = "numeric", .has_arg = 0, .val = 'n'},
{.name = "out-interface", .has_arg = 1, .val = 'o'},
{.name = "verbose", .has_arg = 0, .val = 'v'},
+ {.name = "wait", .has_arg = 0, .val = 'w'},
{.name = "exact", .has_arg = 0, .val = 'x'},
{.name = "version", .has_arg = 0, .val = 'V'},
{.name = "help", .has_arg = 2, .val = 'h'},
@@ -257,6 +258,7 @@ exit_printhelp(const struct xtables_rule_match *matches)
" network interface name ([+] for wildcard)\n"
" --table -t table table to manipulate (default: `filter')\n"
" --verbose -v verbose mode\n"
+" --wait -w wait for the xtables lock\n"
" --line-numbers print line numbers when listing\n"
" --exact -x expand numbers (display exact values)\n"
/*"[!] --fragment -f match second or further fragments only\n"*/
@@ -1293,6 +1295,7 @@ int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle
struct in6_addr *smasks = NULL, *dmasks = NULL;
int verbose = 0;
+ bool wait = false;
const char *chain = NULL;
const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
const char *policy = NULL, *newname = NULL;
@@ -1328,7 +1331,7 @@ int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle
opts = xt_params->orig_opts;
while ((cs.c = getopt_long(argc, argv,
- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:46",
+ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvwnt:m:xc:g:46",
opts, NULL)) != -1) {
switch (cs.c) {
@@ -1573,6 +1576,10 @@ int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle
+ case 'w':
+ wait = true;
+ break;
case 'm':
@@ -1724,6 +1731,14 @@ int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle
"chain name `%s' too long (must be under %u chars)",
+ /* Attempt to acquire the xtables lock */
+ if (!xtables_lock(wait)) {
+ fprintf(stderr, "Another app is currently holding the xtables lock. "
+ "Perhaps you want to use the -w option?\n");
+ xtables_free_opts(1);
+ }
/* only allocate handle if we weren't called with a handle */
if (!*handle)
*handle = ip6tc_init(*table);