path: root/iptables/xshared.c
Commit message | Author | Age | Files | Lines
* xshared: calm down compilation warning | Pablo Neira Ayuso | 2015-02-18 | 1 | -0/+1

    xshared.c: In function 'xtables_lock':
    xshared.c:255:3: warning: implicit declaration of function 'flock' [-Wimplicit-function-declaration]

    Signed-off-by: Pablo Neira Ayuso <>
* iptables: use flock() instead of abstract unix sockets | Pablo Neira Ayuso | 2015-01-20 | 1 | -15/+7

    Abstract unix sockets cannot be used to synchronize several concurrent
    instances of iptables since an unprivileged process can create them and
    prevent the legitimate iptables instance from running.

    Use flock() and /run instead as suggested by Lennart Poettering.

    Fixes: 93587a0 ("ip[6]tables: Add locking to prevent concurrent instances")
    Reported-by: Lennart Poettering <>
    Cc: Phil Oester <>
    Signed-off-by: Pablo Neira Ayuso <>
* iptables: add optional [seconds] argument to -w | Jiri Popelka | 2014-07-25 | 1 | -3/+5

    This patch adds an optional numeric argument to -w option (added with
    93587a0) so one can specify how long to wait for an exclusive lock.

    If the value isn't specified it works as before, i.e. program waits
    indefinitely. If user specifies it, program exits after the given time
    interval passes.

    This patch also adds the -w/--wait to nftables compat code, so the
    parser doesn't complain.

    [ In the original patch, iptables-compat -w X was not working, I have
      fixed by adding the dummy code not to break scripts using the new
      optional argument --pablo ]

    Signed-off-by: Jiri Popelka <>
    Signed-off-by: Pablo Neira Ayuso <>
* ip[6]tables: Add locking to prevent concurrent instances | Phil Oester | 2013-06-11 | 1 | -0/+33

    There have been numerous complaints and bug reports over the years when
    admins attempt to run more than one instance of iptables simultaneously.
    Currently open bug reports which are related:

      325: Parallel execution of the iptables is impossible
      758: Retry iptables command on transient failure
      764: Doing -Z twice in parallel breaks counters
      822: iptables shows negative or other bad packet/byte counts

    As Patrick notes in 325: "Since this has been a problem people keep
    running into, I'd suggest to simply add some locking to iptables to
    catch the most common case."

    I started looking into alternatives to add locking, and of course the
    most common/obvious solution is to use a pidfile. But this has various
    downsides, such as if the application is terminated abnormally and the
    pidfile isn't cleaned up. And this also requires a writable filesystem.
    Using a UNIX domain socket file (e.g. in /var/run) has similar issues.

    Starting in 2.2, Linux added support for abstract sockets. These sockets
    require no filesystem, and automatically disappear once the application
    terminates. This is the locking solution I chose to implement in
    ip[6]tables.

    As an added bonus, since each network namespace has its own socket pool,
    an ip[6]tables instance running in one namespace will not lock out an
    ip[6]tables instance running in another namespace. A filesystem approach
    would have to recognize and handle multiple network namespaces.

    Signed-off-by: Phil Oester <>
    Signed-off-by: Pablo Neira Ayuso <>
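The three locking commits above (the 2013 abstract-socket lock, the 2014 optional -w [seconds] timeout, and the 2015 switch to flock() on a file under /run) are contrasted in the following added example. It is not code from the iptables project: the function names, the /tmp lock path and the 200 ms polling interval are assumptions for the demo. It shows why an abstract unix socket name can be taken by any local user (there are no ownership or permission bits on the name, so whoever binds first wins), and how a flock()-based lock with the no-wait / wait-forever / wait-N-seconds behaviour of -w looks when written out. The caveat the 2013 message raises still applies to the file-based scheme: a single path under /run is shared by every network namespace on the host, so instances in different namespaces serialize on it unless the path is made per-namespace.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <time.h>
#include <unistd.h>

/* Assumed lock path for the demo. The real tool uses a root-owned
 * directory (/run) so an unprivileged user cannot pre-create the file. */
#define EXAMPLE_LOCK_PATH "/tmp/xshared-example.lock"

/* The 2013 scheme: bind an abstract unix socket name (Linux-only).
 * Returns the socket fd on success, -1 if the name is already bound
 * (errno == EADDRINUSE) or on any other error.  Abstract names are a
 * flat per-network-namespace pool with no owner and no mode bits, so any
 * local user can bind the name first and lock out the privileged
 * instance: this is the weakness the 2015 commit removes. */
int abstract_socket_lock(const char *name)
{
    struct sockaddr_un addr;
    socklen_t len;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    /* sun_path[0] == '\0' selects the abstract namespace. */
    strncpy(addr.sun_path + 1, name, sizeof(addr.sun_path) - 2);
    len = offsetof(struct sockaddr_un, sun_path) + 1 + strlen(addr.sun_path + 1);
    if (bind(fd, (struct sockaddr *)&addr, len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The 2015 scheme with the 2014 timeout semantics of -w [seconds]:
 *   wait == 0                : try once, fail immediately if busy
 *   wait != 0, timeout == 0  : block until the lock is acquired
 *   wait != 0, timeout > 0   : retry for up to timeout seconds
 * Returns the fd holding the lock (keep it open while working), or -1.
 * A flock() lock belongs to the open file description, so the kernel
 * drops it when the holder exits for any reason, and a second open() of
 * the same file, even in the same process, contends with the first. */
int xtables_lock_example(const char *path, int wait, int timeout)
{
    int fd = open(path, O_CREAT | O_RDWR, 0600);
    time_t deadline;

    if (fd < 0)
        return -1;
    if (wait && timeout == 0) {
        if (flock(fd, LOCK_EX) == 0)
            return fd;
        close(fd);
        return -1;
    }
    deadline = time(NULL) + timeout;
    for (;;) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;
        if (errno != EWOULDBLOCK || !wait || time(NULL) >= deadline) {
            close(fd);
            return -1;
        }
        usleep(200 * 1000); /* polling interval is an arbitrary choice here */
    }
}

/* Closing the fd releases the flock(). */
void xtables_unlock_example(int fd)
{
    if (fd >= 0)
        close(fd);
}

int main(void)
{
    int a = xtables_lock_example(EXAMPLE_LOCK_PATH, 0, 0);
    int b = xtables_lock_example(EXAMPLE_LOCK_PATH, 1, 1);
    int s1 = abstract_socket_lock("xshared-example-lock");
    int s2 = abstract_socket_lock("xshared-example-lock");

    printf("flock: first %s, second (-w 1) %s\n",
           a >= 0 ? "held" : "failed", b >= 0 ? "held" : "failed");
    printf("abstract socket: first %s, second %s\n",
           s1 >= 0 ? "bound" : "failed", s2 >= 0 ? "bound" : "failed");
    xtables_unlock_example(b);
    xtables_unlock_example(a);
    if (s2 >= 0) close(s2);
    if (s1 >= 0) close(s1);
    return 0;
}
```

Run it as any user: the abstract name is taken by whichever process binds first regardless of privilege, whereas squatting the flock() path requires write access to the directory that holds the lock file.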
* src: resolve old macro names that are indirections | Jan Engelhardt | 2011-09-11 | 1 | -1/+1

    Command used:

      git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/)

    and then fix all occurrences.

    Signed-off-by: Jan Engelhardt <>
* extensions: support for per-extension instance "global" variable space | Jan Engelhardt | 2011-06-21 | 1 | -0/+18

    Signed-off-by: Jan Engelhardt <>
* iptables: consolidate target/match init call | Jan Engelhardt | 2011-06-21 | 1 | -2/+13

    This is useful for the upcoming patch about per-instance auxiliary data.

    Signed-off-by: Jan Engelhardt <>
* option: fix ignored negation before implicit extension loading | Jan Engelhardt | 2011-06-07 | 1 | -5/+7

    `iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it was not
    present in a subsequent `iptables -S`.

    Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto
    extension, cs.invert must not be touched until the next getopt call.
    This is now fixed by having command_default return a value to indicate
    whether to jump or not.

    Signed-off-by: Jan Engelhardt <>
* src: move all iptables pieces into a separate directory | Jan Engelhardt | 2011-06-07 | 1 | -0/+207

    (Unclutter top-level dir)

    Signed-off-by: Jan Engelhardt <>