From 31e4b5906ff676a3c13060d6f456d72b7f6c90c2 Mon Sep 17 00:00:00 2001
From: Joel Goguen <contact+netfilter@jgoguen.ca>
Date: Wed, 11 Jul 2018 16:32:20 -0700
Subject: iptables-restore: free the table lock when skipping a table

Currently, when running `iptables-restore --table=X`, where `X` is not the first
table in the rules dump, the restore will fail when parsing the second table:

- a lock is acquird when parsing the first table name
- the table name does not match the parameter to `--table` so processing
  continues until the next table
- when processing the next table a lock is acquired, which fails because a lock
  is already held

Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

This will release the lock as soon as it's decided the current table won't be
used.

Signed-off-by: Joel Goguen <contact+netfilter@jgoguen.ca>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 .../testcases/ipt-restore/dumps/iptables.dump      | 30 ++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump

(limited to 'iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump')

diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
new file mode 100644
index 00000000..6e4e42d3
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
@@ -0,0 +1,30 @@
+*nat
+:PREROUTING ACCEPT [1:89]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [351:24945]
+:POSTROUTING ACCEPT [351:24945]
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT [3270:1513114]
+:INPUT ACCEPT [3270:1513114]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [3528:1087907]
+:POSTROUTING ACCEPT [3546:1090751]
+COMMIT
+
+*raw
+:PREROUTING ACCEPT [3270:1513114]
+:OUTPUT ACCEPT [3528:1087907]
+COMMIT
+
+*filter
+:INPUT DROP [37:4057]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [3528:1087907]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
+COMMIT
-- 
cgit v1.2.3