From d7aeda5ed45ac7ca959f12180690caa371b5b14b Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 8 Jul 2013 19:34:12 +0200
Subject: ip{6}tables-restore: fix breakage due to new locking approach

Since (93587a0 ip[6]tables: Add locking to prevent concurrent instances), ip{6}tables-restore does not work anymore: iptables-restore < x Another app is currently holding the xtables lock. Perhaps you want to use the -w option? do_command{6}(...) is called from ip{6}tables-restore for every iptables command contained in the rule-set file. Thus, hitting the lock error after the second command. Fix it by bypassing the locking in the ip{6}tables-restore path.
Signed-off-by: Pablo Neira Ayuso
---
 iptables/ip6tables-restore.c | 2 +-
 iptables/ip6tables-standalone.c | 2 +-
 iptables/ip6tables.c | 10 ++++++++--
 iptables/iptables-restore.c | 2 +-
 iptables/iptables-standalone.c | 2 +-
 iptables/iptables.c | 10 ++++++++--
 6 files changed, 20 insertions(+), 8 deletions(-)
(limited to 'iptables')
diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index 0e8252f4..b8b9e0dd 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -438,7 +438,7 @@ int ip6tables_restore_main(int argc, char *argv[])
 DEBUGP("argv[%u]: %s\n", a, newargv[a]);
 ret = do_command6(newargc, newargv,
- &newargv[2], &handle);
+ &newargv[2], &handle, true);
 free_argv();
 fflush(stdout);
diff --git a/iptables/ip6tables-standalone.c b/iptables/ip6tables-standalone.c
index 21b58116..656e08d5 100644
--- a/iptables/ip6tables-standalone.c
+++ b/iptables/ip6tables-standalone.c
@@ -58,7 +58,7 @@ ip6tables_main(int argc, char *argv[])
 init_extensions6();
 #endif
- ret = do_command6(argc, argv, &table, &handle);
+ ret = do_command6(argc, argv, &table, &handle, false);
 if (ret) {
 ret = ip6tc_commit(handle);
 ip6tc_free(handle);
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index eededee1..1fb33f6d 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1286,7 +1286,8 @@ static void command_match(struct iptables_command_state *cs)
 m->extra_opts, &m->option_offset);
 }
-int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle)
+int do_command6(int argc, char *argv[], char **table,
+ struct xtc_handle **handle, bool restore)
 {
 struct iptables_command_state cs;
 struct ip6t_entry *e = NULL;
@@ -1577,6 +1578,11 @@ int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle
 break;
 case 'w':
+ if (restore) {
+ xtables_error(PARAMETER_PROBLEM,
+ "You cannot use `-w' from "
+ "ip6tables-restore");
+ }
 wait = true;
 break;
@@ -1732,7 +1738,7 @@ int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle
 chain, XT_EXTENSION_MAXNAMELEN);
 /* Attempt to acquire the xtables lock */
- if (!xtables_lock(wait)) {
+ if (!restore && !xtables_lock(wait)) {
 fprintf(stderr, "Another app is currently holding the xtables lock. "
 "Perhaps you want to use the -w option?\n");
 xtables_free_opts(1);
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 08225139..8c942ff6 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -438,7 +438,7 @@ iptables_restore_main(int argc, char *argv[])
 DEBUGP("argv[%u]: %s\n", a, newargv[a]);
 ret = do_command4(newargc, newargv,
- &newargv[2], &handle);
+ &newargv[2], &handle, true);
 free_argv();
 fflush(stdout);
diff --git a/iptables/iptables-standalone.c b/iptables/iptables-standalone.c
index 683a44a5..4da1d7f8 100644
--- a/iptables/iptables-standalone.c
+++ b/iptables/iptables-standalone.c
@@ -58,7 +58,7 @@ iptables_main(int argc, char *argv[])
 init_extensions4();
 #endif
- ret = do_command4(argc, argv, &table, &handle);
+ ret = do_command4(argc, argv, &table, &handle, false);
 if (ret) {
 ret = iptc_commit(handle);
 iptc_free(handle);
diff --git a/iptables/iptables.c b/iptables/iptables.c
index f857bebc..fe18e1cc 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
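Review bot: The new `restore` parameter in the `@@ -1286,7 +1286,8 @@` hunk of iptables/ip6tables.c (and on do_command4 in iptables/iptables.c) is undocumented, and the call sites pass a bare `true` or `false`, so its effect on locking is invisible to a reader. A comment above the definition would cover it, for example `/* restore: true when called from ip6tables-restore; the xtables lock is not taken and -w is rejected */`. The body of do_command6 continues outside this hunk. The diffstat is limited to 'iptables', so the matching prototype change is not visible here and should be confirmed.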
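Review bot: In the `@@ -1732,7 +1738,7 @@` hunk of iptables/ip6tables.c, `if (!restore && !xtables_lock(wait))` makes the restore path skip the xtables lock entirely, so ip6tables-restore can again run concurrently with another ip6tables instance, which is the situation 93587a0 was added to prevent; a rule-set load interleaved with another writer may leave the packet filter in a state neither caller intended. The same condition is added for do_command4 in iptables/iptables.c. Nothing in the restore_main hunks takes the lock, so unless it is acquired elsewhere I would have ip6tables_restore_main and iptables_restore_main call `xtables_lock(...)` once before the first command and hold it until commit, keeping `restore` only to skip the per-command acquisition. The `case 'w'` rejection in the `@@ -1577,6 +1578,11 @@` hunk could then become a wait option of the restore tools instead of a hard error. do_command6 starts and ends outside these hunks.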
@@ -1282,7 +1282,8 @@ static void command_match(struct iptables_command_state *cs)
 xtables_error(OTHER_PROBLEM, "can't alloc memory!");
 }
-int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle)
+int do_command4(int argc, char *argv[], char **table,
+ struct xtc_handle **handle, bool restore)
 {
 struct iptables_command_state cs;
 struct ipt_entry *e = NULL;
@@ -1571,6 +1572,11 @@ int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle
 break;
 case 'w':
+ if (restore) {
+ xtables_error(PARAMETER_PROBLEM,
+ "You cannot use `-w' from "
+ "iptables-restore");
+ }
 wait = true;
 break;
@@ -1729,7 +1735,7 @@ int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle
 chain, XT_EXTENSION_MAXNAMELEN);
 /* Attempt to acquire the xtables lock */
- if (!xtables_lock(wait)) {
+ if (!restore && !xtables_lock(wait)) {
 fprintf(stderr, "Another app is currently holding the xtables lock. "
 "Perhaps you want to use the -w option?\n");
 xtables_free_opts(1);
--
cgit v1.2.3