authorJethro Beekman <jethro@fortanix.com>2022-02-14 10:35:56 +0100
committerFlorian Westphal <fw@strlen.de>2022-02-15 23:42:05 +0100
commit07e2107ef0cbc1b81864c3c0f0ef297a9dfff44d (patch)
treeeba64618054cf690c69159d3f7e95f4429e19912 /iptables/iptables.c
parenta3980769541f6deb8d7b185de488dec6f40092f1 (diff)
xshared: Implement xtables lock timeout using signals
Previously, if a lock timeout is specified using `-w N`, flock() is called using LOCK_NB in a loop with a sleep. This results in two issues. The first issue is that the process may wait longer than necessary when the lock becomes available. For this the `-W` option was added, but this requires fine-tuning. The second issue is that if lock contention is high, invocations using `-w` (without a timeout) will always win lock acquisition from invocations that use `-w N`. This is because invocations using `-w` are actively waiting on the lock whereas those using `-w N` only check from time to time whether the lock is free, which will never be the case. This patch removes the sleep loop and deprecates the `-W` option (making it non-functional). Instead, flock() is always called in a blocking fashion, but the alarm() function is used with a non-SA_RESTART signal handler to cancel the system call. Signed-off-by: Jethro Beekman <jethro@fortanix.com> Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/iptables.c')
-rw-r--r--iptables/iptables.c7
1 files changed, 1 insertions, 6 deletions
diff --git a/iptables/iptables.c b/iptables/iptables.c
index f5fe868c..ccebb1a6 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -706,15 +706,11 @@ int do_command4(int argc, char *argv[], char **table,
};
struct xtables_args args = {
.family = AF_INET,
- .wait_interval.tv_sec = 1,
};
struct ipt_entry *e = NULL;
unsigned int nsaddrs = 0, ndaddrs = 0;
struct in_addr *saddrs = NULL, *smasks = NULL;
struct in_addr *daddrs = NULL, *dmasks = NULL;
- struct timeval wait_interval = {
- .tv_sec = 1,
- };
int verbose = 0;
int wait = 0;
const char *chain = NULL;
@@ -732,7 +728,6 @@ int do_command4(int argc, char *argv[], char **table,
newname = p.newname;
verbose = p.verbose;
wait = args.wait;
- wait_interval = args.wait_interval;
nsaddrs = args.s.naddrs;
ndaddrs = args.d.naddrs;
saddrs = args.s.addr.v4;
@@ -742,7 +737,7 @@ int do_command4(int argc, char *argv[], char **table,
/* Attempt to acquire the xtables lock */
if (!restore)
- xtables_lock_or_exit(wait, &wait_interval);
+ xtables_lock_or_exit(wait);
/* only allocate handle if we weren't called with a handle */
if (!*handle)
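Review bot: The new call `xtables_lock_or_exit(wait);` silently changes the timeout contract for scripted callers: `wait` is a plain `int` of seconds (declared as `int wait = 0;` earlier in this function), and per the commit message the timeout is now armed with alarm(), so the sub-second granularity that `-W` gave is gone and `-W` is accepted but ignored. Accepting a flag and doing nothing is the worst outcome for automation that tuned `-W` for contention — a root-run firewall script will behave differently with no indication; if the option parser (in xshared, outside this hunk) does not already do so, it should at least print a deprecation warning to stderr when `-W` is seen. At the call site I would add a comment so the next reader does not reintroduce polling or reuse SIGALRM in this function: `/* Blocking flock(); -w N is whole seconds and is enforced via alarm()/SIGALRM inside xtables_lock_or_exit, so nothing else in do_command4 may rely on that timer. */` (presumably the handler is process-wide, as the description implies — confirm in xshared.c). do_command4 begins before and continues after this hunk.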