From 07e2107ef0cbc1b81864c3c0f0ef297a9dfff44d Mon Sep 17 00:00:00 2001 From: Jethro Beekman Date: Mon, 14 Feb 2022 10:35:56 +0100 Subject: xshared: Implement xtables lock timeout using signals Previously, if a lock timeout is specified using `-wN `, flock() is called using LOCK_NB in a loop with a sleep. This results in two issues. The first issue is that the process may wait longer than necessary when the lock becomes available. For this the `-W` option was added, but this requires fine-tuning. The second issue is that if lock contention is high, invocations using `-w` (without a timeout) will always win lock acquisition from invocations that use `-w N`. This is because invocations using `-w` are actively waiting on the lock whereas those using `-w N` only check from time to time whether the lock is free, which will never be the case. This patch removes the sleep loop and deprecates the `-W` option (making it non-functional). Instead, flock() is always called in a blocking fashion, but the alarm() function is used with a non-SA_RESTART signal handler to cancel the system call. Signed-off-by: Jethro Beekman Signed-off-by: Florian Westphal
---
 iptables/iptables.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'iptables/iptables.c')
diff --git a/iptables/iptables.c b/iptables/iptables.c
index f5fe868c..ccebb1a6 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -706,15 +706,11 @@ int do_command4(int argc, char *argv[], char **table,
 };
 struct xtables_args args = {
 .family = AF_INET,
- .wait_interval.tv_sec = 1,
 };
 struct ipt_entry *e = NULL;
 unsigned int nsaddrs = 0, ndaddrs = 0;
 struct in_addr *saddrs = NULL, *smasks = NULL;
 struct in_addr *daddrs = NULL, *dmasks = NULL;
- struct timeval wait_interval = {
- .tv_sec = 1,
- };
 int verbose = 0;
 int wait = 0;
 const char *chain = NULL;
@@ -732,7 +728,6 @@ int do_command4(int argc, char *argv[], char **table,
 newname = p.newname;
 verbose = p.verbose;
 wait = args.wait;
- wait_interval = args.wait_interval;
 nsaddrs = args.s.naddrs;
 ndaddrs = args.d.naddrs;
 saddrs = args.s.addr.v4;
@@ -742,7 +737,7 @@ int do_command4(int argc, char *argv[], char **table,
 /* Attempt to acquire the xtables lock */
 if (!restore)
- xtables_lock_or_exit(wait, &wait_interval);
+ xtables_lock_or_exit(wait);
 /* only allocate handle if we weren't called with a handle */
 if (!*handle)
-- cgit v1.2.3
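Review bot: The comment above `xtables_lock_or_exit(wait);` in the last hunk still says only "Attempt to acquire the xtables lock", so nothing at the call site records what `wait` now means or how the timeout is enforced. `wait` is a plain `int` initialised to 0 and copied from `args.wait`, and per the commit description the callee now blocks in flock() and relies on alarm() with a non-SA_RESTART handler to give up. I would extend the comment to something like `/* Acquire the xtables lock; wait is the -w timeout, enforced inside xtables_lock_or_exit() by alarm()/SIGALRM rather than polling */`, after confirming the units and the "no timeout" value against xshared.c, which this page does not show. Since the alarm and handler are process-wide, it is also worth confirming there that the alarm is cancelled once the lock is held, so a late SIGALRM cannot interrupt the rule processing that follows this call. do_command4 begins and continues outside the hunk.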