author    Phil Sutter <>  2022-09-28 23:26:42 +0200
committer Phil Sutter <>  2022-09-30 16:09:06 +0200
commit    545edb7a8ef0a8acf991b1b7857fddc24d7b151a
tree      ad5c041c31728c7a8d6b6ff542d93578ee271a10
parent    0f1fbeca73b9dfcf19e04eb5ce4718528c01c2f1
monitor: Sanitize startup race condition
During startup, 'nft monitor' first fetches the current ruleset and then keeps this cache up to date based on received events. This is racy, as any ruleset changes in between the initial fetch and the socket opening are not recognized. This script demonstrates the problem:

| #!/bin/bash
|
| while true; do
|         nft flush ruleset
|         iptables-nft -A FORWARD
| done &
| maniploop=$!
|
| trap "kill $maniploop; kill \$!; wait" EXIT
|
| while true; do
|         nft monitor rules >/dev/null &
|         sleep 0.2
|         kill $!
| done

If the table add event is missed, the rule add event callback fails to deserialize the rule and calls abort(). Avoid the inconvenient program exit by returning NULL from netlink_delinearize_rule() instead of aborting and make callers check the return value.

Signed-off-by: Phil Sutter <>
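The race the commit message describes, as an added model that is not nftables code: a kernel ruleset receives a sequence of changes, the monitor snapshots it at one point and only starts receiving events at a later point, so the add_table event in between is lost. The names apply_op, delinearize_rule, simulate_monitor and the OPS sequence are constructed for illustration; the function mirrors the old abort() behaviour and the fixed return-NULL-and-skip behaviour side by side.

```python
import copy

def apply_op(tables, op):
    """Apply one ruleset change to a table->rules dict (kernel or cache)."""
    kind = op[0]
    if kind == "flush":
        tables.clear()
    elif kind == "add_table":
        tables.setdefault(op[1], [])
    elif kind == "add_rule":
        tables[op[1]].append(op[2])

def delinearize_rule(cache, op):
    """Resolve an add_rule event against the monitor's cache. Returns None
    instead of aborting when the table is unknown (its add event was missed)."""
    table, rule = op[1], op[2]
    if table not in cache:
        return None
    return table, rule

def simulate_monitor(ops, fetch_at, subscribe_at, tolerate_unknown):
    """Snapshot the kernel just before ops[fetch_at], receive events from
    ops[subscribe_at] on; changes in between are lost. Returns (cache, skipped, aborted)."""
    kernel, cache, delivered = {}, None, []
    for i, op in enumerate(ops):
        if i == fetch_at:
            cache = copy.deepcopy(kernel)      # initial ruleset fetch
        apply_op(kernel, op)
        if i >= subscribe_at:
            delivered.append(op)               # event socket is open
    if cache is None:
        cache = copy.deepcopy(kernel)
    skipped = 0
    for op in delivered:
        if op[0] == "add_rule":
            resolved = delinearize_rule(cache, op)
            if resolved is None:
                if not tolerate_unknown:
                    return cache, skipped, True   # old behaviour: abort()
                skipped += 1                      # fixed behaviour: drop event
                continue
        apply_op(cache, op)
    return cache, skipped, False

# Constructed sequence matching the reproducer: flush, then iptables-nft recreates the table and adds a rule.
OPS = [("add_table", "filter"), ("flush",), ("add_table", "filter"),
       ("add_rule", "filter", "counter")]
```

Fetching at index 2 and subscribing at index 3 loses the add_table event; the strict variant stops on the very first rule event, while the tolerant one keeps monitoring with an incomplete cache.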
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions