authorThomas Haller <thaller@redhat.com>2023-09-19 14:36:17 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2023-09-19 17:26:27 +0200
commitdac1fbe3d35bf5e78320c4402718628866ed9d0a (patch)
tree96bf2bfe7f5b7fbd011518147b68e0633a898204 /src/xt.c
parent96ee78ec4a0707114d2f8ef7590d08cfd25080ea (diff)
libnftables: move init-once guard inside xt_init()
A library should not restrict being used by multiple threads or make assumptions about how it's being used. Hence an "init_once" pattern without locking is racy, a code smell and should be avoided. Note that libxtables is full of global variables and when linking against it, libnftables cannot be used from multiple threads either. That is not easy to fix. Move the ugliness of "init_once" away from nft_ctx_new(), so that the problem is concentrated closer to libxtables. Signed-off-by: Thomas Haller <thaller@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/xt.c')
-rw-r--r--src/xt.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/src/xt.c b/src/xt.c
index d774e073..bb87e86e 100644
--- a/src/xt.c
+++ b/src/xt.c
@@ -361,7 +361,18 @@ static struct xtables_globals xt_nft_globals = {
void xt_init(void)
{
- /* Default to IPv4, but this changes in runtime */
- xtables_init_all(&xt_nft_globals, NFPROTO_IPV4);
+ static bool init_once;
+
+ if (!init_once) {
+ /* libxtables is full of global variables and cannot be used
+ * concurrently by multiple threads. Hence, it's fine that the
+ * "init_once" guard is not thread-safe either.
+ * Don't link against xtables if you want thread safety.
+ */
+ init_once = true;
+
+ /* Default to IPv4, but this changes in runtime */
+ xtables_init_all(&xt_nft_globals, NFPROTO_IPV4);
+ }
}
#endif
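Review bot: In xt_init(), `init_once = true;` is set before `xtables_init_all()` runs and the call's result is discarded, so a failed initialisation is latched as done and every later call silently skips it. As far as I know xtables_init_all() returns an int status in libxtables, so the flag could be set only on success, e.g. `if (xtables_init_all(&xt_nft_globals, NFPROTO_IPV4) == 0) init_once = true;`, or the ignored result could at least get a comment. Separately, the thread-safety caveat lives only in a comment inside the `if` body. A short header comment above `void xt_init(void)` saying the function is not safe to call concurrently would make that limit visible to anyone reading the callers rather than the body.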