FS#943 - iptables 1.6.1 fails to acquire a lock because /run/ does not exist #7342

Closed
openwrt-bot opened this issue Aug 1, 2017 · 3 comments

@openwrt-bot openwrt-bot commented Aug 1, 2017

charlemagnelasse:

Just flashed a device with the current snapshot of LEDE (https://downloads.lede-project.org/snapshots/targets/ar71xx/generic/; r4657-bb4d500). I then wanted to use locking with iptables but noticed that the lock was just not working:

```
root@LEDE:/# strace iptables -w -L
...
open("/run/xtables.lock", O_RDONLY|O_CREAT|O_LARGEFILE, 0600) = -1 ENOENT (No such file or directory)
socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_INFO, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
...
```

The lock was basically ignored and the socket was opened without the lock opened. The package is missing the following things:

It is not safe to use multiple (writing) iptables processes without locking. It is therefore a rather big problem that it is broken at the moment.

@openwrt-bot openwrt-bot commented Aug 1, 2017

charlemagnelasse:

Here is the list of required changes again:

@openwrt-bot openwrt-bot commented Aug 1, 2017

charlemagnelasse:

Here is the output of a patched version (don't forget to update the configure script):

```
root@LEDE:/# strace -e open,flock iptables -w -L
...
open("/var/lock/xtables.lock", O_RDONLY|O_CREAT|O_LARGEFILE, 0600) = 3
flock(3, LOCK_EX)
....
```

@openwrt-bot openwrt-bot commented Aug 25, 2017

bjonglez:

All these iptables changes are still unreleased. They will be picked up whenever a new version of iptables is released and updated in LEDE.

Feel free to submit a patch when the next version is released, and in the meantime you can submit a patch that simply changes the path to the lock.

https://lede-project.org/submitting-patches
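
The open/flock sequence from the strace output in this thread, sketched so that a failed `open()` on the lock file is returned to the caller instead of being skipped. This is an added example, not iptables or LEDE code; the names `acquire_lock` and `demo` and the temporary paths are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

/* Open (creating if needed) and exclusively lock `path`.
 * Returns the lock fd on success, or -errno on failure, so a missing
 * lock directory is reported to the caller rather than ignored. */
int acquire_lock(const char *path, int wait)
{
    int fd = open(path, O_RDONLY | O_CREAT, 0600);
    if (fd < 0)
        return -errno;          /* e.g. -ENOENT when the directory is missing */
    if (flock(fd, LOCK_EX | (wait ? 0 : LOCK_NB)) != 0) {
        int err = errno;
        close(fd);
        return -err;            /* -EWOULDBLOCK: another holder has the lock */
    }
    return fd;
}

/* Constructed scenario: returns 1 if all three cases behave as expected. */
int demo(void)
{
    char dir[] = "/tmp/xtlock-demo-XXXXXX";
    char good[64], bad[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(good, sizeof good, "%s/xtables.lock", dir);
    snprintf(bad, sizeof bad, "%s/missing/xtables.lock", dir);

    int r_missing = acquire_lock(bad, 0);   /* parent dir absent, like /run */
    int holder    = acquire_lock(good, 0);  /* first writer gets the lock */
    int contender = acquire_lock(good, 0);  /* second writer is refused */

    if (holder >= 0) close(holder);
    unlink(good);
    rmdir(dir);
    return r_missing == -ENOENT && holder >= 0 && contender == -EWOULDBLOCK;
}

int main(void)
{
    printf("lock demo %s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```

A caller that modifies firewall rules would stop on any negative return value rather than continue unlocked.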
