
[Bugfix] Added netfilter lock when more than one iptables command is …

…executed at the same time

Signed-off-by: Emilio <emilio.campos@zevenet.com>

	modified:   app/checkglobalconf/global.conf.tpl
	modified:   www/farms_functions.cgi
	modified:   www/nf_functions.cgi
emiliocampos-zevenet committed Jun 29, 2017
1 parent f0f5bda commit 8ae45c6687da74e7acd4b2907262512cad46e672
Showing with 53 additions and 10 deletions.
  1. +5 −1 app/checkglobalconf/global.conf.tpl
  2. +19 −0 www/farms_functions.cgi
  3. +29 −9 www/nf_functions.cgi
@@ -27,7 +27,7 @@ $rttables = "/etc/iproute2/rt_tables";
#this file
$globalcfg = "/usr/local/zenloadbalancer/config/global.conf";
#version ZEN
$version="4.0.4";#update
$version="4.0.5";#update
#Cipher PCI
$cipher_pci="DEFAULT";#update
#BUY SSL Certificates
@@ -121,6 +121,10 @@ $defaultgwif="";
#Number of gratuitous pings
$pingc="1";
## L4xNat - netfilter
# Iptables lock filename
$iptlock = "/tmp/iptables.lock";
#Directory where is check script. In this directory you can save your own check scripts.
$libexec_dir="/usr/local/zenloadbalancer/app/libexec";
#FarmGuardian binary, create advanced check for backend servers
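Review bot: The lock path added in the second hunk, `$iptlock = "/tmp/iptables.lock";`, is a fixed name in a world-writable directory, and the new code in www/farms_functions.cgi opens it with mode `'>'`, which truncates whatever that path resolves to. If these scripts run as root (likely, since they drive iptables, but not visible in this diff), any local account can create that name first, as a file or a link. The open then either fails, leaving the rules unserialised, or writes through to a file the service never meant to touch. A location writable only by the service avoids this, for example `$iptlock = "/var/run/zenloadbalancer-iptables.lock";` (example path, adjust to the install layout). The comment above the setting should say that the lock file must not live in a shared temporary directory.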
@@ -2616,6 +2616,18 @@ sub _runFarmStart($fname,$writeconf)
push ( @tnat, $red );
}
## lock iptables use ##
my $open_rc = open ( my $ipt_lockfile, '>', $iptlock );
if ( $open_rc )
{
&setIptLock( $ipt_lockfile );
}
else
{
&logfile( "Cannot open $iptlock: $!" );
}
# not used
foreach $nraw ( @traw )
{
@@ -2736,6 +2748,13 @@ sub _runFarmStart($fname,$writeconf)
}
}
## unlock iptables use ##
if ( $open_rc )
{
&setIptUnlock( $ipt_lockfile );
close $ipt_lockfile;
}
# Enable IP forwarding
&setIpForward( "true" );
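Review bot: When `open` on `$iptlock` fails, the `else` branch in the first hunk only logs, and the iptables loops that follow run with no lock, so the race this commit targets comes back silently. The same happens when `flock` fails, because `setIptLock` in www/nf_functions.cgi logs the error but returns nothing the caller can test. Let `setIptLock` return the flock result and check it here, e.g. `my $locked = $open_rc && &setIptLock( $ipt_lockfile );`, then decide explicitly whether to abort the farm start or continue with a logged warning. `_runFarmStart` begins and ends outside both hunks, so any early `return` between the lock and unlock blocks cannot be checked from here.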
@@ -21,6 +21,8 @@
#
###############################################################################
use Fcntl qw(:flock SEEK_END);
#
sub loadNfModule($modname,$params)
{
@@ -324,17 +326,35 @@ sub genIptMasquerade($fname,$nattype,$index,$proto,$mark,$state)
return $rule;
}
# get conntrack sessions
sub getConntrackExpect($args)
#lock iptables
sub setIptLock # ($lockfile)
{
( $args ) = @_;
open CONNS, "</proc/net/nf_conntrack_expect";
my $ipt_lockfile = shift;
if ( flock ( $ipt_lockfile, LOCK_EX ) )
{
&logfile( "Success locking IPTABLES" );
}
else
{
&logfile( "Cannot lock iptables: $!" );
}
}
#open CONNS, "</proc/net/nf_conntrack";
my @expect = <CONNS>;
close CONNS;
return @expect;
#unlock iptables
sub setIptUnlock # ($lockfile)
{
my $ipt_lockfile = shift;
if ( flock ( $ipt_lockfile, LOCK_UN ) )
{
&logfile( "Success unlocking IPTABLES" );
}
else
{
&logfile( "Cannot unlock iptables: $!" );
}
}
# do not remove this
1
1;
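Review bot: `flock( $ipt_lockfile, LOCK_EX )` in `setIptLock` waits with no bound, so one stuck or slow lock holder stalls every other farm start, presumably including requests served by these .cgi scripts. A non-blocking attempt, `flock( $ipt_lockfile, LOCK_EX | LOCK_NB )`, retried a limited number of times with a short sleep, would let the caller log and give up after a timeout instead of hanging. Both new subs should get a header comment stating that the argument is an open filehandle, since the `# ($lockfile)` hint reads like a path. `SEEK_END` in `use Fcntl qw(:flock SEEK_END);` is imported but not used in the lines shown.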
