0051-ebtables-Use-flock-for-concurrent-option.patch 4.3 KB

  1. From: Sven Eckelmann <sven@narfation.org>
  2. Date: Wed, 20 Dec 2017 16:55:17 +0100
  3. Subject: ebtables: Use flock() for --concurrent option
  4. The previous locking mechanism was not atomic, hence it was possible
  5. that a killed ebtables process would leave the lock file in place which
  6. in turn made future ebtables processes wait indefinitely for the lock to
  7. become free.
  8. Fix this by using flock(). This also simplifies code quite a bit because
  9. there is no need for a custom signal handler or an __exit routine
  10. anymore.
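--- /dev/null
+++ b/package/network/utils/ebtables/patches/300-fix-concurrent.patch
@@ -0,0 +1,127 @@
+From 6a826591878db3fa9e2a94b87a3d5edd8e0fc442 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 6 Oct 2017 12:48:50 +0200
+Subject: Use flock() for --concurrent option
+
+The previous locking mechanism was not atomic, hence it was possible
+that a killed ebtables process would leave the lock file in place which
+in turn made future ebtables processes wait indefinitely for the lock to
+become free.
+
+Fix this by using flock(). This also simplifies code quite a bit because
+there is no need for a custom signal handler or an __exit routine
+anymore.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Origin: upstream, https://git.netfilter.org/ebtables/commit/?id=6a826591878db3fa9e2a94b87a3d5edd8e0fc442
+---
+ ebtables.c | 8 --------
+ libebtc.c | 49 +++++--------------------------------------------
+ 2 files changed, 5 insertions(+), 52 deletions(-)
+
+diff --git a/ebtables.c b/ebtables.c
+index 62f1ba8..f7dfccf 100644
+--- a/ebtables.c
++++ b/ebtables.c
+@@ -528,12 +528,6 @@ void ebt_early_init_once()
+ ebt_iterate_targets(merge_target);
+ }
+
+-/* signal handler, installed when the option --concurrent is specified. */
+-static void sighandler(int signum)
+-{
+- exit(-1);
+-}
+-
+ /* We use exec_style instead of #ifdef's because ebtables.so is a shared object. */
+ int do_command(int argc, char *argv[], int exec_style,
+ struct ebt_u_replace *replace_)
+@@ -1047,8 +1041,6 @@ big_iface_length:
+ strcpy(replace->filename, optarg);
+ break;
+ case 13 : /* concurrent */
+- signal(SIGINT, sighandler);
+- signal(SIGTERM, sighandler);
+ use_lockfd = 1;
+ break;
+ case 1 :
+diff --git a/libebtc.c b/libebtc.c
+index 74830ec..c0ff8cc 100644
+--- a/libebtc.c
++++ b/libebtc.c
+@@ -31,6 +31,7 @@
+ #include "include/ethernetdb.h"
+ #include <unistd.h>
+ #include <fcntl.h>
++#include <sys/file.h>
+ #include <sys/wait.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
+@@ -137,58 +138,18 @@ void ebt_list_extensions()
+ #define LOCKDIR "/var/lib/ebtables"
+ #define LOCKFILE LOCKDIR"/lock"
+ #endif
+-static int lockfd = -1, locked;
+ int use_lockfd;
+ /* Returns 0 on success, -1 when the file is locked by another process
+ * or -2 on any other error. */
+ static int lock_file()
+ {
+- int try = 0;
+- int ret = 0;
+- sigset_t sigset;
+-
+-tryagain:
+- /* the SIGINT handler will call unlock_file. To make sure the state
+- * of the variable locked is correct, we need to temporarily mask the
+- * SIGINT interrupt. */
+- sigemptyset(&sigset);
+- sigaddset(&sigset, SIGINT);
+- sigprocmask(SIG_BLOCK, &sigset, NULL);
+- lockfd = open(LOCKFILE, O_CREAT | O_EXCL | O_WRONLY, 00600);
+- if (lockfd < 0) {
+- if (errno == EEXIST)
+- ret = -1;
+- else if (try == 1)
+- ret = -2;
+- else {
+- if (mkdir(LOCKDIR, 00700))
+- ret = -2;
+- else {
+- try = 1;
+- goto tryagain;
+- }
+- }
+- } else {
+- close(lockfd);
+- locked = 1;
+- }
+- sigprocmask(SIG_UNBLOCK, &sigset, NULL);
+- return ret;
+-}
++ int fd = open(LOCKFILE, O_CREAT, 00600);
+
+-void unlock_file()
+-{
+- if (locked) {
+- remove(LOCKFILE);
+- locked = 0;
+- }
++ if (fd < 0)
++ return -2;
++ return flock(fd, LOCK_EX);
+ }
+
+-void __attribute__ ((destructor)) onexit()
+-{
+- if (use_lockfd)
+- unlock_file();
+-}
+ /* Get the table from the kernel or from a binary file
+ * init: 1 = ask the kernel for the initial contents of a table, i.e. the
+ * way it looks when the table is insmod'ed
+--
+cgit v1.1
+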
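Review bot: The rewritten lock_file() in the inner libebtc.c hunk drops the old one-shot `mkdir(LOCKDIR, 00700)` fallback, so if the lock directory is missing the `open()` fails and the function returns -2 without ever taking the lock. On a target where /var is recreated at boot this would presumably hit every `--concurrent` call, but how -2 is handled depends on the caller, which is outside this hunk. The descriptor is also not closed when `flock()` fails, so a caller that retries on -1 would leak one fd per attempt. The retained header comment still documents -1 as "locked by another process", which a blocking `LOCK_EX` never reports. The descriptor is deliberately left open so the lock lasts until exit; if the process forks helpers while holding it, adding `O_CLOEXEC` to the `open()` flags would be worth considering so the lock is not inherited across exec.

```c
/* Returns 0 on success, -1 if flock() fails or -2 if the lock file
 * cannot be opened. */
static int lock_file()
{
	int fd, ret, try = 0;

retry:
	fd = open(LOCKFILE, O_CREAT, 00600);
	if (fd < 0) {
		/* lock directory may not exist yet: create it once and retry */
		if (try || mkdir(LOCKDIR, 00700))
			return -2;
		try = 1;
		goto retry;
	}
	ret = flock(fd, LOCK_EX);
	if (ret)
		close(fd);	/* do not leak the descriptor on failure */
	return ret;
}
```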