---------- Forwarded message ----------
From: Pablo Neira Ayuso <[email protected]>
Date: Thu, Aug 8, 2013 at 1:29 PM
Subject: Re: [PATCH] iptables: iptables calls setsockopt incorrectly
To: "Laurence J. Lane" <[email protected]>
Cc: Netfilter Development Mailinglist <[email protected]>


Hi Laurence,

On Thu, Aug 08, 2013 at 01:25:46PM -0400, Laurence J. Lane wrote:
> https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1187177
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710997
>
>
> ---------- Forwarded message ----------
> From: LaMont Jones <[email protected]>
> Date: Mon, Jun 3, 2013 at 6:07 PM
> Subject: Bug#710997: iptables calls setsockopt incorrectly
> To: [email protected]
>
>
> Package: iptables
> Version: 1.4.18-1
> Tags: patch
> --
>
> Since time immemorial, iptables has called setsockopt() and treated any
> -1 return value as fatal.  Any system call can return EAGAIN or
> EINPROGRESS (depending on the origins of the API), and good coding
> practice requires checking for that and retrying or otherwise handling
> it.
>
> In the case of iptables, if multiple processes are calling iptables
> concurrently, then it is likely that one of them will fail.  I have seen
> this with xen, as well as certain firewall configurations where the
> firewall rules are added as triggered by interfaces being discovered and
> configured.

We have these two patches to address this in mainstream:

http://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8
http://git.netfilter.org/iptables/commit/?id=d7aeda5ed45ac7ca959f12180690caa371b5b14b

Regards.
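
The retry handling that the quoted bug report asks for, sketched as an added example; it is not code from this thread and not the content of the commits linked above. `setsockopt_retry`, the two stub functions and the back-off values are hypothetical names and assumptions; the constructed stubs stand in for the kernel so the example runs without a netfilter socket.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>

/* Same signature as setsockopt(2), so a stub can stand in for the kernel. */
typedef int (*sockopt_fn)(int, int, int, const void *, socklen_t);

/* Hypothetical helper: retry only while errno is EAGAIN, at most max_tries
 * calls. Any other errno is treated as permanent and returned at once. */
int setsockopt_retry(sockopt_fn fn, int fd, int level, int name,
                     const void *val, socklen_t len, int max_tries)
{
    int delay_ms = 1;                     /* assumed back-off: 1, 2, 4 ... ms */
    for (int attempt = 1; ; attempt++) {
        if (fn(fd, level, name, val, len) == 0)
            return 0;
        if (errno != EAGAIN || attempt >= max_tries)
            return -1;                    /* errno is the failing call's value */
        poll(NULL, 0, delay_ms);          /* sleep before the next attempt */
        if (delay_ms < 64)
            delay_ms *= 2;
    }
}

/* Constructed stub: fails with EAGAIN stub_fail_left times, then succeeds. */
static int stub_fail_left, stub_calls;
static int flaky_setsockopt(int fd, int lvl, int name, const void *v, socklen_t n)
{
    (void)fd; (void)lvl; (void)name; (void)v; (void)n;
    stub_calls++;
    if (stub_fail_left > 0) { stub_fail_left--; errno = EAGAIN; return -1; }
    return 0;
}

/* Constructed stub: a permanent failure that must not be retried. */
static int denied_setsockopt(int fd, int lvl, int name, const void *v, socklen_t n)
{
    (void)fd; (void)lvl; (void)name; (void)v; (void)n;
    stub_calls++; errno = EPERM; return -1;
}

int main(void)
{
    stub_fail_left = 2;
    int rc = setsockopt_retry(flaky_setsockopt, -1, 0, 0, NULL, 0, 5);
    printf("transient: rc=%d after %d calls\n", rc, stub_calls);
    stub_calls = 0;
    rc = setsockopt_retry(denied_setsockopt, -1, 0, 0, NULL, 0, 5);
    printf("permanent: rc=%d after %d calls\n", rc, stub_calls);
    return 0;
}
```

Passing the real `setsockopt` as `fn` works unchanged because the typedef matches its prototype.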