iptables calls setsockopt(2) incorrectly, fails when it should not
Bug #1187177 reported by LaMont Jones. This bug affects 1 person.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| iptables (Debian) | Fix Released | Unknown | | |
| iptables (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Lucid | Won't Fix | Undecided | Unassigned | |
| Precise | Won't Fix | Undecided | Unassigned | |
| Quantal | Won't Fix | Undecided | Unassigned | |
| Raring | Won't Fix | Undecided | Unassigned | |
Bug Description
Since time immemorial, iptables has called setsockopt() and treated any
-1 return value as fatal. Any system call can return EAGAIN or
EINPROGRESS (depending on the origins of the API), and good coding
practice requires checking for that and retrying or otherwise handling
it.
In the case of iptables, if multiple processes are calling iptables
concurrently, then it is likely that one of them will fail. I have seen
this with xen, as well as certain firewall configurations where the
firewall rules are added as triggered by interfaces being discovered and
configured.
The attached patch fixes the issue.
lamont
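The report's point is that a `-1` from `setsockopt(2)` with a transient errno (`EAGAIN`, `EINPROGRESS`) should be retried rather than treated as fatal, which matters when several iptables invocations race. The block below is an added example of such a retry wrapper; it is not the patch attached to this bug and not iptables' own code. The real call is passed in as a function pointer so the wrapper can be exercised offline against a constructed stand-in (`fake_setsockopt`, `run_with_failures`, `run_with_hard_error` are all assumed names) that fails a chosen number of times before succeeding; `EINTR` is added to the retry set as a standard transient errno not named in the report.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example (not the patch from this bug): retry setsockopt(2) on
 * transient errnos instead of treating every -1 as fatal. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <time.h>

/* Same signature as setsockopt(2); a test double can be substituted. */
typedef int (*setsockopt_fn)(int, int, int, const void *, socklen_t);

/* Retry on transient errnos, giving up after max_tries attempts.
 * Returns 0 on success, -1 with errno set on a hard error or exhaustion. */
int setsockopt_retry(setsockopt_fn fn, int fd, int level, int optname,
                     const void *optval, socklen_t optlen, int max_tries)
{
    for (int attempt = 1; ; attempt++) {
        if (fn(fd, level, optname, optval, optlen) == 0)
            return 0;
        /* EAGAIN and EINPROGRESS are the codes the report names;
         * EINTR (interrupted by a signal) is a standard addition. */
        if (errno != EAGAIN && errno != EINPROGRESS && errno != EINTR)
            return -1;                 /* hard error: surface it */
        if (attempt >= max_tries)
            return -1;                 /* transient but exhausted; errno kept */
        struct timespec ts = { 0, 10 * 1000 * 1000 }; /* 10 ms back-off */
        nanosleep(&ts, NULL);
    }
}

/* --- constructed stand-in for setsockopt(2), used instead of a socket --- */
static int fake_failures_left;      /* failures to return before success */
static int fake_errno = EAGAIN;     /* errno reported by those failures */
static int fake_calls;              /* total calls observed */

static int fake_setsockopt(int fd, int level, int optname,
                           const void *optval, socklen_t optlen)
{
    (void)fd; (void)level; (void)optname; (void)optval; (void)optlen;
    fake_calls++;
    if (fake_failures_left > 0) {
        fake_failures_left--;
        errno = fake_errno;
        return -1;
    }
    return 0;
}

/* Drive the wrapper with n queued transient failures; return the number
 * of underlying calls made, or -1 if the wrapper gave up. */
int run_with_failures(int n, int max_tries)
{
    fake_failures_left = n;
    fake_errno = EAGAIN;
    fake_calls = 0;
    int opt = 1;
    if (setsockopt_retry(fake_setsockopt, -1, SOL_SOCKET, SO_REUSEADDR,
                         &opt, sizeof opt, max_tries) != 0)
        return -1;
    return fake_calls;
}

/* A non-transient errno (EPERM here) must not be retried: return the
 * number of calls made before the wrapper reported failure. */
int run_with_hard_error(void)
{
    fake_failures_left = 1;
    fake_errno = EPERM;
    fake_calls = 0;
    int opt = 1;
    int rc = setsockopt_retry(fake_setsockopt, -1, SOL_SOCKET, SO_REUSEADDR,
                              &opt, sizeof opt, 5);
    return rc == -1 ? fake_calls : -1;
}

int main(void)
{
    printf("3 transient failures, 5 tries: %d calls\n", run_with_failures(3, 5));
    printf("3 transient failures, 2 tries: %d (gave up)\n", run_with_failures(3, 2));
    printf("hard error: stopped after %d call(s)\n", run_with_hard_error());
    return 0;
}
```

In a real caller the function pointer would be `setsockopt` itself and the level/option would be the netfilter ones iptables uses; the stand-in only exists so the retry and give-up paths can be observed without root or a live ruleset.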
Related branches
lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177
- Ubuntu Sponsors: Pending requested
- Daniel Holbach: Pending requested
- Artur Rona: Pending requested
Diff: 533 lines (+463/-2), 9 files modified:
- debian/changelog (+30/-0)
- debian/control (+1/-0)
- debian/iptables-dev.install (+1/-0)
- debian/iptables.install (+2/-0)
- debian/iptables.manpages (+1/-2)
- debian/nfnl_osf.8 (+80/-0)
- debian/patches/0201-iptables-xml_man_section.patch (+8/-0)
- debian/patches/calling-setsockopt-incorrectly.patch (+338/-0)
- debian/patches/series (+2/-0)
- tags: added: patch
- Changed in iptables (Debian): status: Unknown → New
- Changed in iptables (Ubuntu Lucid): status: New → Triaged
- Changed in iptables (Ubuntu Precise): status: New → Triaged
- Changed in iptables (Ubuntu Quantal): status: New → Triaged
- Changed in iptables (Ubuntu Raring): status: New → Triaged
- Changed in iptables (Ubuntu): status: New → Triaged
- Changed in iptables (Debian): status: New → Fix Released
@lamont
I would consider posting this patch to the upstream iptables project so they can review this patch. If it gets accepted into upstream, it would be useful to then backport to affected series.