iptables calls setsockopt(2) incorrectly, fails when it should not

Bug #1187177 reported by LaMont Jones
Affects                    Status        Importance  Assigned to  Milestone
iptables (Debian)          Fix Released  Unknown
iptables (Ubuntu)          Fix Released  Undecided   Unassigned
iptables (Ubuntu Lucid)    Won't Fix     Undecided   Unassigned
iptables (Ubuntu Precise)  Won't Fix     Undecided   Unassigned
iptables (Ubuntu Quantal)  Won't Fix     Undecided   Unassigned
iptables (Ubuntu Raring)   Won't Fix     Undecided   Unassigned

Bug Description

Since time immemorial, iptables has called setsockopt() and treated any
-1 return value as fatal. Any system call can return EAGAIN or
EINPROGRESS (depending on the origins of the API), and good coding
practice requires checking for that and retrying or otherwise handling
it.

In the case of iptables, if multiple processes are calling iptables
concurrently, then it is likely that one of them will fail. I have seen
this with xen, as well as certain firewall configurations where the
firewall rules are added as triggered by interfaces being discovered and
configured.

The attached patch fixes the issue.
lamont
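An added example of the kind of retry wrapper the report asks for (not the patch attached to the bug, which is not reproduced on this page): a bounded retry around a setsockopt-style call that retries only on transient errno values and fails fast on anything else. The callback type, the 10 ms backoff and the fake setsockopt used to drive it are assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <sys/socket.h>
#include <time.h>
/* Assumed callback type so the wrapper can be driven by the fake below;
 * real code passes setsockopt itself. */
typedef int (*setsockopt_fn)(int, int, int, const void *, socklen_t);

/* Transient conditions named in the report (plus EINTR): worth a retry. */
static bool transient_errno(int err)
{
    return err == EAGAIN || err == EWOULDBLOCK || err == EINPROGRESS || err == EINTR;
}

/* Call fn up to max_tries times, retrying only on transient errors.
 * Returns 0 on success, -1 with errno from the last attempt otherwise. */
int setsockopt_retry(setsockopt_fn fn, int fd, int level, int optname,
                     const void *optval, socklen_t optlen, int max_tries)
{
    for (int attempt = 1; ; attempt++) {
        if (fn(fd, level, optname, optval, optlen) == 0)
            return 0;
        if (!transient_errno(errno) || attempt >= max_tries)
            return -1;                       /* permanent error or budget spent */
        struct timespec backoff = { 0, 10 * 1000 * 1000 }; /* 10 ms, assumed */
        nanosleep(&backoff, NULL);
    }
}

/* Constructed fake: fail fake_failures_left times with fake_err, then succeed. */
static int fake_failures_left, fake_err, fake_calls;
static int fake_setsockopt(int fd, int level, int optname, const void *optval, socklen_t optlen)
{
    (void)fd; (void)level; (void)optname; (void)optval; (void)optlen;
    fake_calls++;
    if (fake_failures_left-- > 0) {
        errno = fake_err;
        return -1;
    }
    return 0;
}

/* Drive the wrapper against the fake; attempts made are left in fake_calls. */
int run_fake(int failures, int err, int max_tries)
{
    fake_failures_left = failures; fake_err = err; fake_calls = 0;
    return setsockopt_retry(fake_setsockopt, 3, SOL_SOCKET, SO_REUSEADDR,
                            NULL, 0, max_tries);
}
```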

Tags: patch

LaMont Jones (lamont) wrote :
tags: added: patch
Changed in iptables (Debian):
status: Unknown → New
Chris J Arges (arges) wrote :

@lamont
I would consider posting this patch to the upstream iptables project so they can review this patch. If it gets accepted into upstream, it would be useful to then backport to affected series.

Changed in iptables (Ubuntu Lucid):
status: New → Triaged
Changed in iptables (Ubuntu Precise):
status: New → Triaged
Changed in iptables (Ubuntu Quantal):
status: New → Triaged
Changed in iptables (Ubuntu Raring):
status: New → Triaged
Changed in iptables (Ubuntu):
status: New → Triaged
Changed in iptables (Debian):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package iptables - 1.4.18-1.1ubuntu1

---------------
iptables (1.4.18-1.1ubuntu1) saucy; urgency=low

  * Merge changes from Debian, version 1.4.18-1.1 to fix FTBFS
    in package perlipq due to missing dependecy: (LP: #1228525)
    - debian/control
    - debian/iptables-dev.install
  * Fix unresolved @PACKAGE_VERSION@ in manpage. Cherry-pick from
    Debian, version 1.4.20-2: (LP: #1134554)
    - debian/iptables.install
    - debian/iptables.manpages
    - debian/nfnl_osf.8
    - 0201-iptables-xml_man_section.patch
  * Fix incorrectly calling setsockopt, cherry-pick: (LP: #1187177)
    - debian/patches/calling-setsockopt-incorrectly.patch

iptables (1.4.18-1.1) unstable; urgency=low

  [ gregor herrmann ]
  * Fix "libipq.h includes non-existing linux/netfilter_ipv4/ip_queue.h":
    ship /usr/include/linux/netfilter_ipv4/ip_queue.h in iptables-dev;
    add Breaks on linux-libc-dev << 3.5
    (Closes: #707535)

  [ Dominic Hargreaves ]
  * Non-maintainer upload
 -- Artur Rona <email address hidden> Fri, 20 Sep 2013 00:26:08 +0200

Changed in iptables (Ubuntu):
status: Triaged → Fix Released
Rolf Leggewie (r0lf) wrote :

quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix".

Changed in iptables (Ubuntu Quantal):
status: Triaged → Won't Fix
Rolf Leggewie (r0lf) wrote :

raring has seen the end of its life and is no longer receiving any updates. Marking the raring task for this ticket as "Won't Fix".

Changed in iptables (Ubuntu Raring):
status: Triaged → Won't Fix
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in iptables (Ubuntu Lucid):
status: Triaged → Won't Fix
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in iptables (Ubuntu Precise):
status: Triaged → Won't Fix