ufw

Support iptables wait

Bug #1652163 reported by Christopher M Luciano
This bug affects 5 people

Affects: ufw
Status: Fix Released
Importance: Low
Assigned to: Jamie Strandboge
Milestone: (none)

Bug Description

[This patch](https://www.spinics.net/lists/netfilter-devel/msg31867.html) references the addition of the -w flag that waits indefinitely for the xtables lock to be released. [Another patch](https://patchwork.ozlabs.org/patch/635676/) added the ability to add an interval to wait.
I would like to submit a patch to implement the basics of adding the -w.

The iptables man page suggests that arguments are passed at the end of the command set. I was hoping to add logic to expect the wait command at the end of the argv list and return wait = True when found. If wait = True, --wait would be appended to the cmd set around line 1154 in backend_iptables.py.

Open questions:
- Is there an ideal position for the wait string?
  - Trying to think ahead in case more iptables options are requested in the future
  - parser.py seems to want comments at the end in class UFWCommandRule
- Do patches that enable concurrent updates using ufw trump a -w patch?
  - Ex https://bugs.launchpad.net/debian/+source/ufw/+bug/1204579

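The keyword-at-the-end approach the reporter sketches above, written out as an added example that is not ufw's own backend_iptables.py code: a trailing `wait` (or `wait <seconds>`, matching the interval patch the report links) is stripped from the rule argv, `-w [seconds]` is prepended to the iptables command, and an injectable runner lets the lock-collision path be exercised without root. The keyword form, helper names and runner interface are assumptions; exit status 4 is iptables' resource-problem code, which it returns when it cannot take the xtables lock.

```python
import subprocess
from typing import Callable, List, NamedTuple, Optional, Sequence

# iptables exits with this status when it cannot take the xtables lock
# (its RESOURCE_PROBLEM code); treated here as a constant of the binary.
XTABLES_LOCK_EXIT = 4


class WaitOption(NamedTuple):
    enabled: bool            # append -w at all?
    seconds: Optional[int]   # None: wait indefinitely; N: give up after N s


def split_wait_option(argv: Sequence[str]):
    """Strip a trailing 'wait' or 'wait <seconds>' keyword from a rule argv.

    Only the end of the list is inspected, the position the report proposes."""
    args = list(argv)
    if len(args) >= 2 and args[-2] == "wait" and args[-1].isdigit():
        seconds = int(args.pop())
        args.pop()
        return args, WaitOption(True, seconds)
    if args and args[-1] == "wait":
        args.pop()
        return args, WaitOption(True, None)
    return args, WaitOption(False, None)


def build_iptables_cmd(rule_args: Sequence[str], wait: WaitOption,
                       exe: str = "iptables") -> List[str]:
    """Assemble the iptables command, inserting -w [seconds] when requested."""
    cmd = [exe]
    if wait.enabled:
        cmd.append("-w")
        if wait.seconds is not None:
            cmd.append(str(wait.seconds))
    return cmd + list(rule_args)


def apply_rule(argv: Sequence[str], runner: Callable = subprocess.run,
               exe: str = "iptables", retries: int = 3) -> int:
    """Run the rule. Without -w, a lock collision (exit 4) is retried a bounded
    number of times rather than failing the whole ufw operation.
    `runner` is injectable so the logic can be exercised without root."""
    rule_args, wait = split_wait_option(argv)
    cmd = build_iptables_cmd(rule_args, wait, exe)
    rc = XTABLES_LOCK_EXIT
    for _ in range(max(1, retries)):
        rc = runner(cmd, capture_output=True, text=True).returncode
        if rc != XTABLES_LOCK_EXIT:
            break
    return rc
```

With a real `subprocess.run` the command still needs root; the retry loop only matters when no `wait` keyword was given, since with `-w` iptables blocks on the lock itself.
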
Tags: dev
Christopher M Luciano (cmluciano) wrote :

Anyone have additional feedback on this?

Luke (lukepolo) wrote :

This would be a huge time saver, currently switched over to iptables while this fix is not in the current release

Christian (bolek2000) wrote :

I would also like to see that implemented. Also, being able to pass additional options to iptables via ufw would be great, to circumvent similar problems when ufw is not up to date with newer iptables options.
I use the ufw Ansible module, and at the moment I get an error if it happens that a playbook runs on 2 hosts that delegate a firewall change in parallel to another host. I can only run the playbook against one host at a time.

Jamie Strandboge (jdstrand) wrote :

The upcoming ufw 0.36 is going to support concurrent updates, though not with iptables wait.

Changed in ufw:
status: New → Fix Committed
Changed in ufw:
importance: Undecided → Low
Jamie Strandboge (jdstrand) wrote :

This is fixed in the new 0.36 release.

Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Proposed package upload rejected

An upload of ufw to cosmic-proposed has been rejected from the upload queue for the following reason: "All bugs mentioned in the .changes file (so therefore also in the new debian/changelog entries) need to comply with SRU standards (test-case, regression potential). Please re-upload after filling out the required info or modify changelog to exclude irrelevant bug numbers."

Ludovico Cavedon (cavedon) wrote :

I am still having xtables lock failures in ufw 0.36-0ubuntu0.18.04.1, when another process (e.g. docker) is concurrently invoking iptables.
It looks like 0.36 is implementing its own internal lock, but not supporting the iptables wait mechanism (as per title of this bug), so I would like to reopen this bug.
