[v2] iptables: Set wait to true by default.

Message ID 20180423011428.8783-1-jack.ma@alliedtelesis.co.nz
State Under Review
Delegated to: Pablo Neira

Commit Message

Jack Ma April 23, 2018, 1:14 a.m.
This allows each iptables user to wait for the xtables_lock
for a maximum of 1 second by default. It is uncommon to not
wait for xtables_lock and exit immediately if the lock is
not available.

If latency-sensitive applications require the wait interval
to be re-adjusted, users are still able to set wait_interval
back to zero or to a more precise value that fits their application.

Signed-off-by: Jack Ma <jack.ma@alliedtelesis.co.nz>
---
 iptables/ip6tables-restore.c   | 3 ++-
 iptables/ip6tables.c           | 4 ++--
 iptables/iptables-restore.8.in | 6 +++---
 iptables/iptables-restore.c    | 3 ++-
 iptables/iptables.8.in         | 6 +++---
 iptables/iptables.c            | 4 ++--
 iptables/xtables.c             | 4 ++--
 7 files changed, 16 insertions(+), 14 deletions(-)

Patch

diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index 47310f20..cdd634f3 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -26,8 +26,9 @@ 
 #define DEBUGP(x, args...)
 #endif
 
-static int counters, verbose, noflush, wait;
+static int counters, verbose, noflush;
 
+static int wait = 1;
 static struct timeval wait_interval = {
 	.tv_sec	= 1,
 };
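Review bot: The new `static int wait = 1;` carries no indication of its unit or of what 0 means, and the `-w` parsing that consumes it is outside this hunk; documenting the default where it is set, `static int wait = 1;	/* seconds to wait for the xtables lock; 0 fails immediately */`, would save the next reader a trip to the option loop. The identical hunk in iptables-restore.c would take the same comment. Since the default is now non-zero, scripts that relied on the restore tools failing fast when the lock is busy will now see up to a one-second delay; the commit message describes this only for the `iptables` user, so it is worth stating for the restore programs as well.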
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 49bd006f..693de28a 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1338,11 +1338,11 @@  int do_command6(int argc, char *argv[], char **table,
 	struct in6_addr *smasks = NULL, *dmasks = NULL;
 
 	int verbose = 0;
-	int wait = 0;
+	int wait = 1;
 	struct timeval wait_interval = {
 		.tv_sec	= 1,
 	};
-	bool wait_interval_set = false;
+	bool wait_interval_set = true;
 	const char *chain = NULL;
 	const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
 	const char *policy = NULL, *newname = NULL;
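Review bot: Initializing `wait_interval_set` to true changes what the flag records — it no longer means "the user passed `-W`", only that the interval holds a value, which the `wait_interval` initializer two lines above already guarantees. If the validation after the option loop (outside this hunk) still rejects a `-W` given without `-w`, a user who passes `-w 0` to restore the old fail-fast behaviour would presumably hit that error without any `-W` on the command line. Keeping `bool wait_interval_set = false;` preserves the flag's meaning while the new `int wait = 1;` default still takes effect. The same initializer change appears in the iptables.c and xtables.c hunks. do_command6 continues outside the hunk.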
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index f751492d..fb8dc970 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -62,9 +62,9 @@  Print the program version number.
 Wait for the xtables lock.
 To prevent multiple instances of the program from running concurrently,
 an attempt will be made to obtain an exclusive lock at launch.  By default,
-the program will exit if the lock cannot be obtained.  This option will
-make the program wait (indefinitely or for optional \fIseconds\fP) until
-the exclusive lock can be obtained.
+the program will wait for a maximum time of 1 second before exiting. 
+This option will make the program wait (indefinitely or for optional
+\fIseconds\fP) until the exclusive lock can be obtained.
 .TP
 \fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP
 Interval to wait per each iteration.
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 074552af..3cd168a1 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -23,8 +23,9 @@ 
 #define DEBUGP(x, args...)
 #endif
 
-static int counters, verbose, noflush, wait;
+static int counters, verbose, noflush;
 
+static int wait = 1;
 static struct timeval wait_interval = {
 	.tv_sec	= 1,
 };
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index a9c6b252..54fe33df 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -366,9 +366,9 @@  specified multiple times to possibly emit more detailed debug statements.
 Wait for the xtables lock.
 To prevent multiple instances of the program from running concurrently,
 an attempt will be made to obtain an exclusive lock at launch.  By default,
-the program will exit if the lock cannot be obtained.  This option will
-make the program wait (indefinitely or for optional \fIseconds\fP) until
-the exclusive lock can be obtained.
+the program will wait for a maximum time of 1 second before exiting.
+This option will make the program wait (indefinitely or for optional
+\fIseconds\fP) until the exclusive lock can be obtained.
 .TP
 \fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP
 Interval to wait per each iteration.
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 69d19fec..540d1d60 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1333,9 +1333,9 @@  int do_command4(int argc, char *argv[], char **table,
 	struct timeval wait_interval = {
 		.tv_sec = 1,
 	};
-	bool wait_interval_set = false;
+	bool wait_interval_set = true;
 	int verbose = 0;
-	int wait = 0;
+	int wait = 1;
 	const char *chain = NULL;
 	const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
 	const char *policy = NULL, *newname = NULL;
diff --git a/iptables/xtables.c b/iptables/xtables.c
index ac113254..653362fe 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -689,10 +689,10 @@  void do_parse(struct nft_handle *h, int argc, char *argv[],
 {
 	struct xtables_match *m;
 	struct xtables_rule_match *matchp;
-	bool wait_interval_set = false;
+	bool wait_interval_set = true;
 	struct timeval wait_interval;
 	struct xtables_target *t;
-	int wait = 0;
+	int wait = 1;
 
 	memset(cs, 0, sizeof(*cs));
 	cs->jumpto = "";
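Review bot: `struct timeval wait_interval;` is left without an initializer while `wait_interval_set` directly above it now starts as true, so any consumer that treats the flag as "interval holds a valid value" would read indeterminate `tv_sec`/`tv_usec`. Unless do_parse assigns it before first use further down (outside this hunk), give it the same default the iptables.c and ip6tables.c hunks use: `struct timeval wait_interval = { .tv_sec = 1, };`. do_parse continues outside the hunk.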