From patchwork Fri May 17 09:14:45 2019
X-Patchwork-Submitter: Paul Spooren
X-Patchwork-Id: 1100904
From: Paul Spooren
To: openwrt-devel@lists.openwrt.org
Cc: Alexander Couzens
Date: Fri, 17 May 2019 11:14:45 +0200
Message-Id: <20190517091446.11260-1-mail@aparcar.org>
Subject: [OpenWrt-Devel] [PATCH 1/2] utils: implement fw3_lock_path() & fw3_unlock_path()

From: Alexander Couzens

To lock a second lock file at the same time, introduce fw3_{un,}lock_path.
fw3_lock_path supports the path as a parameter, unlike fw3_lock, which only
locks the fw3 lock file (/var/run/fw3.lock).

Signed-off-by: Alexander Couzens
--- utils.c | 34 +++++++++++++++++++++++++--------- utils.h | 2 ++ 2 files changed, 27 insertions(+), 9 deletions(-) diff --git a/utils.c b/utils.c index 7f09787..6360279 100644 --- a/utils.c +++ b/utils.c @@ -28,7 +28,7 @@ #include "ipsets.h" -static int lock_fd = -1; +static int fw3_lock_fd = -1; static pid_t pipe_pid = -1; static FILE *pipe_fd = NULL; @@ -346,13 +346,13 @@ fw3_has_table(bool ipv6, const char *table) bool -fw3_lock(void) +fw3_lock_path(int *fd, const char *path) { - lock_fd = open(FW3_LOCKFILE, O_CREAT|O_WRONLY, S_IRUSR|S_IWUSR); + int lock_fd = open(path, O_CREAT|O_WRONLY, S_IRUSR|S_IWUSR); if (lock_fd < 0) { - warn("Cannot create lock file %s: %s", FW3_LOCKFILE, strerror(errno)); + warn("Cannot create lock file %s: %s", path, strerror(errno)); return false; } @@ -362,22 +362,38 @@ fw3_lock(void) return false; } + *fd = lock_fd; + return true; } +bool +fw3_lock() +{ + return fw3_lock_path(&fw3_lock_fd, FW3_LOCKFILE); +} + + void -fw3_unlock(void) +fw3_unlock_path(int *fd, const char *lockpath) { - if (lock_fd < 0) + if (*fd < 0) return; - if (flock(lock_fd, LOCK_UN)) + if (flock(*fd, LOCK_UN)) warn("Cannot release exclusive lock: %s", strerror(errno)); - close(lock_fd); + close(*fd); unlink(FW3_LOCKFILE); - lock_fd = -1; + *fd = -1; +} + + +void +fw3_unlock(void) +{ + fw3_unlock_path(&fw3_lock_fd, FW3_LOCKFILE); } diff --git a/utils.h b/utils.h index 1ada0dd..2388072 100644 --- a/utils.h +++ b/utils.h 
@@ -102,6 +102,8 @@ bool fw3_has_table(bool ipv6, const char *table); bool fw3_lock(void); void fw3_unlock(void); +bool fw3_lock_path(int *fw3_lock_fd, const char *path); +void fw3_unlock_path(int *fw3_lock_fd, const char *path); void fw3_write_statefile(void *state);
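
Review bot: in utils.c, fw3_lock_path(), the descriptor now lives in the local lock_fd and reaches the caller only through *fd = lock_fd at the end, so the return false shown as context at the top of the following hunk exits with the file still open and nothing left to close it. Close lock_fd before that return; the second patch calls this function in a retry loop, so each failed attempt there would leak one descriptor.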
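
Review bot: in utils.c, fw3_unlock_path() never uses its lockpath argument: the unchanged context line unlink(FW3_LOCKFILE) still removes the fw3 lock file whichever path was locked, so releasing /var/run/xtables.lock from iptables.c deletes /var/run/fw3.lock instead. If the fw3 lock is held at that moment, another instance can create a fresh file and lock it alongside the first. Use unlink(lockpath), and consider whether a lock file that other tools also lock should be unlinked at all. Separately, fw3_lock() is defined with empty parentheses while utils.h declares fw3_lock(void); keep (void) in the definition.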
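
Review bot: in utils.h, the two new prototypes name their first parameter fw3_lock_fd, the same identifier as the file-scope static in utils.c, and their second parameter path, while the definitions use fd and, for fw3_unlock_path(), lockpath. Use the definitions' names in the header and add a comment stating that *fd receives the open descriptor on success and is reset to -1 by fw3_unlock_path(), since callers now own that storage.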

From patchwork Fri May 17 09:14:46 2019
X-Patchwork-Submitter: Paul Spooren
X-Patchwork-Id: 1100903
From: Paul Spooren
To: openwrt-devel@lists.openwrt.org
Cc: Alexander Couzens, Paul Spooren
Date: Fri, 17 May 2019 11:14:46 +0200
Message-Id: <20190517091446.11260-2-mail@aparcar.org>
In-Reply-To: <20190517091446.11260-1-mail@aparcar.org>
References: <20190517091446.11260-1-mail@aparcar.org>
Subject: [OpenWrt-Devel] [PATCH 2/2] iptables.c: lock the xtables.lock

From: Alexander Couzens

When using fw3 together with other applications or scripts, a race
condition might occur. When fw3 is preparing the new tables, another
application can use the executable `iptables`, which modifies the
kernel tables. libxtables will notice this and fail when fw3 is
committing the changes, resulting in a failed firewall.

Now waits in a while loop until the lock is gone, activates the lock
itself and applies changes.

To reproduce the bug, the following two scripts should run in parallel;
after a few seconds the latter stops and leaves a broken firewall:

    while true; do iptables -N locking; done

and

    while [ "$(iptables -w -L OUTPUT | wc -l)" -gt 2 ]; do fw3 reload; done

The following message will appear

    Warning: iptc_commit(): Resource temporarily unavailable

and connectivity is gone. Tested in an LXC and Qemu container.

Signed-off-by: Alexander Couzens
[fixed waiting for unlock and commit message]
Signed-off-by: Paul Spooren
--- iptables.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/iptables.c b/iptables.c index a095621..559fe7d 100644 --- a/iptables.c +++ b/iptables.c @@ -55,6 +55,8 @@ #include "iptables.h" +#define XT_LOCK_NAME "/var/run/xtables.lock" +static int xt_lock_fd = -1; struct fw3_ipt_rule { struct fw3_ipt_handle *h; @@ -168,6 +170,11 @@ fw3_ipt_open(enum fw3_family family, enum fw3_table table) xtables_init(); + while (!fw3_lock_path(&xt_lock_fd, XT_LOCK_NAME)) { + warn("Currently busy xtables.lock - wait 1 second"); + sleep(1); + } + if (family == FW3_FAMILY_V6) { #ifndef DISABLE_IPV6 @@ -192,6 +199,7 @@ fw3_ipt_open(enum fw3_family family, enum fw3_table table) if (!h->handle) { free(h); + fw3_unlock_path(&xt_lock_fd, XT_LOCK_NAME); return NULL; } @@ -561,6 +569,7 @@ fw3_ipt_commit(struct fw3_ipt_handle *h) void fw3_ipt_close(struct fw3_ipt_handle *h) { + fw3_unlock_path(&xt_lock_fd, XT_LOCK_NAME); free(h); }
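
Review bot: in iptables.c, xt_lock_fd is a single file-scope variable, yet fw3_ipt_open() and fw3_ipt_close() take and release the lock per handle. If a second handle is opened before the first is closed, the stored descriptor is overwritten, and the first fw3_ipt_close() then releases a lock the other handle still relies on. Store the descriptor in struct fw3_ipt_handle, or document that only one handle may be open at a time.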
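
Review bot: in fw3_ipt_open(), the while loop around fw3_lock_path() has no upper bound and reports every failure as "Currently busy xtables.lock". fw3_lock_path() also returns false when open() fails (its own warning is "Cannot create lock file %s: %s"), and in that case this loop repeats both warnings once per second indefinitely. Limit the number of retries or the total wait, and return NULL on a hard error instead of retrying.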
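
Review bot: in fw3_ipt_open(), the !h->handle branch is the only failure return shown releasing the lock. The code between the lock loop and this branch is not part of the diff (the preceding hunk's context ends at #ifndef DISABLE_IPV6); any return in that range needs the same fw3_unlock_path(&xt_lock_fd, XT_LOCK_NAME) call, otherwise the lock stays held until the process exits.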