From patchwork Thu Dec 23 15:32:44 2021
X-Patchwork-Submitter: Jethro Beekman
X-Patchwork-Id: 1572777
X-Patchwork-Delegate: pablo@netfilter.org
From: Jethro Beekman
Subject: [PATCH iptables] xshared: Implement xtables lock timeout using signals
To: netfilter-devel@vger.kernel.org
Message-ID: <256b8216-77db-cc28-4099-30c7dafb986e@fortanix.com>
Date: Thu, 23 Dec 2021 16:32:44 +0100

Previously, if a lock timeout is specified using `-w`, flock() is called using LOCK_NB in a loop with a sleep. This results in two issues.

The first issue is that the process may wait longer than necessary when the lock becomes available. For this the `-W` option was added, but this requires fine-tuning.

The second issue is that if lock contention is high, invocations using `-w` without a timeout will always win lock acquisition from invocations that use `-w` *with* a timeout. This is because invocations using `-w` are actively waiting on the lock whereas the others only check from time to time whether the lock is free, which will never be the case.

This patch removes the `-W` option and the sleep loop. Instead, flock() is always called in a blocking fashion, but the alarm() function is used with a non-SA_RESTART signal handler to cancel the system call.

Signed-off-by: Jethro Beekman
--- iptables/ip6tables.c | 7 +-- iptables/iptables-restore.8.in | 7 --- iptables/iptables-restore.c | 13 ++-- iptables/iptables.8.in | 7 --- iptables/iptables.c | 7 +-- .../testcases/ipt-restore/0002-parameters_0 | 3 +- iptables/xshared.c | 61 ++++++++----------- iptables/xshared.h | 5 +- 8 files changed, 37 insertions(+), 73 deletions(-) diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index b4604f83..46059785 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -725,9 +725,6 @@ int do_command6(int argc, char *argv[], char **table, int verbose = 0; int wait = 0; - struct timeval wait_interval = { - .tv_sec = 1, - }; bool wait_interval_set = false; const char *chain = NULL; const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; 
@@ -994,7 +991,7 @@ int do_command6(int argc, char *argv[], char **table, "You cannot use `-W' from " "ip6tables-restore"); } - parse_wait_interval(argc, argv, &wait_interval); + parse_wait_interval(argc, argv); wait_interval_set = true; break; @@ -1162,7 +1159,7 @@ int do_command6(int argc, char *argv[], char **table, /* Attempt to acquire the xtables lock */ if (!restore) - xtables_lock_or_exit(wait, &wait_interval); + xtables_lock_or_exit(wait); /* only allocate handle if we weren't called with a handle */ if (!*handle) diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in index b4b62f92..e6144c75 100644 --- a/iptables/iptables-restore.8.in +++ b/iptables/iptables-restore.8.in @@ -66,13 +66,6 @@ the program will exit if the lock cannot be obtained. This option will make the program wait (indefinitely or for optional \fIseconds\fP) until the exclusive lock can be obtained. .TP -\fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP -Interval to wait per each iteration. -When running latency sensitive applications, waiting for the xtables lock -for extended durations may not be acceptable. This option will make each -iteration take the amount of time specified. The default interval is -1 second. This option only works with \fB\-w\fP. -.TP \fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP Specify the path to the modprobe program. By default, iptables-restore will inspect /proc/sys/kernel/modprobe to determine the executable's path. diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c index a3efb067..5b238d3e 100644 --- a/iptables/iptables-restore.c +++ b/iptables/iptables-restore.c @@ -22,10 +22,6 @@ static int counters, verbose, noflush, wait; -static struct timeval wait_interval = { - .tv_sec = 1, -}; - /* Keeping track of external matches and targets. */ static const struct option options[] = { {.name = "counters", .has_arg = 0, .val = 'c'}, 
@@ -51,7 +47,6 @@ static void print_usage(const char *name, const char *version) " [ --help ]\n" " [ --noflush ]\n" " [ --wait=\n" - " [ --wait-interval=\n" " [ --table= ]\n" " [ --modprobe= ]\n", name); } @@ -101,6 +96,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb, FILE *in; int in_table = 0, testing = 0; const char *tablename = NULL; + bool wait_interval_set = false; line = 0; lock = XT_LOCK_NOT_ACQUIRED; @@ -135,7 +131,8 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb, wait = parse_wait_time(argc, argv); break; case 'W': - parse_wait_interval(argc, argv, &wait_interval); + parse_wait_interval(argc, argv); + wait_interval_set = true; break; case 'M': xtables_modprobe_program = optarg; @@ -165,7 +162,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb, } else in = stdin; - if (!wait_interval.tv_sec && !wait) { + if (wait_interval_set && !wait) { fprintf(stderr, "Option --wait-interval requires option --wait\n"); exit(1); } @@ -203,7 +200,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb, in_table = 0; } else if ((buffer[0] == '*') && (!in_table)) { /* Acquire a lock before we create a new table handle */ - lock = xtables_lock_or_exit(wait, &wait_interval); + lock = xtables_lock_or_exit(wait); /* New table */ char *table; diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in index 759ec54f..99252884 100644 --- a/iptables/iptables.8.in +++ b/iptables/iptables.8.in 
@@ -373,13 +373,6 @@ the program will exit if the lock cannot be obtained. This option will make the program wait (indefinitely or for optional \fIseconds\fP) until the exclusive lock can be obtained. .TP -\fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP -Interval to wait per each iteration. -When running latency sensitive applications, waiting for the xtables lock -for extended durations may not be acceptable. This option will make each -iteration take the amount of time specified. The default interval is -1 second. This option only works with \fB\-w\fP. -.TP \fB\-n\fP, \fB\-\-numeric\fP Numeric output. IP addresses and port numbers will be printed in numeric format. diff --git a/iptables/iptables.c b/iptables/iptables.c index 7dc4cbc1..ab0a417a 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -707,9 +707,6 @@ int do_command4(int argc, char *argv[], char **table, unsigned int nsaddrs = 0, ndaddrs = 0; struct in_addr *saddrs = NULL, *smasks = NULL; struct in_addr *daddrs = NULL, *dmasks = NULL; - struct timeval wait_interval = { - .tv_sec = 1, - }; bool wait_interval_set = false; int verbose = 0; int wait = 0; @@ -975,7 +972,7 @@ int do_command4(int argc, char *argv[], char **table, "You cannot use `-W' from " "iptables-restore"); } - parse_wait_interval(argc, argv, &wait_interval); + parse_wait_interval(argc, argv); wait_interval_set = true; break; @@ -1140,7 +1137,7 @@ int do_command4(int argc, char *argv[], char **table, /* Attempt to acquire the xtables lock */ if (!restore) - xtables_lock_or_exit(wait, &wait_interval); + xtables_lock_or_exit(wait); /* only allocate handle if we weren't called with a handle */ if (!*handle) diff --git a/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 b/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 index 5c8748ec..d632cbc0 100755 --- a/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 +++ b/iptables/tests/shell/testcases/ipt-restore/0002-parameters_0 
@@ -2,7 +2,7 @@ set -e -# make sure wait and wait-interval options are accepted +# make sure wait options are accepted clean_tempfile() { @@ -18,4 +18,3 @@ tmpfile=$(mktemp) || exit 1 $XT_MULTI iptables-save -f $tmpfile $XT_MULTI iptables-restore $tmpfile $XT_MULTI iptables-restore -w 5 $tmpfile -$XT_MULTI iptables-restore -w 5 -W 1 $tmpfile diff --git a/iptables/xshared.c b/iptables/xshared.c index efee7a30..c727a301 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -13,11 +13,11 @@ #include #include #include -#include #include #include #include #include +#include #include "xshared.h" /* @@ -243,14 +243,14 @@ void xs_init_match(struct xtables_match *match) match->init(match->m); } -static int xtables_lock(int wait, struct timeval *wait_interval) +static void alarm_ignore(int i) { +} + +static int xtables_lock(int wait) { - struct timeval time_left, wait_time; + struct sigaction sigact_alarm; const char *lock_file; - int fd, i = 0; - - time_left.tv_sec = wait; - time_left.tv_usec = 0; + int fd; lock_file = getenv("XTABLES_LOCKFILE"); if (lock_file == NULL || lock_file[0] == '\0') 
@@ -263,31 +263,24 @@ static int xtables_lock(int wait, struct timeval *wait_interval) return XT_LOCK_FAILED; } - if (wait == -1) { - if (flock(fd, LOCK_EX) == 0) - return fd; - - fprintf(stderr, "Can't lock %s: %s\n", lock_file, - strerror(errno)); - return XT_LOCK_BUSY; + if (wait != -1) { + sigact_alarm.sa_handler = alarm_ignore; + sigact_alarm.sa_flags = SA_RESETHAND; + sigemptyset(&sigact_alarm.sa_mask); + sigaction(SIGALRM, &sigact_alarm, NULL); + alarm(wait); } - while (1) { - if (flock(fd, LOCK_EX | LOCK_NB) == 0) - return fd; - else if (timercmp(&time_left, wait_interval, <)) - return XT_LOCK_BUSY; + if (flock(fd, LOCK_EX) == 0) + return fd; - if (++i % 10 == 0) { - fprintf(stderr, "Another app is currently holding the xtables lock; " - "still %lds %ldus time ahead to have a chance to grab the lock...\n", - time_left.tv_sec, time_left.tv_usec); - } - - wait_time = *wait_interval; - select(0, NULL, NULL, NULL, &wait_time); - timersub(&time_left, wait_interval, &time_left); + if (errno == EINTR) { + errno = EWOULDBLOCK; } + + fprintf(stderr, "Can't lock %s: %s\n", lock_file, + strerror(errno)); + return XT_LOCK_BUSY; } void xtables_unlock(int lock) @@ -296,9 +289,9 @@ void xtables_unlock(int lock) close(lock); } -int xtables_lock_or_exit(int wait, struct timeval *wait_interval) +int xtables_lock_or_exit(int wait) { - int lock = xtables_lock(wait, wait_interval); + int lock = xtables_lock(wait); if (lock == XT_LOCK_FAILED) { xtables_free_opts(1); @@ -334,7 +327,7 @@ int parse_wait_time(int argc, char *argv[]) return wait; } -void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval) +void parse_wait_interval(int argc, char *argv[]) { const char *arg; unsigned int usec; 
@@ -354,8 +347,7 @@ void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval) "too long usec wait %u > 999999 usec", usec); - wait_interval->tv_sec = 0; - wait_interval->tv_usec = usec; + fprintf(stderr, "Ignoring deprecated --wait-interval option.\n"); return; } xtables_error(PARAMETER_PROBLEM, "wait interval not numeric"); @@ -1235,9 +1227,6 @@ xtables_printhelp(const struct xtables_rule_match *matches) " --table -t table table to manipulate (default: `filter')\n" " --verbose -v verbose mode\n" " --wait -w [seconds] maximum wait to acquire xtables lock before give up\n" -" --wait-interval -W [usecs] wait time to try to acquire xtables lock\n" -" interval to wait for xtables lock\n" -" default is 1 second\n" " --line-numbers print line numbers when listing\n" " --exact -x expand numbers (display exact values)\n"); diff --git a/iptables/xshared.h b/iptables/xshared.h index 2c05b0d7..a524622e 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -6,7 +6,6 @@ #include #include #include -#include #include #include #include @@ -189,10 +188,10 @@ enum { XT_LOCK_NOT_ACQUIRED = -3, }; extern void xtables_unlock(int lock); -extern int xtables_lock_or_exit(int wait, struct timeval *tv); +extern int xtables_lock_or_exit(int wait); int parse_wait_time(int argc, char *argv[]); -void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval); +void parse_wait_interval(int argc, char *argv[]); int parse_counters(const char *string, struct xt_counters *ctr); bool tokenize_rule_counters(char **bufferp, char **pcnt, char **bcnt, int line); bool xs_has_arg(int argc, char *argv[]);
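Review bot: In the iptables/xshared.c hunk at @@ -263,31 +263,24, wait == 0 now blocks instead of failing fast. The new guard is `if (wait != -1)`, so the default `int wait = 0` reaches `alarm(0)`, which arms no timer, and the following `flock(fd, LOCK_EX)` then waits indefinitely. The removed loop returned XT_LOCK_BUSY after a single `LOCK_EX | LOCK_NB` attempt in that case, which is what the unchanged man page text ("the program will exit if the lock cannot be obtained") still promises. Suggest handling wait == 0 with a non-blocking flock() before the alarm path. Separately, the timer is never cancelled on success, so a lock obtained before the deadline leaves SIGALRM pending and it can later interrupt an unrelated system call with EINTR; call `alarm(0)` once flock() returns, and check the return value of sigaction().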
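Review bot: Missing test coverage in the ipt-restore/0002-parameters_0 hunk at @@ -18,4 +18,3, which drops the only `-W` invocation even though parse_wait_interval() still accepts the option and only prints "Ignoring deprecated --wait-interval option." Keeping `$XT_MULTI iptables-restore -w 5 -W 1 $tmpfile` would confirm that existing scripts passing `-W` still succeed. The patch also adds no case for the new path where alarm() interrupts a blocked flock(); a test that holds the lock and expects a `-w 1` invocation to fail would cover it.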
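Review bot: Missing documentation for the deprecated option in the man page hunks (iptables-restore.8.in @@ -66,13 +66,6 and iptables.8.in @@ -373,13 +373,6), which delete the `-W` entry outright. The commit message says the option is removed, but the code still parses `-W`, validates its argument, and keeps the "Option --wait-interval requires option --wait" error in iptables-restore.c. Suggest a short entry stating that `-W` is deprecated and ignored, so that users who see the stderr warning can find it documented.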