[Pkg-netfilter-devel] Bug#816087: iptables is racy by default when used in scripts

Ron ron at debian.org
Sat Feb 27 10:36:57 UTC 2016


Package: iptables
Version: 1.4.21-2+b1
Severity: important

Hi,

So, somewhere between Wheezy and Jessie, iptables started using locking
to avoid racy updates to the kernel state, which means the command line
tool will now sometimes fail with:

 "Another app is currently holding the xtables lock."

Which is good, except that means the command line tool itself has now
introduced race conditions which scripts calling it repeatedly can lose
unless they explicitly pass the -w option to wait for the lock.

The problem seems to be that iptables itself will return before the
xtables lock has been released, so a script calling it multiple times
is prone to fail somewhere in the middle of what it is doing ...


This has been reported and worked around elsewhere, in bugs like:
https://bugs.debian.org/780238

But given that I've only just started to see the problem here in
scripts of our own, I suspect it is far more widespread and things
are failing for far more people in far more places now, possibly
with rather undesirable results.  So it seems like something more
needs to be done to grease the wheels of this transition ...


I'm inclined to think -w should actually be the default, though I
understand that could have the undesirable side effect of deadlocking
in some pathological use cases ...  but at the very least it seems
like the iptables command shouldn't return to the caller until the
lock is really released.  Which would at least make it safe(r) for an
existing single threaded script to call it repeatedly without needing
modification (though it could still get nuked by some other caller
running a command that takes the xtables lock) ...


I'm sure there's more to this than I currently know, so I'll stop
speculating on solutions there until there's some feedback on why
the current behaviour exists.  But I do think this needs to be
either far more widely advertised as an incompatible and dangerous
change, or mitigated in some better way that doesn't make things
which were working in Wheezy gain a new and subtle failure mode
for Jessie and later releases.

  Cheers,
  Ron
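Added example, not part of the report above and not iptables' own code: a POSIX sh wrapper that passes the -w option the report mentions so iptables waits for the xtables lock itself, plus a bounded-retry fallback that recognises the "holding the xtables lock" message for callers that cannot rely on -w. The IPTABLES, XT_RETRIES and XT_SLEEP variable names are assumptions introduced here.

```shell
#!/bin/sh
# Added example: make repeated iptables calls from a script robust
# against the xtables-lock race.  Not from the bug report or iptables.
# Variable names below are assumptions; IPTABLES can be pointed at a
# stub for testing.
: "${IPTABLES:=iptables}"
: "${XT_RETRIES:=10}"   # attempts before giving up (fallback path)
: "${XT_SLEEP:=0.2}"    # pause between attempts (GNU sleep accepts fractions)

# Preferred form: let iptables block until the lock is free.
xt() {
    "$IPTABLES" -w "$@"
}

# Fallback: retry only while the sole reason for failure is that another
# process holds the xtables lock.  Any other error is returned at once.
xt_retry() {
    attempt=1
    while :; do
        out=$("$IPTABLES" "$@" 2>&1) && {
            [ -n "$out" ] && printf '%s\n' "$out"
            return 0
        }
        rc=$?
        case $out in
            *"holding the xtables lock"*)
                if [ "$attempt" -ge "$XT_RETRIES" ]; then
                    printf '%s\n' "$out" >&2   # give up after XT_RETRIES tries
                    return "$rc"
                fi
                attempt=$((attempt + 1))
                sleep "$XT_SLEEP"
                ;;
            *)
                printf '%s\n' "$out" >&2       # a real error, not the lock race
                return "$rc"
                ;;
        esac
    done
}
```

Source this file and replace bare `iptables ...` lines in a script with `xt ...`; `xt_retry` is only for environments where -w is unavailable.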
