[Pkg-netfilter-devel] Bug#816087: iptables is racy by default when used in scripts
Ben Hutchings
ben at decadent.org.uk
Sun Sep 25 17:57:25 UTC 2016
On Mon, 2016-09-26 at 02:29 +0930, Ron wrote:
[...]
> I would have thought that waiting by default would probably be the
> more 'backward compatible' option - though that said, if I'm correct
> about the problem I saw in the script above, then defaulting to
> waiting could potentially deadlock (empirically it hasn't so far with
> -w added manually, but if both -L and -F take the same lock, then that
> loop actually needs to be rewritten to be properly safe now ...)
>
>
> So maybe the current behaviour _is_ the 'safest' change, and really
> the only way to fix this is to audit everything calling iptables now :/
> Either option seems to have its own flavour of eww ...
It seems like the waiting behaviour could be improved by:
1. Not locking for read-only commands like 'iptables -L' (reading a
table is already atomic so it shouldn't be needed).
2. Adding a timeout to break deadlocks.
Ben.
--
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot
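To illustrate the two ways a script can cope with the xtables lock that this thread discusses, here is an added example (not code from the bug report, from Debian, or from the iptables project): a POSIX shell wrapper that either hands iptables a bounded `-w` wait, or, on an iptables whose `-w` takes no timeout, retries a bounded number of times instead of failing at the first "another app is holding the xtables lock" error. The variable names `IPTABLES_BIN`, `XT_WAIT`, `XT_RETRIES` and `XT_RETRY_DELAY` and the function names are assumptions of this example; the only iptables facts relied on are the `-w` option and iptables' exit status 4 (RESOURCE_PROBLEM) when it cannot take the lock.

```shell
#!/bin/sh
# Added example: wrapper for scripts that call iptables and must not fail
# spuriously because another process holds the xtables lock.
# IPTABLES_BIN, XT_WAIT, XT_RETRIES and XT_RETRY_DELAY are names assumed by
# this example, not iptables options.
: "${IPTABLES_BIN:=iptables}"   # binary to run (overridable, e.g. for testing)
: "${XT_WAIT:=5}"               # seconds handed to -w where iptables accepts a timeout
: "${XT_RETRIES:=5}"            # attempts made when the lock is busy
: "${XT_RETRY_DELAY:=1}"        # seconds to sleep between attempts

# ipt_wait: let iptables itself wait for the lock, but only for XT_WAIT
# seconds, so a stuck lock holder cannot hang the script forever.
ipt_wait() {
    "$IPTABLES_BIN" -w "$XT_WAIT" "$@"
}

# ipt_retry: fallback for an iptables whose -w has no timeout argument.
# iptables exits with status 4 (RESOURCE_PROBLEM) when it cannot take the
# lock; that is the only status worth retrying.  Any other failure is a
# genuine error (bad rule, missing chain, ...) and is returned at once.
ipt_retry() {
    attempt=1
    while :; do
        "$IPTABLES_BIN" "$@"
        rc=$?
        [ "$rc" -ne 4 ] && return "$rc"            # success or a real error
        [ "$attempt" -ge "$XT_RETRIES" ] && return "$rc"   # give up: lock still busy
        attempt=$((attempt + 1))
        sleep "$XT_RETRY_DELAY"
    done
}

# Usage in a script that rebuilds a chain (each call is one lock acquisition,
# so sequential calls from the same script cannot deadlock each other):
#   ipt_wait -F INPUT
#   ipt_wait -A INPUT -i lo -j ACCEPT
#   ipt_retry -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

Both wrappers keep the wait bounded, which is the point of Ben's second suggestion: a script that blocks indefinitely on the lock is as much of an operational problem as one that silently skips rules, and an explicit timeout turns either into a visible, logged failure.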