History log of /external/iptables/iptables/xshared.c
Revision Date Author Comments (<<< Hide modified files) (Show modified files >>>)
93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8 31-May-2013 Phil Oester <kernel@linuxace.com> ip[6]tables: Add locking to prevent concurrent instances

There have been numerous complaints and bug reports over the years when admins
attempt to run more than one instance of iptables simultaneously. Currently
open bug reports which are related:

325: Parallel execution of the iptables is impossible
758: Retry iptables command on transient failure
764: Doing -Z twice in parallel breaks counters
822: iptables shows negative or other bad packet/byte counts

As Patrick notes in 325: "Since this has been a problem people keep running
into, I'd suggest to simply add some locking to iptables to catch the most
common case."

I started looking into alternatives to add locking, and of course the most
common/obvious solution is to use a pidfile. But this has various downsides,
such as if the application is terminated abnormally and the pidfile isn't
cleaned up. And this also requires a writable filesystem. Using a UNIX domain
socket file (e.g. in /var/run) has similar issues.

Starting in 2.2, Linux added support for abstract sockets. These sockets
require no filesystem, and automatically disappear once the application
terminates. This is the locking solution I chose to implement in ip[6]tables.
As an added bonus, since each network namespace has its own socket pool, an
ip[6]tables instance running in one namespace will not lock out an ip[6]tables
instance running in another namespace. A filesystem approach would have
to recognize and handle multiple network namespaces.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/xshared.c
14da56743c6cdf25da35b7b5ca7a5d201771990d 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> src: resolve old macro names that are indirections

Command used:

git grep -f <(pcregrep -hior
'(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/)

and then fix all occurrences.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xshared.c
2dba676b68ef842025f3afecba26cb0b2ae4c09b 18-Jun-2011 Jan Engelhardt <jengelh@medozas.de> extensions: support for per-extension instance "global" variable space

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xshared.c
14190986f87301b18bcc473c842bd82d778d87a2 18-Jun-2011 Jan Engelhardt <jengelh@medozas.de> iptables: consolidate target/match init call

This is useful for the upcoming patch about per-instance auxiliary
data.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xshared.c
780607f8b040a47cd2d4775376e2d30f567dc049 07-Jun-2011 Jan Engelhardt <jengelh@medozas.de> option: fix ignored negation before implicit extension loading

`iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it
was not present in a subsequent `iptables -S`.

Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto
extension, cs.invert must not be touched until the next getopt call.
This is now fixed by having command_default return a value to indicate
whether to jump or not.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xshared.c
033e25a3ad215ee3f5a07f0a3315f74c4abfaced 07-Jun-2011 Jan Engelhardt <jengelh@medozas.de> src: move all iptables pieces into a separate directory

(Unclutter top-level dir)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/xshared.c