From ddf218fe18f9a24d06af53b9c4a599fd63c57cbe Mon Sep 17 00:00:00 2001
From: yangl777
Date: Mon, 18 Aug 2025 08:06:57 +0000
Subject: [PATCH] iptables-legacy:Fix for mandatory lock waiting
---
 ...egacy-Fix-for-mandatory-lock-waiting.patch | 119 ++++++++++++++++++
 ...l-iptables-0010-wait_0-is-unreliable.patch | 36 ++++++
 iptables.spec | 10 +-
 3 files changed, 164 insertions(+), 1 deletion(-)
 create mode 100644 backport-iptables-legacy-Fix-for-mandatory-lock-waiting.patch
 create mode 100644 backport-tests-shell-iptables-0010-wait_0-is-unreliable.patch
diff --git a/backport-iptables-legacy-Fix-for-mandatory-lock-waiting.patch b/backport-iptables-legacy-Fix-for-mandatory-lock-waiting.patch
new file mode 100644
index 0000000..47cf8c5
--- /dev/null
+++ b/backport-iptables-legacy-Fix-for-mandatory-lock-waiting.patch
@@ -0,0 +1,119 @@
+From 63ab5b8906f6913a14d38ec231f21daa760339a9 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 19 Dec 2023 00:56:07 +0100
+Subject: iptables-legacy: Fix for mandatory lock waiting
+
+Parameter 'wait' passed to xtables_lock() signals three modes of
+operation, depending on its value:
+
+ 0: --wait not specified, do not wait if lock is busy
+-1: --wait specified without value, wait indefinitely until lock becomes
+ free
+>0: Wait for 'wait' seconds for lock to become free, abort otherwise
+
+Since fixed commit, the first two cases were treated the same apart from
+calling alarm(0), but that is a nop if no alarm is pending. Fix the code
+by requesting a non-blocking flock() in the second case. While at it,
+restrict the alarm setup to the third case only.
+
+Cc: Jethro Beekman
+Cc: howardjohn@google.com
+Cc: Antonio Ojea
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1728
+Fixes: 07e2107ef0cbc ("xshared: Implement xtables lock timeout using signals")
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=63ab5b8906f6913a14d38ec231f21daa760339a9
+---
+ .../tests/shell/testcases/iptables/0010-wait_0 | 55 ++++++++++++++++++++++
+ iptables/xshared.c | 4 +-
+ 2 files changed, 57 insertions(+), 2 deletions(-)
+ create mode 100755 iptables/tests/shell/testcases/iptables/0010-wait_0
+
+diff --git a/iptables/tests/shell/testcases/iptables/0010-wait_0 b/iptables/tests/shell/testcases/iptables/0010-wait_0
+new file mode 100755
+index 00000000..4481f966
+--- /dev/null
++++ b/iptables/tests/shell/testcases/iptables/0010-wait_0
+@@ -0,0 +1,55 @@
++#!/bin/bash
++
++case "$XT_MULTI" in
++*xtables-legacy-multi)
++ ;;
++*)
++ echo skip $XT_MULTI
++ exit 0
++ ;;
++esac
++
++coproc RESTORE { $XT_MULTI iptables-restore; }
++echo "*filter" >&${RESTORE[1]}
++
++
++$XT_MULTI iptables -A FORWARD -j ACCEPT &
++ipt_pid=$!
++
++waitpid -t 1 $ipt_pid
++[[ $? -eq 3 ]] && {
++ echo "process waits when it should not"
++ exit 1
++}
++wait $ipt_pid
++[[ $? -eq 0 ]] && {
++ echo "process exited 0 despite busy lock"
++ exit 1
++}
++
++t0=$(date +%s)
++$XT_MULTI iptables -w 3 -A FORWARD -j ACCEPT
++t1=$(date +%s)
++[[ $((t1 - t0)) -ge 3 ]] || {
++ echo "wait time not expired"
++ exit 1
++}
++
++$XT_MULTI iptables -w -A FORWARD -j ACCEPT &
++ipt_pid=$!
++
++waitpid -t 3 $ipt_pid
++[[ $? -eq 3 ]] || {
++ echo "no indefinite wait"
++ exit 1
++}
++kill $ipt_pid
++waitpid -t 3 $ipt_pid
++[[ $? -eq 3 ]] && {
++ echo "killed waiting iptables call did not exit in time"
++ exit 1
++}
++
++kill $RESTORE_PID
++wait
++exit 0
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 5cae62b4..43fa929d 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -270,7 +270,7 @@ static int xtables_lock(int wait)
+ return XT_LOCK_FAILED;
+ }
+
+- if (wait != -1) {
++ if (wait > 0) {
+ sigact_alarm.sa_handler = alarm_ignore;
+ sigact_alarm.sa_flags = SA_RESETHAND;
+ sigemptyset(&sigact_alarm.sa_mask);
+@@ -278,7 +278,7 @@ static int xtables_lock(int wait)
+ alarm(wait);
+ }
+
+- if (flock(fd, LOCK_EX) == 0)
++ if (flock(fd, LOCK_EX | (wait ? 0 : LOCK_NB)) == 0)
+ return fd;
+
+ if (errno == EINTR) {
+--
+cgit v1.2.3
+
diff --git a/backport-tests-shell-iptables-0010-wait_0-is-unreliable.patch b/backport-tests-shell-iptables-0010-wait_0-is-unreliable.patch
new file mode 100644
index 0000000..9dbc12e
--- /dev/null
+++ b/backport-tests-shell-iptables-0010-wait_0-is-unreliable.patch
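Review bot: The EWOULDBLOCK failure that `flock(fd, LOCK_EX | (wait ? 0 : LOCK_NB))` now produces for wait == 0 is handled below the visible lines — only the `errno == EINTR` branch is shown and xtables_lock()'s body continues outside the hunk — so it is worth confirming that the fall-through reports the lock as busy rather than as a generic lock failure. The backported 0010-wait_0 test only checks that the call neither waits nor exits 0, so it would not catch a wrong status there. The two new conditions also leave any value below -1 on the blocking path with no alarm armed; whether a caller can pass such a value is not visible here. Since the three supported values are documented only in the commit message, a comment above the function such as `/* wait: 0 = fail immediately if busy, -1 = block indefinitely, >0 = block at most 'wait' seconds */` would keep that contract next to the code.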
@@ -0,0 +1,36 @@
+From ffcf95e18c48b6a86acffb1630d65b07293581b5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 6 Nov 2024 15:55:29 +0100
+Subject: tests: shell: iptables/0010-wait_0 is unreliable
+
+Sometimes the test would fail, especially after removing
+/run/xtables.lock file. Looks like the supposedly blocking
+iptables-restore coproc sometimes takes a moment to set things up.
+
+Fixes: 63ab5b8906f69 ("iptables-legacy: Fix for mandatory lock waiting")
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=ffcf95e18c48b6a86acffb1630d65b07293581b5
+---
+ iptables/tests/shell/testcases/iptables/0010-wait_0 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+(limited to 'iptables/tests/shell/testcases/iptables/0010-wait_0')
+
+diff --git a/iptables/tests/shell/testcases/iptables/0010-wait_0 b/iptables/tests/shell/testcases/iptables/0010-wait_0
+index 4481f966..37a7a58f 100755
+--- a/iptables/tests/shell/testcases/iptables/0010-wait_0
++++ b/iptables/tests/shell/testcases/iptables/0010-wait_0
+@@ -11,7 +11,7 @@ esac
+
+ coproc RESTORE { $XT_MULTI iptables-restore; }
+ echo "*filter" >&${RESTORE[1]}
+-
++sleep 0.5
+
+ $XT_MULTI iptables -A FORWARD -j ACCEPT &
+ ipt_pid=$!
+--
+cgit v1.2.3
+
diff --git a/iptables.spec b/iptables.spec
index b96c4b0..505d269 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -2,7 +2,7 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name: iptables
 Version: 1.8.9
-Release: 11
+Release: 12
 Summary: IP packet filter administration utilities
 License: GPL-2.0-only and Artistic-2.0
 URL: https://www.netfilter.org/
@@ -32,6 +32,8 @@ Patch15: tests-extensions-add-some-testcases.patch
 Patch16: backport-extensions-recent-Fix-format-string-for-unsigned-values.patch
 Patch17: backport-nft-cmd-Init-struct-nft_cmd-head-early.patch
 Patch18: backport-ip6tables-Fix-checking-existence-of-rule.patch
+Patch19: backport-iptables-legacy-Fix-for-mandatory-lock-waiting.patch
+Patch20: backport-tests-shell-iptables-0010-wait_0-is-unreliable.patch
 BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
@@ -343,6 +345,12 @@ fi
 %{_datadir}/xtables/iptables.xslt
 %changelog
+* Mon Aug 18 2025 yanglu - 1.8.9-12
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:iptables-legacy:Fix for mandatory lock waiting
+
 * Wed Jul 30 2025 yanglu - 1.8.9-11
 - Type:bugfix
 - CVE:NA
-- Gitee