
From aa562a660d1555b13cffbac1e744033e91f82707 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 16 Jan 2015 14:21:57 +0100
Subject: iptables: use flock() instead of abstract unix sockets
Abstract unix sockets cannot be used to synchronize several concurrent
instances of iptables since an unprivileged process can create them and
prevent the legitimate iptables instance from running.
Use flock() and /run instead as suggested by Lennart Poettering.
Fixes: 93587a0 ("ip[6]tables: Add locking to prevent concurrent instances")
Reported-by: Lennart Poettering <lennart@poettering.net>
Cc: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/iptables/xshared.c b/iptables/xshared.c
26b15f
index b18022e..7beb86b 100644
26b15f
--- a/iptables/xshared.c
26b15f
+++ b/iptables/xshared.c
26b15f
@@ -9,11 +9,11 @@
26b15f
 #include <sys/socket.h>
26b15f
 #include <sys/un.h>
26b15f
 #include <unistd.h>
26b15f
+#include <fcntl.h>
26b15f
 #include <xtables.h>
26b15f
 #include "xshared.h"
26b15f
 
26b15f
-#define XT_SOCKET_NAME "xtables"
26b15f
-#define XT_SOCKET_LEN 8
26b15f
+#define XT_LOCK_NAME	"/run/xtables.lock"
26b15f
 
26b15f
 /*
26b15f
  * Print out any special helps. A user might like to be able to add a --help
26b15f
@@ -245,22 +245,14 @@ void xs_init_match(struct xtables_match *match)
26b15f
 
26b15f
 bool xtables_lock(int wait)
26b15f
 {
26b15f
-	int i = 0, ret, xt_socket;
26b15f
-	struct sockaddr_un xt_addr;
26b15f
-	int waited = 0;
26b15f
-
26b15f
-	memset(&xt_addr, 0, sizeof(xt_addr));
26b15f
-	xt_addr.sun_family = AF_UNIX;
26b15f
-	strcpy(xt_addr.sun_path+1, XT_SOCKET_NAME);
26b15f
-	xt_socket = socket(AF_UNIX, SOCK_STREAM, 0);
26b15f
-	/* If we can't even create a socket, fall back to prior (lockless) behavior */
26b15f
-	if (xt_socket < 0)
26b15f
+	int fd, waited = 0, i = 0;
26b15f
+
26b15f
+	fd = open(XT_LOCK_NAME, O_CREAT, 0600);
26b15f
+	if (fd < 0)
26b15f
 		return true;
26b15f
 
26b15f
 	while (1) {
26b15f
-		ret = bind(xt_socket, (struct sockaddr*)&xt_addr,
26b15f
-			   offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN);
26b15f
-		if (ret == 0)
26b15f
+		if (flock(fd, LOCK_EX | LOCK_NB) == 0)
26b15f
 			return true;
26b15f
 		else if (wait >= 0 && waited >= wait)
26b15f
 			return false;
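Review bot: The lock descriptor opened at `fd = open(XT_LOCK_NAME, O_CREAT, 0600);` is not marked close-on-exec, and because a flock() lock belongs to the open file description, any child this process forks and execs (a module-loading helper, for instance, if this build spawns one) inherits the descriptor and keeps the lock held for as long as that child lives. Opening with `fd = open(XT_LOCK_NAME, O_CREAT | O_CLOEXEC, 0600);` confines the lock to this process; `<fcntl.h>` is already included by this patch. Separately, the hunk keeps the silent lockless fallback on open() failure (`if (fd < 0) return true;`) but drops the comment that explained it, so a lost lock — an unwritable /run, say — now passes without a trace; at least restore the comment, and consider a warning on stderr so an operator can see that serialization was skipped. The body of xtables_lock continues past the end of the hunk.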
-- 
cgit v0.10.2
commit 6dc53c514f1e4683e51a877b3a2f3128cfccef28
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Feb 16 16:57:39 2015 +0100
    xshared: calm down compilation warning
    
    xshared.c: In function ‘xtables_lock’:
    xshared.c:255:3: warning: implicit declaration of function ‘flock’ [-Wimplicit-function-declaration]
    
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/iptables/xshared.c b/iptables/xshared.c
26b15f
index 7beb86b..81c2581 100644
26b15f
--- a/iptables/xshared.c
26b15f
+++ b/iptables/xshared.c
26b15f
@@ -6,6 +6,7 @@
26b15f
 #include <stdio.h>
26b15f
 #include <stdlib.h>
26b15f
 #include <string.h>
26b15f
+#include <sys/file.h>
26b15f
 #include <sys/socket.h>
26b15f
 #include <sys/un.h>
26b15f
 #include <unistd.h>