diff --git a/SOURCES/ebtables-2.0.10-flock.patch b/SOURCES/ebtables-2.0.10-flock.patch new file mode 100644 index 0000000..b1d59a7 --- /dev/null +++ b/SOURCES/ebtables-2.0.10-flock.patch @@ -0,0 +1,126 @@ +From 03df255180677b86eb058866be668063fcc6f598 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 6 Oct 2017 12:48:50 +0200 +Subject: [PATCH] Use flock() for --concurrent option + +The previous locking mechanism was not atomic, hence it was possible +that a killed ebtables process would leave the lock file in place which +in turn made future ebtables processes wait indefinitely for the lock to +become free. + +Fix this by using flock(). This also simplifies code quite a bit because +there is no need for a custom signal handler or an __exit routine +anymore. + +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Phil Sutter +--- + ebtables.c | 8 -------- + libebtc.c | 49 +++++-------------------------------------------- + 2 files changed, 5 insertions(+), 52 deletions(-) + +diff --git a/ebtables.c b/ebtables.c +index 62f1ba80063d8..f7dfccf4b2f31 100644 +--- a/ebtables.c ++++ b/ebtables.c +@@ -528,12 +528,6 @@ void ebt_early_init_once() + ebt_iterate_targets(merge_target); + } + +-/* signal handler, installed when the option --concurrent is specified. */ +-static void sighandler(int signum) +-{ +- exit(-1); +-} +- + /* We use exec_style instead of #ifdef's because ebtables.so is a shared object. */ + int do_command(int argc, char *argv[], int exec_style, + struct ebt_u_replace *replace_) +@@ -1047,8 +1041,6 @@ big_iface_length: + strcpy(replace->filename, optarg); + break; + case 13 : /* concurrent */ +- signal(SIGINT, sighandler); +- signal(SIGTERM, sighandler); + use_lockfd = 1; + break; + case 1 : +diff --git a/libebtc.c b/libebtc.c +index b0814213b6b06..ab3429577a1f1 100644 +--- a/libebtc.c ++++ b/libebtc.c +@@ -31,6 +31,7 @@ + #include "include/ethernetdb.h" + #include + #include ++#include + #include + #include + #include +@@ -137,58 +138,18 @@ void ebt_list_extensions() + #define LOCKDIR "/run" + #define LOCKFILE LOCKDIR"/ebtables.lock" + #endif +-static int lockfd = -1, locked; + int use_lockfd; + /* Returns 0 on success, -1 when the file is locked by another process + * or -2 on any other error. */ + static int lock_file() + { +- int try = 0; +- int ret = 0; +- sigset_t sigset; +- +-tryagain: +- /* the SIGINT handler will call unlock_file. To make sure the state +- * of the variable locked is correct, we need to temporarily mask the +- * SIGINT interrupt. */ +- sigemptyset(&sigset); +- sigaddset(&sigset, SIGINT); +- sigprocmask(SIG_BLOCK, &sigset, NULL); +- lockfd = open(LOCKFILE, O_CREAT | O_EXCL | O_WRONLY, 00600); +- if (lockfd < 0) { +- if (errno == EEXIST) +- ret = -1; +- else if (try == 1) +- ret = -2; +- else { +- if (mkdir(LOCKDIR, 00700)) +- ret = -2; +- else { +- try = 1; +- goto tryagain; +- } +- } +- } else { +- close(lockfd); +- locked = 1; +- } +- sigprocmask(SIG_UNBLOCK, &sigset, NULL); +- return ret; +-} ++ int fd = open(LOCKFILE, O_CREAT, 00600); + +-void unlock_file() +-{ +- if (locked) { +- remove(LOCKFILE); +- locked = 0; +- } ++ if (fd < 0) ++ return -2; ++ return flock(fd, LOCK_EX); + } + +-void __attribute__ ((destructor)) onexit() +-{ +- if (use_lockfd) +- unlock_file(); +-} + /* Get the table from the kernel or from a binary file + * init: 1 = ask the kernel for the initial contents of a table, i.e. the + * way it looks when the table is insmod'ed +-- +2.13.1 + diff --git a/SPECS/ebtables.spec b/SPECS/ebtables.spec index 3d27836..5c1751e 100644 --- a/SPECS/ebtables.spec +++ b/SPECS/ebtables.spec @@ -2,7 +2,7 @@ Name: ebtables Version: 2.0.10 -Release: 15%{?dist} +Release: 16%{?dist} Summary: Ethernet Bridge frame table administration tool License: GPLv2+ Group: System Environment/Base @@ -17,6 +17,7 @@ Patch4: ebtables-2.0.10-linkfix.patch Patch5: ebtables-2.0.0-audit.patch Patch6: ebtables-2.0.10-noflush.patch Patch7: ebtables-2.0.10-lockdirfix.patch +Patch8: ebtables-2.0.10-flock.patch BuildRequires: systemd-units Requires(post): systemd Requires(preun): systemd @@ -42,6 +43,7 @@ like iptables. There are no known incompatibility issues. %patch5 -p1 -b .AUDIT %patch6 -p1 -b .noflush %patch7 -p1 -b .lockdir +%patch8 -p1 -b .flock # Convert to UTF-8 f=THANKS; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f @@ -98,6 +100,9 @@ mv %{buildroot}/%{_lib}/ebtables/libebtc.so %{buildroot}/%{_lib}/ %ghost %{_sysconfdir}/sysconfig/ebtables.broute %changelog +* Wed Oct 25 2017 Phil Sutter - 2.0.10-16 +- Fix for potentially stale lock files (RHBZ#1495893) + * Thu Jun 30 2016 Thomas Woerner - 2.0.10-15 - Backported lockdirfix to use (/var)/run from Fedora (RHBZ#1346376)