|
 |
2b7d2b |
From aa562a660d1555b13cffbac1e744033e91f82707 Mon Sep 17 00:00:00 2001
|
|
|
2b7d2b |
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
2b7d2b |
Date: Fri, 16 Jan 2015 14:21:57 +0100
|
|
|
2b7d2b |
Subject: iptables: use flock() instead of abstract unix sockets
|
|
|
2b7d2b |
|
|
|
2b7d2b |
Abstract unix sockets cannot be used to synchronize several concurrent
|
|
|
2b7d2b |
instances of iptables since an unpriviledged process can create them and
|
|
|
2b7d2b |
prevent the legitimate iptables instance from running.
|
|
|
2b7d2b |
|
|
|
2b7d2b |
Use flock() and /run instead as suggested by Lennart Poettering.
|
|
|
2b7d2b |
|
|
|
2b7d2b |
Fixes: 93587a0 ("ip[6]tables: Add locking to prevent concurrent instances")
|
|
|
2b7d2b |
Reported-by: Lennart Poettering <lennart@poettering.net>
|
|
|
2b7d2b |
Cc: Phil Oester <kernel@linuxace.com>
|
|
|
2b7d2b |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
2b7d2b |
|
|
|
2b7d2b |
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
|
|
2b7d2b |
index b18022e..7beb86b 100644
|
|
|
2b7d2b |
--- a/iptables/xshared.c
|
|
|
2b7d2b |
+++ b/iptables/xshared.c
|
|
|
2b7d2b |
@@ -9,11 +9,11 @@
|
|
|
2b7d2b |
#include <sys/socket.h>
|
|
|
2b7d2b |
#include <sys/un.h>
|
|
|
2b7d2b |
#include <unistd.h>
|
|
|
2b7d2b |
+#include <fcntl.h>
|
|
|
2b7d2b |
#include <xtables.h>
|
|
|
2b7d2b |
#include "xshared.h"
|
|
|
2b7d2b |
|
|
|
2b7d2b |
-#define XT_SOCKET_NAME "xtables"
|
|
|
2b7d2b |
-#define XT_SOCKET_LEN 8
|
|
|
2b7d2b |
+#define XT_LOCK_NAME "/run/xtables.lock"
|
|
|
2b7d2b |
|
|
|
2b7d2b |
/*
|
|
|
2b7d2b |
* Print out any special helps. A user might like to be able to add a --help
|
|
|
2b7d2b |
@@ -245,22 +245,14 @@ void xs_init_match(struct xtables_match *match)
|
|
|
2b7d2b |
|
|
|
2b7d2b |
bool xtables_lock(int wait)
|
|
|
2b7d2b |
{
|
|
|
2b7d2b |
- int i = 0, ret, xt_socket;
|
|
|
2b7d2b |
- struct sockaddr_un xt_addr;
|
|
|
2b7d2b |
- int waited = 0;
|
|
|
2b7d2b |
-
|
|
|
2b7d2b |
- memset(&xt_addr, 0, sizeof(xt_addr));
|
|
|
2b7d2b |
- xt_addr.sun_family = AF_UNIX;
|
|
|
2b7d2b |
- strcpy(xt_addr.sun_path+1, XT_SOCKET_NAME);
|
|
|
2b7d2b |
- xt_socket = socket(AF_UNIX, SOCK_STREAM, 0);
|
|
|
2b7d2b |
- /* If we can't even create a socket, fall back to prior (lockless) behavior */
|
|
|
2b7d2b |
- if (xt_socket < 0)
|
|
|
2b7d2b |
+ int fd, waited = 0, i = 0;
|
|
|
2b7d2b |
+
|
|
|
2b7d2b |
+ fd = open(XT_LOCK_NAME, O_CREAT, 0600);
|
|
|
2b7d2b |
+ if (fd < 0)
|
|
|
2b7d2b |
return true;
|
|
|
2b7d2b |
|
|
|
2b7d2b |
while (1) {
|
|
|
2b7d2b |
- ret = bind(xt_socket, (struct sockaddr*)&xt_addr,
|
|
|
2b7d2b |
- offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN);
|
|
|
2b7d2b |
- if (ret == 0)
|
|
|
2b7d2b |
+ if (flock(fd, LOCK_EX | LOCK_NB) == 0)
|
|
|
2b7d2b |
return true;
|
|
|
2b7d2b |
else if (wait >= 0 && waited >= wait)
|
|
|
2b7d2b |
return false;
|
|
|
2b7d2b |
--
|
|
|
2b7d2b |
cgit v0.10.2
|
|
|
2b7d2b |
|
|
|
2b7d2b |
commit 6dc53c514f1e4683e51a877b3a2f3128cfccef28
|
|
|
2b7d2b |
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
2b7d2b |
Date: Mon Feb 16 16:57:39 2015 +0100
|
|
|
2b7d2b |
|
|
|
2b7d2b |
xshared: calm down compilation warning
|
|
|
2b7d2b |
|
|
|
2b7d2b |
xshared.c: In function ‘xtables_lock’:
|
|
|
2b7d2b |
xshared.c:255:3: warning: implicit declaration of function ‘flock’ [-Wimplicit-function-declaration]
|
|
|
2b7d2b |
|
|
|
2b7d2b |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
2b7d2b |
|
|
|
2b7d2b |
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
|
|
2b7d2b |
index 7beb86b..81c2581 100644
|
|
|
2b7d2b |
--- a/iptables/xshared.c
|
|
|
2b7d2b |
+++ b/iptables/xshared.c
|
|
|
2b7d2b |
@@ -6,6 +6,7 @@
|
|
|
2b7d2b |
#include <stdio.h>
|
|
|
2b7d2b |
#include <stdlib.h>
|
|
|
2b7d2b |
#include <string.h>
|
|
|
2b7d2b |
+#include <sys/file.h>
|
|
|
2b7d2b |
#include <sys/socket.h>
|
|
|
2b7d2b |
#include <sys/un.h>
|
|
|
2b7d2b |
#include <unistd.h>
|