From aa562a660d1555b13cffbac1e744033e91f82707 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 16 Jan 2015 14:21:57 +0100
Subject: iptables: use flock() instead of abstract unix sockets
|
Abstract unix sockets cannot be used to synchronize several concurrent
instances of iptables since an unprivileged process can create them and
prevent the legitimate iptables instance from running.
|
Use flock() and /run instead as suggested by Lennart Poettering.
|
Fixes: 93587a0 ("ip[6]tables: Add locking to prevent concurrent instances")
Reported-by: Lennart Poettering <lennart@poettering.net>
Cc: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
diff --git a/iptables/xshared.c b/iptables/xshared.c
index b18022e..7beb86b 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -9,11 +9,11 @@
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
+#include <fcntl.h>
#include <xtables.h>
#include "xshared.h"
|
-#define XT_SOCKET_NAME "xtables"
-#define XT_SOCKET_LEN 8
+#define XT_LOCK_NAME "/run/xtables.lock"
|
/*
* Print out any special helps. A user might like to be able to add a --help
@@ -245,22 +245,14 @@ void xs_init_match(struct xtables_match *match)
|
bool xtables_lock(int wait)
{
- int i = 0, ret, xt_socket;
- struct sockaddr_un xt_addr;
- int waited = 0;
-
- memset(&xt_addr, 0, sizeof(xt_addr));
- xt_addr.sun_family = AF_UNIX;
- strcpy(xt_addr.sun_path+1, XT_SOCKET_NAME);
- xt_socket = socket(AF_UNIX, SOCK_STREAM, 0);
- /* If we can't even create a socket, fall back to prior (lockless) behavior */
- if (xt_socket < 0)
+ int fd, waited = 0, i = 0;
+
+ fd = open(XT_LOCK_NAME, O_CREAT, 0600);
+ if (fd < 0)
return true;
|
while (1) {
- ret = bind(xt_socket, (struct sockaddr*)&xt_addr,
- offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN);
- if (ret == 0)
+ if (flock(fd, LOCK_EX | LOCK_NB) == 0)
return true;
else if (wait >= 0 && waited >= wait)
return false;
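Review bot: The retry loop at `if (flock(fd, LOCK_EX | LOCK_NB) == 0)` treats every flock() failure as "lock busy", so an error other than EWOULDBLOCK (ENOLCK, EBADF, ...) keeps the caller spinning until `wait` expires and forever when `wait < 0`; a second branch, `else if (errno != EWOULDBLOCK) return true;`, would make a hard failure behave like the lockless fallback already taken when open() fails (this assumes <errno.h> is in scope, which the shown includes do not establish). The descriptor is opened with `O_CREAT` alone and is deliberately never closed, since the flock lock must outlive the function; adding `O_CLOEXEC` would stop the held lock from leaking into any child the caller might ever exec. The comment explaining the best-effort fallback was dropped with the socket code, so restoring it above `if (fd < 0)`, e.g. `/* If we can't even open the lock file, fall back to prior (lockless) behaviour */`, keeps the intent visible to the next reader. The remainder of the loop body (the wait/sleep path) lies outside this hunk.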
--
cgit v0.10.2
|
commit 6dc53c514f1e4683e51a877b3a2f3128cfccef28
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon Feb 16 16:57:39 2015 +0100
|
xshared: calm down compilation warning
|
xshared.c: In function ‘xtables_lock’:
xshared.c:255:3: warning: implicit declaration of function ‘flock’ [-Wimplicit-function-declaration]
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 7beb86b..81c2581 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -6,6 +6,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/file.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>