import iptables-1.8.4-17.el8_4.1
This commit is contained in:
parent
c3f048e40a
commit
28a035574c
77
SOURCES/0044-nft-cache-Retry-if-kernel-returns-EINTR.patch
Normal file
77
SOURCES/0044-nft-cache-Retry-if-kernel-returns-EINTR.patch
Normal file
@ -0,0 +1,77 @@
|
||||
From 49b00c1d89ab0f0b1a2ebf5bb9207311e8ea164e Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Wed, 4 Aug 2021 17:14:05 +0200
|
||||
Subject: [PATCH] nft: cache: Retry if kernel returns EINTR
|
||||
|
||||
In case of parallel ruleset updates, recvfrom() calls may return EINTR.
|
||||
Due to the fact that cache fetches may get triggered while iterating
|
||||
over cache elements, __nft_build_cache must not restart based on
|
||||
comparing before and after generation ID like upstream does. Instead,
|
||||
just retry the recvfrom() calls until they either succeed or return a
|
||||
different error than EINTR.
|
||||
---
|
||||
iptables/nft-cache.c | 18 ++++++++++++++----
|
||||
1 file changed, 14 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
|
||||
index 9623b463f0dd5..699dc66a95cd1 100644
|
||||
--- a/iptables/nft-cache.c
|
||||
+++ b/iptables/nft-cache.c
|
||||
@@ -98,9 +98,12 @@ static int fetch_table_cache(struct nft_handle *h)
|
||||
nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, h->family,
|
||||
NLM_F_DUMP, h->seq);
|
||||
|
||||
+retry:
|
||||
ret = mnl_talk(h, nlh, nftnl_table_list_cb, list);
|
||||
- if (ret < 0 && errno == EINTR)
|
||||
+ if (ret < 0 && errno == EINTR) {
|
||||
assert(nft_restart(h) >= 0);
|
||||
+ goto retry;
|
||||
+ }
|
||||
|
||||
h->cache->tables = list;
|
||||
|
||||
@@ -275,10 +278,11 @@ static int fetch_set_cache(struct nft_handle *h,
|
||||
NLM_F_DUMP, h->seq);
|
||||
}
|
||||
|
||||
+retry:
|
||||
ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d);
|
||||
if (ret < 0 && errno == EINTR) {
|
||||
assert(nft_restart(h) >= 0);
|
||||
- return ret;
|
||||
+ goto retry;
|
||||
}
|
||||
|
||||
if (t && set) {
|
||||
@@ -355,9 +359,12 @@ static int fetch_chain_cache(struct nft_handle *h,
|
||||
h->seq);
|
||||
}
|
||||
|
||||
+retry:
|
||||
ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d);
|
||||
- if (ret < 0 && errno == EINTR)
|
||||
+ if (ret < 0 && errno == EINTR) {
|
||||
assert(nft_restart(h) >= 0);
|
||||
+ goto retry;
|
||||
+ }
|
||||
|
||||
return ret;
|
||||
}
|
||||
@@ -404,9 +411,12 @@ static int nft_rule_list_update(struct nftnl_chain *c, void *data)
|
||||
NLM_F_DUMP, h->seq);
|
||||
nftnl_rule_nlmsg_build_payload(nlh, rule);
|
||||
|
||||
+retry:
|
||||
ret = mnl_talk(h, nlh, nftnl_rule_list_cb, c);
|
||||
- if (ret < 0 && errno == EINTR)
|
||||
+ if (ret < 0 && errno == EINTR) {
|
||||
assert(nft_restart(h) >= 0);
|
||||
+ goto retry;
|
||||
+ }
|
||||
|
||||
nftnl_rule_free(rule);
|
||||
|
||||
--
|
||||
2.32.0
|
||||
|
@ -17,7 +17,7 @@ Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
URL: http://www.netfilter.org/projects/iptables
|
||||
Version: 1.8.4
|
||||
Release: 17%{?dist}
|
||||
Release: 17%{?dist}.1
|
||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
@ -77,6 +77,7 @@ Patch40: 0040-extensions-libxt_CT-add-translation-for-NOTRACK.patch
|
||||
Patch41: 0041-nft-Fix-command-name-in-ip6tables-error-message.patch
|
||||
Patch42: 0042-tests-shell-Merge-and-extend-return-codes-test.patch
|
||||
Patch43: 0043-extensions-dccp-Fix-for-DCCP-type-INVALID.patch
|
||||
Patch44: 0044-nft-cache-Retry-if-kernel-returns-EINTR.patch
|
||||
|
||||
# pf.os: ISC license
|
||||
# iptables-apply: Artistic Licence 2.0
|
||||
@ -485,6 +486,9 @@ done
|
||||
%doc %{_mandir}/man8/ebtables*.8*
|
||||
|
||||
%changelog
|
||||
* Wed Aug 04 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-17.1
|
||||
- nft: cache: Retry if kernel returns EINTR
|
||||
|
||||
* Thu Dec 10 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-17
|
||||
- extensions: dccp: Fix for DCCP type 'INVALID'
|
||||
- tests: shell: Merge and extend return codes test
|
||||
|
Loading…
Reference in New Issue
Block a user