import iptables-1.8.4-17.el8_4.1

This commit is contained in:
CentOS Sources 2021-11-02 03:50:35 -04:00 committed by Stepan Oksanichenko
parent c3f048e40a
commit 28a035574c
2 changed files with 82 additions and 1 deletions

View File

@ -0,0 +1,77 @@
From 49b00c1d89ab0f0b1a2ebf5bb9207311e8ea164e Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 4 Aug 2021 17:14:05 +0200
Subject: [PATCH] nft: cache: Retry if kernel returns EINTR
In case of parallel ruleset updates, recvfrom() calls may return EINTR.
Due to the fact that cache fetches may get triggered while iterating
over cache elements, __nft_build_cache must not restart based on
comparing before and after generation ID like upstream does. Instead,
just retry the recvfrom() calls until they either succeed or return a
different error than EINTR.
---
iptables/nft-cache.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 9623b463f0dd5..699dc66a95cd1 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -98,9 +98,12 @@ static int fetch_table_cache(struct nft_handle *h)
nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, h->family,
NLM_F_DUMP, h->seq);
+retry:
ret = mnl_talk(h, nlh, nftnl_table_list_cb, list);
- if (ret < 0 && errno == EINTR)
+ if (ret < 0 && errno == EINTR) {
assert(nft_restart(h) >= 0);
+ goto retry;
+ }
h->cache->tables = list;
@@ -275,10 +278,11 @@ static int fetch_set_cache(struct nft_handle *h,
NLM_F_DUMP, h->seq);
}
+retry:
ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d);
if (ret < 0 && errno == EINTR) {
assert(nft_restart(h) >= 0);
- return ret;
+ goto retry;
}
if (t && set) {
@@ -355,9 +359,12 @@ static int fetch_chain_cache(struct nft_handle *h,
h->seq);
}
+retry:
ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d);
- if (ret < 0 && errno == EINTR)
+ if (ret < 0 && errno == EINTR) {
assert(nft_restart(h) >= 0);
+ goto retry;
+ }
return ret;
}
@@ -404,9 +411,12 @@ static int nft_rule_list_update(struct nftnl_chain *c, void *data)
NLM_F_DUMP, h->seq);
nftnl_rule_nlmsg_build_payload(nlh, rule);
+retry:
ret = mnl_talk(h, nlh, nftnl_rule_list_cb, c);
- if (ret < 0 && errno == EINTR)
+ if (ret < 0 && errno == EINTR) {
assert(nft_restart(h) >= 0);
+ goto retry;
+ }
nftnl_rule_free(rule);
--
2.32.0

View File

@ -17,7 +17,7 @@ Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
URL: http://www.netfilter.org/projects/iptables
Version: 1.8.4
Release: 17%{?dist}
Release: 17%{?dist}.1
Source: %{url}/files/%{name}-%{version}.tar.bz2
Source1: iptables.init
Source2: iptables-config
@ -77,6 +77,7 @@ Patch40: 0040-extensions-libxt_CT-add-translation-for-NOTRACK.patch
Patch41: 0041-nft-Fix-command-name-in-ip6tables-error-message.patch
Patch42: 0042-tests-shell-Merge-and-extend-return-codes-test.patch
Patch43: 0043-extensions-dccp-Fix-for-DCCP-type-INVALID.patch
Patch44: 0044-nft-cache-Retry-if-kernel-returns-EINTR.patch
# pf.os: ISC license
# iptables-apply: Artistic Licence 2.0
@ -485,6 +486,9 @@ done
%doc %{_mandir}/man8/ebtables*.8*
%changelog
* Wed Aug 04 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-17.1
- nft: cache: Retry if kernel returns EINTR
* Thu Dec 10 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-17
- extensions: dccp: Fix for DCCP type 'INVALID'
- tests: shell: Merge and extend return codes test