import iptables-1.8.4-17.el8_4.1

SOURCES/0044-nft-cache-Retry-if-kernel-returns-EINTR.patch

@@ -0,0 +1,77 @@
+From 49b00c1d89ab0f0b1a2ebf5bb9207311e8ea164e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 4 Aug 2021 17:14:05 +0200
+Subject: [PATCH] nft: cache: Retry if kernel returns EINTR
+
+In case of parallel ruleset updates, recvfrom() calls may return EINTR.
+Due to the fact that cache fetches may get triggered while iterating
+over cache elements, __nft_build_cache must not restart based on
+comparing before and after generation ID like upstream does. Instead,
+just retry the recvfrom() calls until they either succeed or return a
+different error than EINTR.
+---
+ iptables/nft-cache.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
+index 9623b463f0dd5..699dc66a95cd1 100644
+--- a/iptables/nft-cache.c
++++ b/iptables/nft-cache.c
+@@ -98,9 +98,12 @@ static int fetch_table_cache(struct nft_handle *h)
+ 	nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, h->family,
+ 					NLM_F_DUMP, h->seq);
+ 
++retry:
+ 	ret = mnl_talk(h, nlh, nftnl_table_list_cb, list);
+-	if (ret < 0 && errno == EINTR)
++	if (ret < 0 && errno == EINTR) {
+ 		assert(nft_restart(h) >= 0);
++		goto retry;
++	}
+ 
+ 	h->cache->tables = list;
+ 
+@@ -275,10 +278,11 @@ static int fetch_set_cache(struct nft_handle *h,
+ 						NLM_F_DUMP, h->seq);
+ 	}
+ 
++retry:
+ 	ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d);
+ 	if (ret < 0 && errno == EINTR) {
+ 		assert(nft_restart(h) >= 0);
+-		return ret;
++		goto retry;
+ 	}
+ 
+ 	if (t && set) {
+@@ -355,9 +359,12 @@ static int fetch_chain_cache(struct nft_handle *h,
+ 						  h->seq);
+ 	}
+ 
++retry:
+ 	ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d);
+-	if (ret < 0 && errno == EINTR)
++	if (ret < 0 && errno == EINTR) {
+ 		assert(nft_restart(h) >= 0);
++		goto retry;
++	}
+ 
+ 	return ret;
+ }
+@@ -404,9 +411,12 @@ static int nft_rule_list_update(struct nftnl_chain *c, void *data)
+ 					NLM_F_DUMP, h->seq);
+ 	nftnl_rule_nlmsg_build_payload(nlh, rule);
+ 
++retry:
+ 	ret = mnl_talk(h, nlh, nftnl_rule_list_cb, c);
+-	if (ret < 0 && errno == EINTR)
++	if (ret < 0 && errno == EINTR) {
+ 		assert(nft_restart(h) >= 0);
++		goto retry;
++	}
+ 
+ 	nftnl_rule_free(rule);
+ 
+-- 
+2.32.0
+

SPECS/iptables.spec

@@ -17,7 +17,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.4
-Release: 17%{?dist}
+Release: 17%{?dist}.1
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -77,6 +77,7 @@ Patch40: 0040-extensions-libxt_CT-add-translation-for-NOTRACK.patch
 Patch41: 0041-nft-Fix-command-name-in-ip6tables-error-message.patch
 Patch42: 0042-tests-shell-Merge-and-extend-return-codes-test.patch
 Patch43: 0043-extensions-dccp-Fix-for-DCCP-type-INVALID.patch
+Patch44: 0044-nft-cache-Retry-if-kernel-returns-EINTR.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -485,6 +486,9 @@ done
 %doc %{_mandir}/man8/ebtables*.8*
 
 %changelog
+* Wed Aug 04 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-17.1
+- nft: cache: Retry if kernel returns EINTR
+
 * Thu Dec 10 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-17
 - extensions: dccp: Fix for DCCP type 'INVALID'
 - tests: shell: Merge and extend return codes test