diff --git a/SOURCES/0044-nft-cache-Retry-if-kernel-returns-EINTR.patch b/SOURCES/0044-nft-cache-Retry-if-kernel-returns-EINTR.patch new file mode 100644 index 0000000..b9fae4a --- /dev/null +++ b/SOURCES/0044-nft-cache-Retry-if-kernel-returns-EINTR.patch @@ -0,0 +1,77 @@ +From 49b00c1d89ab0f0b1a2ebf5bb9207311e8ea164e Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 4 Aug 2021 17:14:05 +0200 +Subject: [PATCH] nft: cache: Retry if kernel returns EINTR + +In case of parallel ruleset updates, recvfrom() calls may return EINTR. +Due to the fact that cache fetches may get triggered while iterating +over cache elements, __nft_build_cache must not restart based on +comparing before and after generation ID like upstream does. Instead, +just retry the recvfrom() calls until they either succeed or return a +different error than EINTR. +--- + iptables/nft-cache.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c +index 9623b463f0dd5..699dc66a95cd1 100644 +--- a/iptables/nft-cache.c ++++ b/iptables/nft-cache.c +@@ -98,9 +98,12 @@ static int fetch_table_cache(struct nft_handle *h) + nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, h->family, + NLM_F_DUMP, h->seq); + ++retry: + ret = mnl_talk(h, nlh, nftnl_table_list_cb, list); +- if (ret < 0 && errno == EINTR) ++ if (ret < 0 && errno == EINTR) { + assert(nft_restart(h) >= 0); ++ goto retry; ++ } + + h->cache->tables = list; + +@@ -275,10 +278,11 @@ static int fetch_set_cache(struct nft_handle *h, + NLM_F_DUMP, h->seq); + } + ++retry: + ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d); + if (ret < 0 && errno == EINTR) { + assert(nft_restart(h) >= 0); +- return ret; ++ goto retry; + } + + if (t && set) { +@@ -355,9 +359,12 @@ static int fetch_chain_cache(struct nft_handle *h, + h->seq); + } + ++retry: + ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d); +- if (ret < 0 && errno == EINTR) ++ if (ret < 0 && errno == EINTR) { + assert(nft_restart(h) >= 0); ++ goto retry; ++ } + + return ret; + } +@@ -404,9 +411,12 @@ static int nft_rule_list_update(struct nftnl_chain *c, void *data) + NLM_F_DUMP, h->seq); + nftnl_rule_nlmsg_build_payload(nlh, rule); + ++retry: + ret = mnl_talk(h, nlh, nftnl_rule_list_cb, c); +- if (ret < 0 && errno == EINTR) ++ if (ret < 0 && errno == EINTR) { + assert(nft_restart(h) >= 0); ++ goto retry; ++ } + + nftnl_rule_free(rule); + +-- +2.32.0 + diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec index 87f721b..12289e4 100644 --- a/SPECS/iptables.spec +++ b/SPECS/iptables.spec @@ -17,7 +17,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: http://www.netfilter.org/projects/iptables Version: 1.8.4 -Release: 17%{?dist} +Release: 17%{?dist}.1 Source: %{url}/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config @@ -77,6 +77,7 @@ Patch40: 0040-extensions-libxt_CT-add-translation-for-NOTRACK.patch Patch41: 0041-nft-Fix-command-name-in-ip6tables-error-message.patch Patch42: 0042-tests-shell-Merge-and-extend-return-codes-test.patch Patch43: 0043-extensions-dccp-Fix-for-DCCP-type-INVALID.patch +Patch44: 0044-nft-cache-Retry-if-kernel-returns-EINTR.patch # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 @@ -485,6 +486,9 @@ done %doc %{_mandir}/man8/ebtables*.8* %changelog +* Wed Aug 04 2021 Phil Sutter - 1.8.4-17.1 +- nft: cache: Retry if kernel returns EINTR + * Thu Dec 10 2020 Phil Sutter - 1.8.4-17 - extensions: dccp: Fix for DCCP type 'INVALID' - tests: shell: Merge and extend return codes test