import iptables-1.8.4-17.el8_4.1
parent
c3f048e40a
commit
28a035574c
77
SOURCES/0044-nft-cache-Retry-if-kernel-returns-EINTR.patch
Normal file
77
SOURCES/0044-nft-cache-Retry-if-kernel-returns-EINTR.patch
Normal file
@ -0,0 +1,77 @@
|
|||||||
|
From 49b00c1d89ab0f0b1a2ebf5bb9207311e8ea164e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Wed, 4 Aug 2021 17:14:05 +0200
|
||||||
|
Subject: [PATCH] nft: cache: Retry if kernel returns EINTR
|
||||||
|
|
||||||
|
In case of parallel ruleset updates, recvfrom() calls may return EINTR.
|
||||||
|
Due to the fact that cache fetches may get triggered while iterating
|
||||||
|
over cache elements, __nft_build_cache must not restart based on
|
||||||
|
comparing before and after generation ID like upstream does. Instead,
|
||||||
|
just retry the recvfrom() calls until they either succeed or return a
|
||||||
|
different error than EINTR.
|
||||||
|
---
|
||||||
|
iptables/nft-cache.c | 18 ++++++++++++++----
|
||||||
|
1 file changed, 14 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
|
||||||
|
index 9623b463f0dd5..699dc66a95cd1 100644
|
||||||
|
--- a/iptables/nft-cache.c
|
||||||
|
+++ b/iptables/nft-cache.c
|
||||||
|
@@ -98,9 +98,12 @@ static int fetch_table_cache(struct nft_handle *h)
|
||||||
|
nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, h->family,
|
||||||
|
NLM_F_DUMP, h->seq);
|
||||||
|
|
||||||
|
+retry:
|
||||||
|
ret = mnl_talk(h, nlh, nftnl_table_list_cb, list);
|
||||||
|
- if (ret < 0 && errno == EINTR)
|
||||||
|
+ if (ret < 0 && errno == EINTR) {
|
||||||
|
assert(nft_restart(h) >= 0);
|
||||||
|
+ goto retry;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
h->cache->tables = list;
|
||||||
|
|
||||||
|
@@ -275,10 +278,11 @@ static int fetch_set_cache(struct nft_handle *h,
|
||||||
|
NLM_F_DUMP, h->seq);
|
||||||
|
}
|
||||||
|
|
||||||
|
+retry:
|
||||||
|
ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d);
|
||||||
|
if (ret < 0 && errno == EINTR) {
|
||||||
|
assert(nft_restart(h) >= 0);
|
||||||
|
- return ret;
|
||||||
|
+ goto retry;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (t && set) {
|
||||||
|
@@ -355,9 +359,12 @@ static int fetch_chain_cache(struct nft_handle *h,
|
||||||
|
h->seq);
|
||||||
|
}
|
||||||
|
|
||||||
|
+retry:
|
||||||
|
ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d);
|
||||||
|
- if (ret < 0 && errno == EINTR)
|
||||||
|
+ if (ret < 0 && errno == EINTR) {
|
||||||
|
assert(nft_restart(h) >= 0);
|
||||||
|
+ goto retry;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
@@ -404,9 +411,12 @@ static int nft_rule_list_update(struct nftnl_chain *c, void *data)
|
||||||
|
NLM_F_DUMP, h->seq);
|
||||||
|
nftnl_rule_nlmsg_build_payload(nlh, rule);
|
||||||
|
|
||||||
|
+retry:
|
||||||
|
ret = mnl_talk(h, nlh, nftnl_rule_list_cb, c);
|
||||||
|
- if (ret < 0 && errno == EINTR)
|
||||||
|
+ if (ret < 0 && errno == EINTR) {
|
||||||
|
assert(nft_restart(h) >= 0);
|
||||||
|
+ goto retry;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
nftnl_rule_free(rule);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.32.0
|
||||||
|
|
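Review bot: In all four retry loops (fetch_table_cache, fetch_set_cache, fetch_chain_cache, nft_rule_list_update) the socket is re-opened only inside `assert(nft_restart(h) >= 0);`, so a build with NDEBUG compiles the restart out and `goto retry` re-sends on the old socket, while a normal build aborts the process when the restart fails. Calling it outside the assert, e.g. `if (nft_restart(h) < 0) return -1;`, keeps the behaviour independent of build flags; in nft_rule_list_update that early return would also have to free `rule`. The loops have no upper bound, so sustained parallel ruleset updates could keep a rule listing or reload spinning; a small retry cap that returns the error would bound that. Whether entries already appended to `list`, `d` or `c` by the interrupted dump need to be cleared before retrying cannot be told from these hunks, since each function body extends beyond its hunk.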
@ -17,7 +17,7 @@ Name: iptables
|
|||||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||||
URL: http://www.netfilter.org/projects/iptables
|
URL: http://www.netfilter.org/projects/iptables
|
||||||
Version: 1.8.4
|
Version: 1.8.4
|
||||||
Release: 17%{?dist}
|
Release: 17%{?dist}.1
|
||||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||||
Source1: iptables.init
|
Source1: iptables.init
|
||||||
Source2: iptables-config
|
Source2: iptables-config
|
||||||
@ -77,6 +77,7 @@ Patch40: 0040-extensions-libxt_CT-add-translation-for-NOTRACK.patch
|
|||||||
Patch41: 0041-nft-Fix-command-name-in-ip6tables-error-message.patch
|
Patch41: 0041-nft-Fix-command-name-in-ip6tables-error-message.patch
|
||||||
Patch42: 0042-tests-shell-Merge-and-extend-return-codes-test.patch
|
Patch42: 0042-tests-shell-Merge-and-extend-return-codes-test.patch
|
||||||
Patch43: 0043-extensions-dccp-Fix-for-DCCP-type-INVALID.patch
|
Patch43: 0043-extensions-dccp-Fix-for-DCCP-type-INVALID.patch
|
||||||
|
Patch44: 0044-nft-cache-Retry-if-kernel-returns-EINTR.patch
|
||||||
|
|
||||||
# pf.os: ISC license
|
# pf.os: ISC license
|
||||||
# iptables-apply: Artistic Licence 2.0
|
# iptables-apply: Artistic Licence 2.0
|
||||||
@ -485,6 +486,9 @@ done
|
|||||||
%doc %{_mandir}/man8/ebtables*.8*
|
%doc %{_mandir}/man8/ebtables*.8*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Aug 04 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-17.1
|
||||||
|
- nft: cache: Retry if kernel returns EINTR
|
||||||
|
|
||||||
* Thu Dec 10 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-17
|
* Thu Dec 10 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-17
|
||||||
- extensions: dccp: Fix for DCCP type 'INVALID'
|
- extensions: dccp: Fix for DCCP type 'INVALID'
|
||||||
- tests: shell: Merge and extend return codes test
|
- tests: shell: Merge and extend return codes test
|
||||||
|