Your message dated Thu, 08 Aug 2013 21:04:07 +0000
with message-id <[email protected]>
and subject line Bug#710997: fixed in iptables 1.4.20-1
has caused the Debian Bug report #710997,
regarding iptables calls setsockopt incorrectly
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
710997: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710997
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iptables
Version: 1.4.18-1
Tags: patch
--
Since time immemorial, iptables has called setsockopt() and treated any
-1 return value as fatal. Any system call can return EAGAIN or
EINPROGRESS (depending on the origins of the API), and good coding
practice requires checking for that and retrying or otherwise handling
it.
In the case of iptables, if multiple processes are calling iptables
concurrently, then it is likely that one of them will fail. I have seen
this with xen, as well as certain firewall configurations where the
firewall rules are added as triggered by interfaces being discovered and
configured.
The attached patch fixes the issue.
lamont
diff -ur x/iptables-1.4.18/libiptc/libiptc.c iptables-1.4.18/libiptc/libiptc.c
--- x/iptables-1.4.18/libiptc/libiptc.c 2013-03-03 14:40:11.000000000 -0700
+++ iptables-1.4.18/libiptc/libiptc.c 2013-06-03 16:03:31.819448019 -0600
@@ -2596,8 +2596,10 @@
}
#endif
- ret = setsockopt(handle->sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
+ do {
+ ret = setsockopt(handle->sockfd, TC_IPPROTO, SO_SET_REPLACE, repl,
sizeof(*repl) + repl->size);
+ } while ( ret < 0 && ( errno == EAGAIN || errno == EINPROGRESS));
if (ret < 0)
goto out_free_newcounters;
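Review bot: the new `do { ... } while ( ret < 0 && ( errno == EAGAIN || errno == EINPROGRESS));` has no attempt cap and no delay between attempts, so it resubmits the identical `repl` buffer in a tight spin for as long as the kernel keeps answering EAGAIN; if that condition is not transient for this particular buffer, the process never leaves the SO_SET_REPLACE path and the caller never sees a failure. Bound the loop (a small fixed attempt count with a short sleep between attempts) and let it fall through to the existing `if (ret < 0) goto out_free_newcounters;` on exhaustion, so errno still reaches the caller. Style: the continuation line `sizeof(*repl) + repl->size);` keeps its pre-patch indentation inside the new block, and the spacing in `while ( ret < 0 && ( errno` does not match the surrounding code.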
@@ -2672,8 +2674,10 @@
}
#endif
- ret = setsockopt(handle->sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
+ do {
+ ret = setsockopt(handle->sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,
newcounters, counterlen);
+ } while ( ret < 0 && ( errno == EAGAIN || errno == EINPROGRESS));
if (ret < 0)
goto out_free_newcounters;
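Review bot: this duplicates the retry loop added for SO_SET_REPLACE, including the unbounded spin and the un-reindented continuation line `newcounters, counterlen);`. Factor the retry into one static helper that takes the option name, buffer and length, so both the SO_SET_REPLACE and SO_SET_ADD_COUNTERS call sites share a single attempt limit and backoff policy and the `errno == EAGAIN || errno == EINPROGRESS` predicate is maintained in one place rather than two.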
--- End Message ---
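The patch above retries the setsockopt() unconditionally while errno is EAGAIN or EINPROGRESS. The following is an added example, not code from the bug report, from libiptc or from the iptables project, showing the bounded alternative a reviewer would ask for: a retry wrapper that distinguishes transient from permanent errors, caps the attempt count, sleeps between attempts, and preserves errno for the caller. The names `retry_transient`, `set_op`, `fake_set_replace` and `struct fake_table` are hypothetical; the fake table is a constructed stand-in for the kernel side of SO_SET_REPLACE so the code runs without root or netfilter.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical names (not libiptc's): a setsockopt-shaped operation
 * and the outcome of driving it through a bounded retry. */
typedef int (*set_op)(void *ctx);

enum retry_status {
    RETRY_OK = 0,        /* op returned 0 */
    RETRY_FAILED = -1,   /* non-transient errno; errno left for the caller */
    RETRY_EXHAUSTED = -2 /* still EAGAIN/EINPROGRESS after max_attempts */
};

/* Call op until it succeeds, fails with a non-transient errno, or
 * max_attempts is reached. Sleeps backoff_ms between attempts, doubling
 * up to 1 s, so concurrent callers back off instead of spinning.
 * *attempts_out (if non-NULL) receives the number of calls made. */
int retry_transient(set_op op, void *ctx, int max_attempts,
                    unsigned backoff_ms, int *attempts_out)
{
    int attempts = 0;
    int status;

    for (;;) {
        int ret = op(ctx);
        attempts++;
        if (ret == 0) {
            status = RETRY_OK;
            break;
        }
        if (errno != EAGAIN && errno != EINPROGRESS) {
            status = RETRY_FAILED;    /* e.g. EPERM: retrying cannot help */
            break;
        }
        if (attempts >= max_attempts) {
            status = RETRY_EXHAUSTED; /* errno still holds the transient code */
            break;
        }
        struct timespec ts = { backoff_ms / 1000,
                               (long)(backoff_ms % 1000) * 1000000L };
        nanosleep(&ts, NULL);
        if (backoff_ms < 1000)
            backoff_ms *= 2;
    }
    if (attempts_out)
        *attempts_out = attempts;
    return status;
}

/* Constructed stand-in for the kernel: answers EAGAIN for the first
 * transient_failures calls, then succeeds; if permanent_errno is set it
 * always fails with that errno. */
struct fake_table {
    int transient_failures;
    int permanent_errno;
    int calls;
};

int fake_set_replace(void *ctx)
{
    struct fake_table *t = ctx;
    t->calls++;
    if (t->permanent_errno) {
        errno = t->permanent_errno;
        return -1;
    }
    if (t->calls <= t->transient_failures) {
        errno = EAGAIN;
        return -1;
    }
    return 0;
}

/* Three scenarios: a concurrent writer that goes away, one that never
 * does, and an unprivileged caller. Each returns the retry status and
 * reports the call count (and errno) through out-parameters. */
int scenario_recovers(int *calls)
{
    struct fake_table t = { 2, 0, 0 };    /* two EAGAINs, then success */
    int st = retry_transient(fake_set_replace, &t, 5, 1, NULL);
    *calls = t.calls;
    return st;
}

int scenario_gives_up(int *calls, int *saved_errno)
{
    struct fake_table t = { 1000, 0, 0 }; /* EAGAIN forever */
    int st = retry_transient(fake_set_replace, &t, 4, 1, NULL);
    *calls = t.calls;
    *saved_errno = errno;
    return st;
}

int scenario_permanent(int *calls, int *saved_errno)
{
    struct fake_table t = { 0, EPERM, 0 }; /* retrying cannot fix EPERM */
    int st = retry_transient(fake_set_replace, &t, 5, 1, NULL);
    *calls = t.calls;
    *saved_errno = errno;
    return st;
}

int main(void)
{
    int st, calls, err;
    st = scenario_recovers(&calls);
    printf("recovers:  status %d after %d calls\n", st, calls);
    st = scenario_gives_up(&calls, &err);
    printf("gives up:  status %d after %d calls, errno %d\n", st, calls, err);
    st = scenario_permanent(&calls, &err);
    printf("permanent: status %d after %d calls, errno %d\n", st, calls, err);
    return 0;
}
```

The point of the third scenario is that the patch's predicate already gets this right (EPERM is not retried); what it lacks is the cap in the second scenario, where the unbounded `do { } while` would never return.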
--- Begin Message ---
Source: iptables
Source-Version: 1.4.20-1
We believe that the bug you reported is fixed in the latest version of
iptables, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laurence J. Lane <[email protected]> (supplier of updated iptables package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 08 Aug 2013 10:39:54 -0400
Source: iptables
Binary: iptables libxtables10 iptables-dev
Architecture: source amd64
Version: 1.4.20-1
Distribution: unstable
Urgency: low
Maintainer: Laurence J. Lane <[email protected]>
Changed-By: Laurence J. Lane <[email protected]>
Description:
iptables - administration tools for packet filtering and NAT
iptables-dev - iptables development files
libxtables10 - netfilter xtables library
Closes: 710997 718810
Changes:
iptables (1.4.20-1) unstable; urgency=low
.
* New upstream release
* added 0401-state-match-display.patch for the missing state match
display reported by Eugene Berdnikov and fixed by Phil Oester. Thanks.
Closes: #718810
* upstream fix addresses concurrent invocation issues reported by
Lamont Jones. Fixed upstream by Phil Oester and Pablo Neira Ayuso.
Closes: #710997
Checksums-Sha1:
f642c59981a292d196bd40b6a6e83556b594672e 1231 iptables_1.4.20-1.dsc
7219b32657e9f794ff1b5a2476363c59f9c2175c 546864 iptables_1.4.20.orig.tar.bz2
03e3e3acce6774445053bc121f024a4e02129d57 49313 iptables_1.4.20-1.debian.tar.gz
74db79c28684dcfb04e134c47c88431b6e338613 276206 iptables_1.4.20-1_amd64.deb
84a6173d1c4dede5b5922a5a16f70970e24d40c9 62308 libxtables10_1.4.20-1_amd64.deb
645085b9ccb1b081e69c378d3ee2c59c8cca9561 65336 iptables-dev_1.4.20-1_amd64.deb
Checksums-Sha256:
133625f2e5521d511b488c3d09391cfae58ff85d90fc3163c1ed99ab6144968a 1231 iptables_1.4.20-1.dsc
109b8c7ca90b4536bc5de869ae705f6d5efcc0c08ef3003755aad3ed6d2d49ad 546864 iptables_1.4.20.orig.tar.bz2
b796fb92e9faa597d3f63945345790b9ed94c7b0415e036775f9e0c1fc446922 49313 iptables_1.4.20-1.debian.tar.gz
932a8cce9d755ba0eba404272bde352d28acd625e8e8d671238a43173ae91b02 276206 iptables_1.4.20-1_amd64.deb
33babb245184db41a430022c50961b50d90220a23b04bc22b8e122df99b3c6d7 62308 libxtables10_1.4.20-1_amd64.deb
aafd8460692efdbed25c00bee1e37ae57f0ed2455f91448ab6792ffdd9711c97 65336 iptables-dev_1.4.20-1_amd64.deb
Files:
dc7073e731f51386ae91fc83605b31ec 1231 net important iptables_1.4.20-1.dsc
387b92d3efcf4f07fe31c3bf0f1d18f5 546864 net important iptables_1.4.20.orig.tar.bz2
b5565112db0a3b9a2d786bac7350400f 49313 net important iptables_1.4.20-1.debian.tar.gz
3494f399a7c6953da6f64fbf1c7c0afe 276206 net important iptables_1.4.20-1_amd64.deb
62172ceabeb5352222a58805b88acb8f 62308 net important libxtables10_1.4.20-1_amd64.deb
7bc5a385f2744c8c41958dbcedec490c 65336 devel optional iptables-dev_1.4.20-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
iEYEARECAAYFAlID9vsACgkQxJBkNlXToeku9gCfbLfKF63bGK+OOBdYX97ZNqua
d08AmwScKDUW8f3gqU3yFWf/c7hDA1Lq
=6aDT
-----END PGP SIGNATURE-----
--- End Message ---