Your message dated Thu, 15 Nov 2018 11:51:02 +0000
with message-id <[email protected]>
and subject line Bug#816087: fixed in iptables 1.8.2-1
has caused the Debian Bug report #816087,
regarding iptables is racy by default when used in scripts
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
816087: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816087
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iptables
Version: 1.4.21-2+b1
Severity: important

Hi,

So, somewhere between Wheezy and Jessie, iptables started using locking
to avoid racy updates to the kernel state, which means the command line
tool will now sometimes fail with:

 "Another app is currently holding the xtables lock."

Which is good, except that means the command line tool itself has now
introduced race conditions which scripts calling it repeatedly can lose
unless they explicitly pass the -w option to wait for the lock.

The problem seems to be that iptables itself will return before the
xtables lock has been released, so a script calling it multiple times
is prone to fail somewhere in the middle of what it is doing ...


This has been reported and worked around elsewhere, in bugs like:
https://bugs.debian.org/780238

But given that I've only just started to see the problem here in
scripts of our own, I suspect it is far more widespread and things
are failing for far more people in far more places now, possibly
with rather undesirable results.  So it seems like something more
needs to be done to grease the wheels of this transition ...


I'm inclined to think -w should actually be the default, though I
understand that could have the undesirable side effect of deadlocking
in some pathological use cases ...  but at the very least it seems
like the iptables command shouldn't return to the caller until the
lock is really released.  Which would at least make it safe(r) for an
existing single threaded script to call it repeatedly without needing
modification (though it could still get nuked by some other caller
running a command that takes the xtables lock) ...


I'm sure there's more to this than I currently know, so I'll stop
speculating on solutions there until there's some feedback on why
the current behaviour exists.  But I do think this needs to be
either far more widely advertised as an incompatible and dangerous
change, or mitigated in some better way that doesn't make things
which were working in Wheezy gain a new and subtle failure mode
for Jessie and later releases.

  Cheers,
  Ron

--- End Message ---
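The failure mode described in the report above (a script calling iptables several times, each call racing for the xtables lock, and a lost race leaving the ruleset half applied) can be contained in the script itself. The following helper is an added example, not code from the bug report or from the iptables package: every call passes `-w` so iptables blocks until the lock is free, a call that still fails with the lock message quoted in the report is retried a bounded number of times, any other error is surfaced immediately, and the ruleset function is fail-closed so the script never reports success after a skipped rule. The names `ipt`, `apply_ruleset`, `IPTABLES`, `LOCK_WAIT`, `MAX_TRIES`, `RETRY_DELAY` and `APPLY_RULES` are mine; the `-w <seconds>` form assumes an iptables of 1.6.0 or later (the 1.4.21 in the report only accepts a bare `-w`), and `IPTABLES` can point at a stub so the helper can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the iptables package:
# a helper for scripts that call iptables repeatedly, so that a lost race for
# the xtables lock does not silently skip a rule.
#
# Assumptions: an iptables that accepts "-w <seconds>" (1.6.0 or later; the
# bare "-w" of 1.4.20/1.4.21 takes no argument). IPTABLES may be overridden
# with a stub so the helper can be exercised without root or netfilter.

IPTABLES="${IPTABLES:-iptables}"   # binary to run (override for testing)
LOCK_WAIT="${LOCK_WAIT:-5}"        # seconds passed to -w
MAX_TRIES="${MAX_TRIES:-3}"        # attempts before giving up on the lock
RETRY_DELAY="${RETRY_DELAY:-1}"    # seconds between attempts

# ipt: run one iptables command, blocking on the lock with -w. Retries only
# when stderr carries the lock message quoted in the bug report; any other
# failure (bad rule, missing chain) is reported once and returned at once.
# Returns the exit status of the last attempt.
ipt() {
    _tries=0
    while :; do
        _tries=$((_tries + 1))
        _status=0
        # capture stderr, discard stdout; "|| _status=$?" keeps set -e from
        # aborting the caller at this point
        _err=$("$IPTABLES" -w "$LOCK_WAIT" "$@" 2>&1 >/dev/null) || _status=$?
        [ "$_status" -eq 0 ] && return 0
        case "$_err" in
            *"xtables lock"*)
                if [ "$_tries" -ge "$MAX_TRIES" ]; then
                    printf 'iptables %s: lock still held after %d attempts\n' \
                        "$*" "$_tries" >&2
                    return "$_status"
                fi
                sleep "$RETRY_DELAY"
                ;;
            *)
                printf 'iptables %s: %s\n' "$*" "$_err" >&2
                return "$_status"
                ;;
        esac
    done
}

# apply_ruleset: the repeated-call pattern the report describes, made
# fail-closed: the first call that fails aborts the rest, so the script never
# returns success with a half-applied ruleset. The rules themselves are a
# constructed minimal default-deny INPUT policy.
apply_ruleset() {
    ipt -P INPUT DROP                                                   || return 1
    ipt -A INPUT -i lo -j ACCEPT                                        || return 1
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   || return 1
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT || return 1
    return 0
}

# Apply only when explicitly asked (APPLY_RULES=1) and running as root.
if [ "${APPLY_RULES:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    apply_ruleset || { echo "firewall ruleset NOT fully applied" >&2; exit 1; }
fi
```

Run it as `APPLY_RULES=1 sh apply-firewall.sh` as root; a non-zero exit means at least one rule was not installed and the caller should treat the host as not yet filtered. For anything longer than a handful of rules, feeding the complete ruleset to `iptables-restore` is the more robust choice: it takes the lock once and replaces each table in a single kernel transaction, so there is no per-call window for another caller to win the lock.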
--- Begin Message ---
Source: iptables
Source-Version: 1.8.2-1

We believe that the bug you reported is fixed in the latest version of
iptables, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arturo Borrero Gonzalez <[email protected]> (supplier of updated iptables package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 15 Nov 2018 12:33:36 +0100
Source: iptables
Binary: iptables iptables-dev libxtables12 libxtables-dev libiptc0 libiptc-dev libip4tc0 libip4tc-dev libip6tc0 libip6tc-dev
Architecture: source
Version: 1.8.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Netfilter Packaging Team <[email protected]>
Changed-By: Arturo Borrero Gonzalez <[email protected]>
Description:
 iptables   - administration tools for packet filtering and NAT
 iptables-dev - transitional dummy package
 libip4tc-dev - Development files for libip4tc
 libip4tc0  - netfilter libip4tc library
 libip6tc-dev - Development files for libip6tc
 libip6tc0  - netfilter libip6tc library
 libiptc-dev - Development files for libiptc
 libiptc0   - netfilter libiptc library
 libxtables-dev - netfilter xtables library -- development files
 libxtables12 - netfilter xtables library
Closes: 816087 911899 912607 912610 912981 913088 913114 913742
Changes:
 iptables (1.8.2-1) unstable; urgency=medium
 .
   * This upstream release closes several bugs:
     Closes: #913742
     Closes: #913114
     Closes: #816087
     Closes: #913088
     Closes: #912607
     Closes: #912610
   * [0309474] New upstream version 1.8.2
   * [5d3a638] d/t/control: replace compat names with nft ones
   * [31d2d6e] d/NEWS: fix typos (Closes: #912981)
   * [b24cf92] iptables: don't ship paths served by update-alternatives
     (Closes: #911899)
   * [f5ec47b] d/patches: cherry-pick format-security_fixes_in_libip[6]t_icmp.patch
   * [2017f99] d/libxtables12.symbols: add new symbols
Checksums-Sha1:
 9bcfcdd9f0979d0db68caa4942dac4919b58b913 2699 iptables_1.8.2-1.dsc
 215c4ef4c6cd29ef0dd265b4fa5ec51a4f930c92 679858 iptables_1.8.2.orig.tar.bz2
 4fc5f0f79a1b1c5b1a231a5a4da2c36e3ea2f848 64348 iptables_1.8.2-1.debian.tar.xz
 1970a72fd294c8f9826f0e7231d799c188b75f02 9036 iptables_1.8.2-1_amd64.buildinfo
Checksums-Sha256:
 24d39c7cd9e9536c7e65b76c7e283d109684c4f25c9eefbc22be581a342f4cc9 2699 iptables_1.8.2-1.dsc
 a3778b50ed1a3256f9ca975de82c2204e508001fc2471238c8c97f3d1c4c12af 679858 iptables_1.8.2.orig.tar.bz2
 52eca8f1ea202addf1c53b77110031155cdc661abe72ba7400b6b6c0914d9044 64348 iptables_1.8.2-1.debian.tar.xz
 84b1a46d35503ec0b35e33aed7c5c0767007885757bdb7c1ba0bf30825e2e570 9036 iptables_1.8.2-1_amd64.buildinfo
Files:
 af84c8d6866471a46b1e9a8ea67c0204 2699 net important iptables_1.8.2-1.dsc
 944558e88ddcc3b9b0d9550070fa3599 679858 net important iptables_1.8.2.orig.tar.bz2
 01ce00c6a90f4683fde2447947a00de4 64348 net important iptables_1.8.2-1.debian.tar.xz
 0b6c0a4c65796c6067dc46f79e371d8f 9036 net important iptables_1.8.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---