author | Narayan Kamath <narayan@google.com> | 2017-01-06 19:14:03 +0000 |
---|---|---|
committer | Narayan Kamath <narayan@google.com> | 2017-01-23 13:25:10 +0000 |
commit | d2a1e52615058ef55b65db02aa5e4ad21b635ef0 (patch) | |
tree | 2867e9a1db9cdefc87350cc09015c00579312118 /iptables/iptables-restore.c | |
parent | ab2b45c96572c15c3bcb4a6ae81449312f4800bf (diff) | |
iptables: Change locking semantics.
Instead of acquiring a lock before we parse any commands and
holding on to it until the process terminates, we now acquire
the lock when a new table handle is created (on encountering
'*') and release the lock when the table is committed
(COMMIT). The "-w" option continues to apply.
Note that support for -w in iptables[6]-restore has not been
sent upstream yet, so this patch should be sent at the same time
as that one.
Bug: 32323979
Test: manual
Signed-off-by: Narayan Kamath <narayan@google.com>
Change-Id: I10094290eff834e076bb03d53e40eae9b96c1fae
Diffstat (limited to 'iptables/iptables-restore.c')
-rw-r--r-- | iptables/iptables-restore.c | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 4d49b3c9..a41a46d3 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -185,7 +185,7 @@ iptables_restore_main(int argc, char *argv[])
 {
 struct xtc_handle *handle = NULL;
 char buffer[10240];
- int c;
+ int c, lock;
 char curtable[XT_TABLE_MAXNAMELEN + 1];
 FILE *in;
 int in_table = 0, testing = 0;
@@ -193,6 +193,7 @@ iptables_restore_main(int argc, char *argv[])
 const struct xtc_ops *ops = &iptc_ops;
 line = 0;
+ lock = XT_LOCK_NOT_ACQUIRED;
 iptables_globals.program_name = "iptables-restore";
 c = xtables_init_all(&iptables_globals, NFPROTO_IPV4);
@@ -254,12 +255,6 @@ iptables_restore_main(int argc, char *argv[])
 }
 else in = stdin;
- if (!xtables_lock(wait)) {
- fprintf(stderr, "Another app is currently holding the xtables lock. "
- "Perhaps you want to use the -w option?\n");
- exit(RESOURCE_PROBLEM);
- }
-
 /* Grab standard input. */
 while (fgets(buffer, sizeof(buffer), in)) {
 int ret = 0;
@@ -283,8 +278,21 @@ iptables_restore_main(int argc, char *argv[])
 DEBUGP("Not calling commit, testing\n");
 ret = 1;
 }
+
+ /* Release the lock since we're done with the current table. */
+ if (lock >= 0) {
+ xtables_unlock(lock);
+ }
 in_table = 0;
 } else if ((buffer[0] == '*') && (!in_table)) {
+ /* Acquire a lock before we create a new table handle */
+ lock = xtables_lock(wait);
+ if (lock == XT_LOCK_BUSY) {
+ fprintf(stderr, "Another app is currently holding the xtables lock. "
+ "Perhaps you want to use the -w option?\n");
+ exit(RESOURCE_PROBLEM);
+ }
+
 /* New table */
 char *table; |
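Review bot: The new check in the `'*'` branch only handles `XT_LOCK_BUSY`, so any other negative return from `xtables_lock(wait)` (the `lock >= 0` test at COMMIT suggests such values exist) lets the table be built and committed with no lock held and no message; if that fallback is intended, it should say so in a comment, otherwise it should fail closed. Because the lock is now taken per table, the `exit(RESOURCE_PROBLEM)` here can fire after earlier tables in the same input were already committed, leaving the ruleset partially restored, which the old up-front lock could not do. I would document that next to the exit, e.g. `/* Tables committed earlier in this input stay applied if we exit here. */`, and include `line` in the error message so the failing table can be identified. After `xtables_unlock(lock);` I would also add `lock = XT_LOCK_NOT_ACQUIRED;` so a stale value can never be unlocked twice. The COMMIT condition and the rest of the loop body are outside the hunk, so whether `in_table` already rules that out cannot be confirmed from here.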