author | Simon Rettberg | 2018-03-28 16:47:31 +0200 |
---|---|---|
committer | Simon Rettberg | 2018-03-28 16:47:31 +0200 |
commit | 871c18f3579af7d1f8c35030a6c0b67db2d057a5 (patch) | |
tree | 72e87502a775cab64775f528ed1877fa563324fa | |
parent | [vbox-src] replace old placeholder names (diff) | |
download | mltk-871c18f3579af7d1f8c35030a6c0b67db2d057a5.tar.gz mltk-871c18f3579af7d1f8c35030a6c0b67db2d057a5.tar.xz mltk-871c18f3579af7d1f8c35030a6c0b67db2d057a5.zip |
[iptables-helper] Better locking to prevent races
Better... not good
Closes #3349
-rw-r--r-- | core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service | 1 | ||||
-rwxr-xr-x | core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker | 33 |
2 files changed, 19 insertions, 15 deletions
diff --git a/core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service b/core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
index ef88cf69..59e8eabe 100644
--- a/core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
+++ b/core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
@@ -3,4 +3,5 @@ Description=OpenSLX iptables helper
 [Service]
 ExecStart=/opt/openslx/iptables/iptables-reloader
+Restart=on-failure
diff --git a/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
index 4ee3ac8a..0c8277a2 100755
--- a/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
+++ b/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
@@ -8,18 +8,19 @@
 ALL_RULES="/run/iptables-reloader.cache"
 LOCK="/run/iptables-reloader.lock"
+WAIT="/run/iptables-reloader.wait"
-# Expects $1 to be the contents of $LOCK
+# Expects $1 to be the PID/ID
 reload_rules () {
-	if [ -z "$1" -o ! -s "$LOCK" ]; then
-		echo "'$1' empty or lock non-existent"
-		exit 0
-	fi
 	sleep 2
-	if [ "x$(cat "$LOCK")" != "x$1" ]; then
-		echo "Wrong lock, lost race"
-		exit 0
-	fi
+	ctr=0
+	while ! mkdir "$WAIT" &> /dev/null && [ "$ctr" -lt 5 ]; do
+		echo "$1 WAITLOOP"
+		sleep 1
+		ctr=$(( ctr + 1 ))
+	done
+	rm -rf -- "$LOCK"
+	echo "$1 RUN"
 	rm -f -- "${ALL_RULES}.new"
@@ -30,7 +31,8 @@ reload_rules () {
 	# No change? Do nothing...
 	if [ -s "${ALL_RULES}" ] && [ -s "${ALL_RULES}.new" ] && diff "${ALL_RULES}" "${ALL_RULES}.new"; then
-		rm -f -- "${ALL_RULES}.new"
+		echo "$1 NOCHANGE"
+		rm -rf -- "${ALL_RULES}.new" "$WAIT"
 		exit 0
 	fi
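Review bot: The wait loop in reload_rules falls through after five failed `mkdir "$WAIT"` attempts and continues into `rm -rf -- "$LOCK"` and RUN without ever having acquired $WAIT, so a timed-out worker performs the reload concurrently with whoever holds the directory and, on the NOCHANGE path in the next hunk and the DONE path in the last hunk, deletes that other worker's $WAIT out from under it. Ownership should be tracked explicitly, and because the backgrounded function runs in its own subshell, an EXIT trap installed right after a successful mkdir releases $WAIT on every exit path — including any error exits in the part of reload_rules between these hunks that is not visible here — instead of only on NOCHANGE and DONE, which is otherwise the gap that leaves a stale $WAIT behind when a step fails. With the trap in place the explicit `"$WAIT"` arguments on the two later rm lines can be dropped, and `ctr` should be `local`. The body of reload_rules continues outside the hunk.

```shell
reload_rules () {
	sleep 2
	local ctr=0 have_wait=0
	while :; do
		if mkdir "$WAIT" &> /dev/null; then
			have_wait=1
			break
		fi
		[ "$ctr" -lt 5 ] || break
		echo "$1 WAITLOOP"
		sleep 1
		ctr=$(( ctr + 1 ))
	done
	if [ "$have_wait" = 1 ]; then
		# We own $WAIT: release it on every exit path, not only NOCHANGE/DONE
		trap 'rm -rf -- "$WAIT"' EXIT
	else
		# Never acquired $WAIT: another reload may still be running, so do not
		# delete its directory later on; make the unlocked run visible in the log
		echo "$1 TIMEOUT: $WAIT still held, running unlocked"
	fi
	rm -rf -- "$LOCK"
	echo "$1 RUN"
	# … unchanged: rule collection, NOCHANGE check (drop "$WAIT" from its rm), apply, DONE (drop the rm -rf "$WAIT") …
```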
@@ -102,14 +104,15 @@ reload_rules () {
 	mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
 	echo "iptables rules successfully updated."
-	rm -f -- "$LOCK"
+	rm -rf -- "$WAIT"
+	echo "$1 DONE"
 	exit 0
 }
-
-ID="$$+$RANDOM"
-echo "$ID" > "$LOCK"
-reload_rules "$ID" &
+echo "$$ INOTIFY"
+if mkdir "$LOCK" &> /dev/null; then
+	reload_rules "$$" &
+fi
 exit 0
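Review bot: The new guard `if mkdir "$LOCK" &> /dev/null` discards the event silently when $LOCK already exists, and nothing in this file restores a sane state if the worker that created $LOCK dies before reaching `rm -rf -- "$LOCK"` (for instance when the service is stopped during its `sleep 2`); /run survives until reboot, so every later event would then be dropped, and the `Restart=on-failure` added to the unit file cannot recover from that because the worker itself always exits 0. Either the reloader that presumably spawns this script per inotify event (not part of this diff) should clear $LOCK and $WAIT on startup, or the skipped branch should at least be logged so the condition is diagnosable, e.g. `else echo "$$ SKIP: $LOCK held"`. The `echo "$$ INOTIFY"` line also logs nothing beyond the PID; if it is meant as a trace marker, naming the event or the path that triggered it would make the log useful.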