From 871c18f3579af7d1f8c35030a6c0b67db2d057a5 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 28 Mar 2018 16:47:31 +0200
Subject: [iptables-helper] Better locking to prevent races

Better... not good

Closes #3349
---
 .../etc/systemd/system/openslx-iptables.service | 1 +
 .../opt/openslx/iptables/iptables-reloader-worker | 33 ++++++++++++----------
 2 files changed, 19 insertions(+), 15 deletions(-)
 (limited to 'core/modules/iptables-helper')

diff --git a/core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service b/core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
index ef88cf69..59e8eabe 100644
--- a/core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
+++ b/core/modules/iptables-helper/data/etc/systemd/system/openslx-iptables.service
@@ -3,4 +3,5 @@ Description=OpenSLX iptables helper
 [Service]
 ExecStart=/opt/openslx/iptables/iptables-reloader
+Restart=on-failure
diff --git a/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
index 4ee3ac8a..0c8277a2 100755
--- a/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
+++ b/core/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
@@ -8,18 +8,19 @@
 ALL_RULES="/run/iptables-reloader.cache"
 LOCK="/run/iptables-reloader.lock"
+WAIT="/run/iptables-reloader.wait"
-# Expects $1 to be the contents of $LOCK
+# Expects $1 to be the PID/ID
 reload_rules () {
-	if [ -z "$1" -o ! -s "$LOCK" ]; then
-		echo "'$1' empty or lock non-existent"
-		exit 0
-	fi
 	sleep 2
-	if [ "x$(cat "$LOCK")" != "x$1" ]; then
-		echo "Wrong lock, lost race"
-		exit 0
-	fi
+	ctr=0
+	while ! mkdir "$WAIT" &> /dev/null && [ "$ctr" -lt 5 ]; do
+		echo "$1 WAITLOOP"
+		sleep 1
+		ctr=$(( ctr + 1 ))
+	done
+	rm -rf -- "$LOCK"
+	echo "$1 RUN"
 	rm -f -- "${ALL_RULES}.new"
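Review bot: The wait loop gives up after five failed `mkdir "$WAIT"` attempts and the function then continues into the rule rebuild without owning `$WAIT`, so a second worker can apply rules concurrently with one that is still running, and the `rm -rf -- "$WAIT"` in the NOCHANGE and DONE paths of the later hunks then removes a directory the other worker still holds. If the fallthrough is meant as an escape from a stale `$WAIT` left by a killed worker, make it visible in the journal rather than silent: after `done`, add `[ "$ctr" -ge 5 ] && echo "$1 WAIT TIMEOUT, proceeding without $WAIT"`. The header comment could also state what the two directories mean, e.g. `# $LOCK: a reload is scheduled (debounce window); $WAIT: a reload is currently applying rules`, since the old comment's meaning of `$LOCK` no longer holds. The body of reload_rules continues outside this hunk.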
@@ -30,7 +31,8 @@ reload_rules () {
 	# No change? Do nothing...
 	if [ -s "${ALL_RULES}" ] && [ -s "${ALL_RULES}.new" ] && diff "${ALL_RULES}" "${ALL_RULES}.new"; then
-		rm -f -- "${ALL_RULES}.new"
+		echo "$1 NOCHANGE"
+		rm -rf -- "${ALL_RULES}.new" "$WAIT"
 		exit 0
 	fi
@@ -102,14 +104,15 @@ reload_rules () {
 	mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
 	echo "iptables rules successfully updated."
-	rm -f -- "$LOCK"
+	rm -rf -- "$WAIT"
+	echo "$1 DONE"
 	exit 0
 }
-
-ID="$$+$RANDOM"
-echo "$ID" > "$LOCK"
-reload_rules "$ID" &
+echo "$$ INOTIFY"
+if mkdir "$LOCK" &> /dev/null; then
+	reload_rules "$$" &
+fi
 exit 0
-- 
cgit v1.2.3-55-g7522
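Review bot: The `if mkdir "$LOCK"` gate at the bottom never recovers from a stale lock directory: `$LOCK` is only removed inside reload_rules after the 2 s sleep and the wait loop, so a backgrounded worker killed in that window leaves the directory in /run and every later invocation silently skips the reload until the next boot. The `Restart=on-failure` added to openslx-iptables.service in this commit makes that window more likely to be hit, since a unit restart with the default KillMode would also terminate the worker if it runs inside the service's cgroup (which I infer from the worker being spawned by the ExecStart process). Consider clearing stale state when the reloader starts, e.g. `ExecStartPre=/bin/rm -rf /run/iptables-reloader.lock /run/iptables-reloader.wait` in the unit, and make the skip observable in the worker with an `else echo "$$ SKIP, reload already pending"` branch so a stuck lock shows up in the journal instead of as a mysteriously unchanged ruleset.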