Send connman mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.01.org/mailman/listinfo/connman
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]



Today's Topics:

   1. [PATCH] iptables: Recover from commit errors. (Jussi Laakkonen)


----------------------------------------------------------------------

Message: 1
Date: Fri, 14 Dec 2018 11:50:29 +0200
From: Jussi Laakkonen <[email protected]>
To: [email protected]
Subject: [PATCH] iptables: Recover from commit errors.
Message-ID: <[email protected]>

This commit changes the error handling in __connman_iptables_commit() if
iptables_replace() fails. In order to be able to use iptables after
committing invalid content it is safest to drop the table content and
make iptables.c re-initialize when new changes are made.

On some systems it may result in a situation where a single failure,
e.g., ELOOP when removing a managed rule that still has rule references,
prevents further changes to iptables. By resetting to previous state in
case of error this can be avoided.
---
 src/iptables.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/iptables.c b/src/iptables.c
index 305a553f..4876d946 100644
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -3745,8 +3745,15 @@ int __connman_iptables_commit(int type, const char 
*table_name)
 
        err = iptables_replace(table, &repl);
 
+       /*
+        * Commit errors are not recoverable, remove table so with next change
+        * the contents for the table is re-initialized. This will make it
+        * possible to ignore the last changes that were invalid and cannot be
+        * committed. Then more commits can be made as the table content is
+        * updated from iptables when next change is done.
+        */
        if (err < 0)
-               goto out_free;
+               goto out_hash_remove;
 
        counters = g_try_malloc0(sizeof(*counters) +
                        sizeof(struct xt_counters) * table->num_entries);
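Review bot: the new `goto out_hash_remove` on `iptables_replace()` failure drops the cached table for every error code, not only the ELOOP case the commit message describes, so a transient failure also discards all rules that were staged in memory but not yet committed; the caller only learns this through the returned `err`, so it should be stated in the comment (and ideally logged) that every pending change for `table_name` is lost and must be re-applied after a failed commit, otherwise a caller that ignores the return value will believe a rule is in place when the kernel never accepted it. The comment itself should also be tightened and corrected ("the contents for the table is re-initialized" should read "the table contents are re-initialized"), e.g. "Commit errors are not recoverable: drop the cached table so that the next change re-reads it from the kernel and the rejected changes are discarded."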
@@ -3782,7 +3789,7 @@ int __connman_iptables_commit(int type, const char 
*table_name)
 
 out_hash_remove:
        hash_table_remove(type, table_name);
-out_free:
+
        if (type == AF_INET && repl.r)
                g_free(repl.r->counters);
 
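Review bot: removing the `out_free:` label is only safe if no other `goto out_free` remains in `__connman_iptables_commit()`; the diff replaces just one such jump, so please confirm the rest of the function (not visible in this hunk) has no other reference, and that nothing on the `out_hash_remove` path now touches `counters`, which is still unallocated when the new early jump is taken. Since the error path now always runs `hash_table_remove(type, table_name)` before `g_free(repl.r->counters)`, it would also help to confirm that `hash_table_remove()` does not already free `repl.r` or its counters, to avoid a double free on the failure path.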
-- 
2.19.2



------------------------------

End of connman Digest, Vol 38, Issue 5
**************************************