Package: bastille
Version: 1:3.0.9-13
Tags: patch

I attach a patch for bastille-firewall that solves the lock-file issue
by reworking the way the lock is used. I have tested it with
bastille 1:3.0.9-12 on my ubuntu machine and the modified version works
as expected.

As a side note, during testing I was able to manually (from my command
prompt) start up to five runs of the script before the first instance
had finished. Thus, independently of whether this patch is accepted,
the protection of the firewall script against concurrent execution
should be addressed.

regards
George Zarkadas
--- a/bastille-3.0.9/bastille-firewall
+++ b/bastille-3.0.9/bastille-firewall
@@ -60,13 +60,18 @@ clean_exit()
 
 [ ! -d /var/lock ] && mkdir -m 0755 /var/lock
 
-mkdir -m 0700 ${LOCKDIR} 2>/dev/null
-if [ $? -ne 0 ]; then
-  if [ -n "${BASTILLE_FWALL_QUIET_FAIL}" ]; then exit 0; fi
-  echo "ERROR: bastille-firewall currently being reset or lock is stuck."
-  echo "To un-stick, remove the directory ${LOCKDIR}"
-  exit 1
-fi
+# The usage of a lock-file inside a lock-dir plus the rmdir in clean_exit
+# suggests that lock-dir is intended to be shared by multiple bastille
+# components.
+# Thus it would be best to create it unconditionally as its parent, and
+# complain only if start|reload|restart is requested and lock-file existed.
+# But since in those modes we currently simply touch the lock-file, then 
+# it is useless that way.
+# Thus, set lock-file while REALSCRIPT is running, to prevent corruption 
+# of ipchains/iptables rules chain from concurrent access of multiple 
+# REALSCRIPT processes.
+
+[ ! -d ${LOCKDIR} ] && mkdir -m 0700 ${LOCKDIR} 2>/dev/null
 
 if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then
        # We are using Linux 2.3 or newer; use the netfilter script if available
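Review bot: The exit status of the `mkdir` on the new line `[ ! -d ${LOCKDIR} ] && mkdir -m 0700 ${LOCKDIR} 2>/dev/null` is discarded, so when ${LOCKDIR} cannot be created the script carries on, the later `touch ${LOCKFILE}` in invoke_realscript fails quietly, and REALSCRIPT runs with no lock at all. Before the patch a failing mkdir was itself the exclusion check; now that the directory is created unconditionally as a shared parent, its failure should be reported instead of hidden, e.g. `mkdir -m 0700 "${LOCKDIR}" 2>/dev/null || [ -d "${LOCKDIR}" ] || { echo "ERROR: cannot create ${LOCKDIR}" >&2; exit 1; }`. The eleven-line comment above it would read better reduced to the conclusion it reaches (LOCKDIR is shared between components; LOCKFILE is held only while REALSCRIPT runs), with the "it would be best / but since" reasoning left to the changelog.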
@@ -80,18 +85,36 @@ if [ ! -x ${REALSCRIPT} ]; then
        clean_exit 1
 fi
 
-${REALSCRIPT} "$1"
-bretval=$?
+# This function invokes REALSCRIPT while handling lock-file
+#
+invoke_realscript ()
+{
+       if [ -f ${LOCKFILE} ]; then
+               if [ -n "${BASTILLE_FWALL_QUIET_FAIL}" ]; then exit 0; fi
+               echo "ERROR: bastille-firewall currently running or lock is stuc
+               echo "To un-stick, remove the lock ${LOCKFILE}"
+               exit 1
+       fi
+       touch ${LOCKFILE}
+       ${REALSCRIPT} "$1"
+       bretval=$?
+       rm -f ${LOCKFILE}
+       return $bretval
+}
 
 # Use "subsys" locks to indicate our status
 case "$1" in 
   start|restart|reload)
-    if [ $bretval -eq 0 ]; then touch ${LOCKFILE}; fi
-    ;;
+       invoke_realscript "$1"
+       clean_exit $?
+       ;;
   stop)
-    rm -f ${LOCKFILE}
-    ;;
+       invoke_realscript "$1"
+       clean_exit $?
+       ;;
+  *)
+       echo "Usage: bastille-firewall {start|stop|restart|reload}" >&2
+       clean_exit 3
+       ;;
 esac
 
-clean_exit $bretval
-
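Review bot: The `if [ -f ${LOCKFILE} ]` test followed by `touch ${LOCKFILE}` in invoke_realscript is not atomic, so two instances started close together can both pass the test before either creates the file and run REALSCRIPT concurrently — the very situation the report's side note describes, and which the original `mkdir ${LOCKDIR}` (a single create-or-fail syscall) did prevent. Creating the file with noclobber (`set -C; : > "${LOCKFILE}"`) gives the same create-or-fail guarantee in POSIX sh; the failure of `touch` is also unchecked, so a lock that cannot be written is silently skipped. Nothing removes the file if REALSCRIPT is interrupted by a signal, which is exactly the "lock is stuck" case the error message warns about; a trap on EXIT/INT/TERM covers it (if the script already installs traps elsewhere, merge rather than replace them). Separately, the retained comment `# Use "subsys" locks to indicate our status` is now stale: the lock file is removed after every run, including start, so it no longer indicates whether the firewall is up — either update the comment or keep a distinct status file if anything else reads ${LOCKFILE} for that purpose.
```shell
invoke_realscript ()
{
       # noclobber makes ">" fail if the file already exists, so the
       # existence test and the creation are one operation: two
       # concurrent runs cannot both acquire the lock.
       if ! ( set -C; : > "${LOCKFILE}" ) 2>/dev/null; then
               # … unchanged: BASTILLE_FWALL_QUIET_FAIL check and error messages …
               exit 1
       fi
       # Release the lock even if REALSCRIPT is interrupted by a signal.
       trap 'rm -f "${LOCKFILE}"' EXIT INT TERM
       ${REALSCRIPT} "$1"
       bretval=$?
       rm -f "${LOCKFILE}"
       trap - EXIT INT TERM
       return $bretval
}
```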

