+1 for a backport; I don't think 1.6.2 is suitable for an SRU,
specifically because of one change I noticed with the test packages that I
think can break existing firewall scripts.

The locking code is shared between tools, so in 1.6.2, not only do we
get iptables-{save,restore} with -w support, but iptables itself changes
behavior.

When a lock is held, this is the current behavior in bionic:
root@b1-iptables-restore-wait-lock:~# time iptables -L
Another app is currently holding the xtables lock; still -9s 0us time ahead to 
have a chance to grab the lock...
Another app is currently holding the xtables lock; still -19s 0us time ahead to 
have a chance to grab the lock...
Another app is currently holding the xtables lock; still -29s 0us time ahead to 
have a chance to grab the lock...

Two things:
- there is an implied -w with no value, meaning infinite wait. Perhaps 
surprising, perhaps not.
- the time countdown is negative (bug)

In 1.6.2 and later, we have:
root@b1-iptables-restore-wait-lock:~# time iptables -L
Another app is currently holding the xtables lock. Perhaps you want to use the 
-w option?

real    0m0.003s

Focal:
root@f1:~# time iptables -L
Another app is currently holding the xtables lock. Perhaps you want to use the 
-w option?

real    0m0.003s
user    0m0.004s
sys     0m0.000s
root@f1:~# iptables --version
iptables v1.8.4 (legacy)


It exits immediately. I can see this breaking existing firewall scripts that 
were up to now relying on the lock even without knowing it. They would be 
working with the bionic version, perhaps hitting the lock a few times, but with 
the updated version, as soon as the lock is hit, iptables exits. This means the 
script would have to be changed to add -w [n] to all iptables invocations, and 
I think that's unexpected for an update to an LTS release.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1791958

Title:
  iptables-restore is missing -w option

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1791958/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
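Added example, not from the bug report, the list, or the iptables project: a
firewall-script wrapper that makes the xtables lock wait explicit, so a script
behaves the same on 1.6.1 (implicit wait when -w is absent) and on 1.6.2+/1.8.x
(exit immediately when the lock is held and -w is absent), plus a reproducer for
the lock contention shown above. Assumptions, all labelled in the code: the
IPTABLES and XT_LOCK_TIMEOUT knobs and the ipt/ipt_init/demo_lock_contention
names are this example's own; the -w probe relies on "--wait" appearing in
`iptables --help`; exit status 4 is iptables' RESOURCE_PROBLEM code, which is
what it returns when it cannot take the lock; /run/xtables.lock is the default
lock file path flock'ed by iptables 1.6 and later.

```shell
#!/bin/sh
# Added example (not from the bug report or the iptables project): make the
# xtables lock wait explicit in a firewall script, so it behaves the same on
# iptables 1.6.1 (implicit wait when no -w is given) and 1.6.2+/1.8.x
# (exit immediately when the lock is held and no -w is given).
#
# Assumptions: IPTABLES and XT_LOCK_TIMEOUT are this script's own knobs; the
# -w probe relies on "--wait" appearing in `iptables --help`; exit status 4 is
# iptables' RESOURCE_PROBLEM code, returned when the lock cannot be taken;
# /run/xtables.lock is the default lock file (XT_LOCK_NAME) for iptables 1.6+;
# the installed iptables accepts -w with a seconds value.

IPTABLES="${IPTABLES:-iptables}"          # binary to use (overridable for tests)
XT_LOCK_TIMEOUT="${XT_LOCK_TIMEOUT:-10}"  # seconds to wait for the lock
XT_EXIT_RESOURCE=4                        # iptables exit status: lock/resource failure
IPT_HAVE_WAIT=no

# Probe whether this iptables understands -w. Older builds reject it as an
# unknown option, so passing it blindly would break every rule on them.
ipt_supports_wait() {
    "$IPTABLES" --help 2>&1 | grep -q -- '--wait'
}

ipt_init() {
    if ipt_supports_wait; then IPT_HAVE_WAIT=yes; else IPT_HAVE_WAIT=no; fi
}

# Wrapper every rule goes through. Adds -w <timeout> when supported and keeps
# the two failure classes apart in the log: lock contention (retryable, exit 4)
# versus a rejected rule (a real script bug, any other non-zero status).
ipt() {
    if [ "$IPT_HAVE_WAIT" = yes ]; then
        set -- -w "$XT_LOCK_TIMEOUT" "$@"
    fi
    "$IPTABLES" "$@"
    ipt_rc=$?
    if [ "$ipt_rc" -eq "$XT_EXIT_RESOURCE" ]; then
        echo "ipt: could not take the xtables lock within ${XT_LOCK_TIMEOUT}s: $IPTABLES $*" >&2
    elif [ "$ipt_rc" -ne 0 ]; then
        echo "ipt: rule rejected (exit $ipt_rc): $IPTABLES $*" >&2
    fi
    return "$ipt_rc"
}

# Reproducer for the behaviour change in the report: hold the lock from another
# process with flock(1), then run iptables without and with -w. Needs root and
# a real iptables. On 1.6.2+ the bare call exits 4 at once; the -w call waits
# for the holder to finish and succeeds. Returns 0 when that is what happened.
demo_lock_contention() {
    lock="${XT_LOCK_FILE:-/run/xtables.lock}"   # assumed default lock path
    [ "$(id -u)" -eq 0 ] || { echo "demo needs root" >&2; return 2; }
    flock "$lock" sleep 3 &                     # holder keeps the lock for 3 s
    holder=$!
    sleep 1
    "$IPTABLES" -L -n >/dev/null 2>&1; bare=$?
    "$IPTABLES" -w "$XT_LOCK_TIMEOUT" -L -n >/dev/null 2>&1; waited=$?
    echo "without -w: exit $bare   with -w $XT_LOCK_TIMEOUT: exit $waited"
    wait "$holder"
    [ "$bare" -eq "$XT_EXIT_RESOURCE" ] && [ "$waited" -eq 0 ]
}

ipt_init
```

In a script, replace each `iptables ...` with `ipt ...` and treat exit 4 as
"retry later" rather than as a broken rule; under `set -e` the wrapper still
aborts the script on either failure, which is the safe default for a firewall
loader.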