<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Regression: iptables lock is now waited for without --wait"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1728">1728</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Regression: iptables lock is now waited for without --wait
</td>
</tr>
<tr>
<th>Product</th>
<td>iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>1.8.x
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>unknown
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>howardjohn@google.com
</td>
</tr></table>
<p>
<div>
<pre>Iptables 1.8.8 contains a (seemingly) unexpected behavioral change in the lock
waiting logic. This was introduced in commit
07e2107ef0cbc1b81864c3c0f0ef297a9dfff44d, "xshared: Implement xtables lock
timeout using signals".

Prior to this commit, without --wait the command would exit immediately if the
lock could not be acquired. After this commit, the command will wait
indefinitely for the lock if --wait is not set.

This can be demonstrated by intentionally taking the lock and running various
iptables commands against it.

For all cases I run:

    sudo flock /run/xtables.lock sleep 10 &

followed by a random iptables command:

    sudo ./iptables/xtables-legacy-multi iptables -t nat -A blah

- On iptables from the HEAD of master (f5cf76626d95d2c491a80288bccc160c53b44e88),
  the command waits 10s.
- On iptables 1.8.7, the command fails immediately with "Another app is currently
  holding the xtables lock".
- On master with 07e2107ef0cbc1b81864c3c0f0ef297a9dfff44d reverted, the command
  fails immediately as well.</pre>
</div>
</p>
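<p>The reproduction described in the report can be scripted so the result is a verdict rather than a judgment by eye. This is an added example, not code from the report or from iptables; the function name <code>probe_lock</code> and its verdict strings are hypothetical, and it assumes flock(1) from util-linux is installed.</p>
<pre>
```shell
#!/bin/sh
# Added example, not code from the bug report or from iptables.
# probe_lock LOCKFILE HOLD_SECONDS CMD [ARG...]
# Takes an exclusive flock on LOCKFILE for HOLD_SECONDS, runs CMD while the
# lock is held, and prints how CMD reacted:
#   fails-fast  CMD exited non-zero while the lock was still held
#   waited      CMD only returned after the holder released the lock
#   ignored     CMD exited zero while the lock was still held
# HOLD_SECONDS must be longer than CMD normally takes to run.
probe_lock() {
    lockfile=$1
    hold=$2
    shift 2

    flock "$lockfile" sleep "$hold" &
    holder=$!

    # Wait until the holder owns the lock: a non-blocking attempt must fail.
    tries=0
    while flock -n "$lockfile" true 2>/dev/null; do
        tries=$((tries + 1))
        if [ "$tries" -ge 50 ]; then
            echo "holder-never-locked"
            return 2
        fi
        sleep 0.1
    done

    rc=0
    "$@" >/dev/null 2>&1 || rc=$?

    # If the lock is still held now, CMD came back without waiting for it.
    if flock -n "$lockfile" true 2>/dev/null; then
        verdict=waited
    elif [ "$rc" -ne 0 ]; then
        verdict=fails-fast
    else
        verdict=ignored
    fi

    wait "$holder" || true
    echo "$verdict"
}

# As root, with the lock path and command taken from the report:
#   probe_lock /run/xtables.lock 10 iptables -t nat -A blah
if [ "$#" -ge 3 ]; then
    probe_lock "$@"
fi
```
</pre>
<p>Going by the report, a 1.8.7 binary should come back <code>fails-fast</code> and a build containing the commit should come back <code>waited</code>.</p>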
</body>
</html>