iptables 1.6.1 fails to acquire a lock because /run/ does not exist
Username: Charlemagne Lasse
Origin: https://bugs.openwrt.org/index.php?do=details&task_id=943
Just flashed a device with the current snapshot of LEDE (https://downloads.lede-project.org/snapshots/targets/ar71xx/generic/; r4657-bb4d5006). Then I wanted to use locking with iptables but noticed that the lock was just not working:
root@LEDE:/# strace iptables -w -L
...
open("/run/xtables.lock", O_RDONLY|O_CREAT|O_LARGEFILE, 0600) = -1 ENOENT (No such file or directory)
socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 3
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
getsockopt(3, SOL_IP, IPT_SO_GET_INFO, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
...
The lock was basically ignored and the socket was opened without the lock being held. The package is missing the following things:
- change https://git.netfilter.org/iptables/commit/?id=836846f0d747e1be8e37d2d43b215a68b30ea1a9
- change https://git.netfilter.org/iptables/commit/?id=b91af533f4da15854893ba5cc082e1df6bcf9a97
- change https://git.netfilter.org/iptables/commit/?id=80d8bfaac9e2430d710084a10ec78e68bd61e6ec
- iptables Makefile change to add the following configure option: --xt-lock-name=/var/lock/xtables.lock
It is not safe to use multiple (writing) iptables processes without locking. It is therefore a rather big problem that it is broken at the moment.