Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp517206pxj; Thu, 13 May 2021 10:10:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzcw1IKRxjXcaK0U80VmuYaGsC80A0cWV90n0vRHAJHn8/4ybOjcO4VOKLIwNt0eyNP2eEc X-Received: by 2002:a05:6402:2064:: with SMTP id bd4mr14968387edb.96.1620925831290; Thu, 13 May 2021 10:10:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620925831; cv=none; d=google.com; s=arc-20160816; b=IaJdZMFhMmSmXmv9E5q0VG8biGXT200ixa3apOS59SE+3ihRc+1PuEnK5f5N3tUOFD Q1Ukm5/Ju1/q7M8X7GTY47xUZWjN2IA7RNQUPM2lTmsjT5PrPy9Kn3CD/wzbinx9yyTp KBfrjnZWzjWQq+EECB6FMq8w+ar1+GtU/Wnp+VtM3W7EETvg4PpqYwt1MrMMKRDHBTr4 HTT7JgzK97YTsg7Nnkhz5/hU132mqcKmf46Dcx7yV/+4A/5mJlMebgJA7O4ZKEKayrkp MVL9ZXrIQnPZKzFL3UL+wtfo6cbAG8/E33M5WHBWYC5wEV5/1Rs4FoICVCAhvgdCmQDf XtrQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:mail-followup-to:message-id:subject:cc:to :from:date; bh=xgLn8zdyN58S296DjFMknJwq1FUOME0ImFZPikiZhO8=; b=d2ok3Klc1lEqz/OgRzEwdsAdriaEgNHoUxtjlQkHeTrHaVeNMunW4axjNKss4BnPgN 42PWnfPkVlCXNMKyoTr9wHRlbksb135caGSA6vHKK7a8EdWQc+fk+IxY/wR/RUcQUJRb 8+djN+kDCtPpqDXj0TeJmzX7fokqib63UkwyKUTbwW6tVDHJl76mtJoPMxvSF29gEH7C GgkOX6rGWssjtAP/h2pPsstvrdIWbICj46JMmPKpbAh6Ns4lb2k9zaW4yu24m8ZE1A2o ZE0/dz5sa3mkvMznUCNNhZ9c//oGkhVnjrZAmo5oLTi2WJEIOloURNL62xVsr8AMWwcC Nvyw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dp7si3500523ejc.35.2021.05.13.10.10.05; Thu, 13 May 2021 10:10:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230223AbhEMRJo (ORCPT + 99 others); Thu, 13 May 2021 13:09:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50756 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230151AbhEMRJk (ORCPT ); Thu, 13 May 2021 13:09:40 -0400 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 74BC9C06175F; Thu, 13 May 2021 10:08:27 -0700 (PDT) Received: from n0-1 by orbyte.nwl.cc with local (Exim 4.94.2) (envelope-from ) id 1lhEow-00029d-BN; Thu, 13 May 2021 19:08:22 +0200 Date: Thu, 13 May 2021 19:08:22 +0200 From: Phil Sutter To: Pablo Neira Ayuso Cc: Dexuan Cui , "'netfilter-devel@vger.kernel.org'" , "'netdev@vger.kernel.org'" , Stephen Hemminger , Haiyang Zhang , "'linux-kernel@vger.kernel.org'" Subject: Re: netfilter: iptables-restore: setsockopt(3, SOL_IP, IPT_SO_SET_REPLACE, "security...", ...) return -EAGAIN Message-ID: <20210513170822.GA3673@orbyte.nwl.cc> Mail-Followup-To: Phil Sutter , Pablo Neira Ayuso , Dexuan Cui , "'netfilter-devel@vger.kernel.org'" , "'netdev@vger.kernel.org'" , Stephen Hemminger , Haiyang Zhang , "'linux-kernel@vger.kernel.org'" References: <20210513094047.GA24842@salvia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210513094047.GA24842@salvia> Sender: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On Thu, May 13, 2021 at 11:40:47AM +0200, Pablo Neira Ayuso wrote: > On Thu, May 13, 2021 at 06:19:38AM +0000, Dexuan Cui wrote: > > > From: Dexuan Cui > > > Sent: Wednesday, May 12, 2021 11:02 PM > > > > BTW, I found a similar report in 2019: > > > > " > > https://serverfault.com/questions/101022/error-applying-iptables-rules-using-iptables-restore > > I stumbled upon this issue on Ubuntu 18.04. The netfilter-persistent > > service failed randomly on boot while working ok when launched manually. > > Turned out it was conflicting with sshguard service due to systemd trying > > to load everything in parallel. What helped is to setting > > ENABLE_FIREWALL=0 in /etc/default/sshguard and then adding sshguard chain > > and rule manually to /etc/iptables/rules.v4 and /etc/iptables/rules.v6. > > " > > > > The above report provided a workaround. > > There's -w and -W to serialize ruleset updates. You could follow a > similar approach from userspace if you don't use iptables userspace > binary. My guess is the xtables lock is not effective here, so waiting for it probably won't help. Dexuan, concurrent access is avoided in user space using a file-based lock. So if multiple iptables(-restore) processes run in different mount-namespaces, they might miss the other's /run/xtables.lock. Another option would be if libiptc is used instead of calling iptables, but that's more a shot in the dark - I don't know if libiptc doesn't support obtaining the xtables lock. > > I think we need a real fix. > > iptables-nft already fixes this. nftables (and therefore iptables-nft) implement transactional logic in kernel, user space automatically retries if a transaction's commit fails. Cheers, Phil