From: Shaun Crampton <shaun@cantab.net>
To: Jan Engelhardt <jengelh@inai.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: Concurrent iptables-restore calls clobberring each other
Date: Thu, 9 Feb 2017 14:39:01 +0000 [thread overview]
Message-ID: <CAB3ewxNX=DegAesrqjb8_7q9-ghHcW-Pr7-LAYfqWX+5E9EqvQ@mail.gmail.com> (raw)
In-Reply-To: <CAB3ewxN62EQgdg1LTCyodOA+xA=SibM=khWpjp3ptzTKpBTw0A@mail.gmail.com>
> Is there any protection built into the protocol to prevent concurrent
> writes from clobbering each other?
Ah, I think I see the reason for the behaviour that I'm seeing. It looks
like the kernel does check that the number of entries in the table hasn't
changed since the data was read [1] That explains why the unrelated rule
change in my second script causes the COMMIT to fail.
[1] https://github.com/torvalds/linux/blob/master/net/ipv4/netfilter/ip_tables.c#L1033
On 4 February 2017 at 08:53, Shaun Crampton <shaun@cantab.net> wrote:
>> This is by design; the RMW cycle in principle also affects the "slower"
>> iptables - which is why it is slower, because it does only one rule per cycle.
>
> Thanks for the response. I understand that the RMW is by design. Is there
> any protection built into the protocol to prevent concurrent writes from
> clobbering each other? I thought I'd read that there was a "version"
> on the read
> that let the kernel spot if a write was stale.
>
> My second script acts as if there is; the commits of the "kube" loop
> fail reliably
> rather than clobbering the writes of the "felix" loop. However,
> that's not the case
> for the first script. I'm wondering if there is supposed to be
> protection but it's
> bugged.
prev parent reply other threads:[~2017-02-09 14:40 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-03 20:37 Concurrent iptables-restore calls clobberring each other Shaun Crampton
2017-02-03 23:47 ` Jan Engelhardt
2017-02-04 8:53 ` Shaun Crampton
2017-02-09 14:39 ` Shaun Crampton [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAB3ewxNX=DegAesrqjb8_7q9-ghHcW-Pr7-LAYfqWX+5E9EqvQ@mail.gmail.com' \
--to=shaun@cantab.net \
--cc=jengelh@inai.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.