Today I discovered that if the netfilter syscalls should fail to
acquire a lock (because something else is making a netfilter syscall
at that particular moment), then they return EAGAIN to userspace. When
this happens, iptables simply exits, rather than retrying the syscall
(like you would normally expect from EAGAIN).

iptables always returns an exit code of 4 when this happens, and only
when this happens. It would be nice if shorewall would immediately
retry the iptables invocation rather than bailing out, as it'll
probably succeed. This should be a trivial modification to
run_iptables.

Since netfilter syscalls are very fast to complete (as syscalls go),
this problem should be extremely infrequent, but it's annoying when a
firewall fails to reboot cleanly for such a silly reason.
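
The retry the post asks for, as an added example that is not Shorewall's own run_iptables: a POSIX shell wrapper that re-runs the command only when it exits with status 4 and passes every other status straight through. The function name, the IPTABLES, MAX_TRIES and RETRY_DELAY variables, and the bounded retry count are assumptions of this example.

```shell
# Added example, not Shorewall code. All names here are hypothetical.
IPTABLES=${IPTABLES:-iptables}   # command to invoke; overridable (e.g. for testing)
MAX_TRIES=${MAX_TRIES:-5}        # assumed bound so a persistent failure cannot hang boot
RETRY_DELAY=${RETRY_DELAY:-1}    # assumed pause in seconds between attempts

# run_iptables_retry ARGS...
# Runs "$IPTABLES" with the given arguments. Exit status 4 (the EAGAIN case
# described in the post) triggers a retry; any other status, including
# success, is returned to the caller unchanged after a single attempt.
run_iptables_retry() {
    tries=0
    while :; do
        tries=$((tries + 1))
        status=0
        "$IPTABLES" "$@" || status=$?

        # A rule error or other real failure must not be masked by retrying.
        [ "$status" -eq 4 ] || return "$status"

        if [ "$tries" -ge "$MAX_TRIES" ]; then
            echo "iptables still failing with status 4 after $tries attempts: $*" >&2
            return 4
        fi
        sleep "$RETRY_DELAY"
    done
}
```

Bounding the attempts keeps the firewall start from looping forever if status 4 persists, and the final failure is still reported with the original exit code so the caller can abort as before.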