+1 for a backport; I don't think 1.6.2 is suitable for an SRU, specifically about one change I noticed with test packages that I think can break existing firewall scripts.
The locking code is shared between tools, so in 1.6.2, not only do we get iptables-{save,restore} with -w support, but iptables itself changes behavior.

When a lock is held, this is the current behavior in bionic:

    root@b1-iptables-restore-wait-lock:~# time iptables -L
    Another app is currently holding the xtables lock; still -9s 0us time ahead to have a chance to grab the lock...
    Another app is currently holding the xtables lock; still -19s 0us time ahead to have a chance to grab the lock...
    Another app is currently holding the xtables lock; still -29s 0us time ahead to have a chance to grab the lock...

Two things:
- there is an implied -w with no value, meaning infinite wait. Perhaps surprising, perhaps not.
- the time countdown is negative (bug)

In 1.6.2 and later, we have:

    root@b1-iptables-restore-wait-lock:~# time iptables -L
    Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

    real 0m0.003s

Focal:

    root@f1:~# time iptables -L
    Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

    real 0m0.003s
    user 0m0.004s
    sys 0m0.000s
    root@f1:~# iptables --version
    iptables v1.8.4 (legacy)

It exits immediately. I can see this breaking existing firewall scripts that were up to now relying on the lock even without knowing it. They would be working with the bionic version, perhaps hitting the lock a few times, but with the updated version, as soon as the lock is hit, iptables exits. This means the script would have to be changed to add -w [n] to all iptables invocations, and I think that's unexpected for an update to an LTS release.
https://bugs.launchpad.net/bugs/1791958

Title:
  iptables-restore is missing -w option

Status in iptables package in Ubuntu:
  Confirmed

Bug description:
  For CRIU we need to have iptables version 1.6.2, which includes the '-w' option in iptables-restore. This is a request to update iptables to 1.6.2 in 18.10 and, if possible, backport the necessary changes to 18.04.

  The CRIU project currently gets many bug reports (mostly in the combination LXD + CRIU) due to the missing '-w' option in iptables-restore. Especially as 18.04 will be around for some time, it would be good to have iptables-restore available with '-w'.

  This is one example bug report: https://github.com/checkpoint-restore/criu/issues/551

  But not only CRIU would benefit from this change. It also seems problematic with Kubernetes: https://github.com/kubernetes/kubernetes/pull/60978

  So if possible, please update iptables to 1.6.2 (or backport changes) to support -w in iptables-restore.