Add iptables lock support and iptables_ext configuration options #107
Open
LaakkonenJussi wants to merge 13 commits into sailfishos:master from
Conversation
LaakkonenJussi commented Jul 2, 2025
keto reviewed Jul 3, 2025
Add an "IptablesPrefixesToExclude" option to be used with Sailfish Iptables extension to define the prefixes that are to be excluded from table/chain/rule parsing.
Use the prefixes defined with IptablesPrefixesToExclude in configuration to exclude the targets, chains and rules that have them. Those are to be added by the component to which they belong, and ConnMan should not take part in restoring them, since the targets may not have been set up yet, causing errors that may propagate to other, bigger failures.
Add a boolean option to set the sailfish iptables extension to runtime (no save or restore) mode; by default the runtime mode is off and iptables is saved and restored on boot. This is for the cases where ConnMan is not meant to save or restore iptables because other components are also utilizing iptables.
When IptablesExtRuntimeOnly is set to true, skip save and restore of iptables.
[util] Add file lock and unlock functions. JB#63544 Add functions to lock and unlock a file. Simply use flock to gain an exclusive lock when locking is requested. If locking fails, return -ENOLCK.
[build] Add XT_LOCK_NAME to XTABLES build options. JB#63544 Define the xtables.lock with runstatedir and use it with the build. Enable this only when XTABLES is defined.
[iptables] Use util file locking when setting iptables rules. JB#63544 Utilize file locking in util before calling setsockopt. Release the lock always. Clean up iptables_replace() code.
…JB#63544 When calling iptc_commit() use the file locking in util to wait for other processes that access iptables.
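A minimal illustration of the locking scheme the util and iptables commits above describe, written as an added example rather than code from the ConnMan or Sailfish trees: take an exclusive flock() on the xtables lock file, return -ENOLCK when it cannot be taken, and release it on every path. The lock path is a parameter here (the build derives XT_LOCK_NAME from runstatedir), and the temp file used by the contention check is constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

/* Take an exclusive flock() on the xtables lock file. The PR builds the
 * path as XT_LOCK_NAME under runstatedir; here it is a parameter. Returns
 * the fd to release later, -errno if the file cannot be opened and
 * -ENOLCK if the lock cannot be taken; block == 0 fails instead of waiting. */
int xtables_lock(const char *path, int block)
{
    int fd = open(path, O_CREAT | O_RDONLY | O_CLOEXEC, 0600);
    if (fd < 0)
        return -errno;
    if (flock(fd, LOCK_EX | (block ? 0 : LOCK_NB)) < 0) {
        close(fd);
        return -ENOLCK;
    }
    return fd;
}

/* Release the lock on every exit path; closing the fd drops the flock(). */
void xtables_unlock(int fd)
{
    if (fd >= 0) {
        flock(fd, LOCK_UN);
        close(fd);
    }
}

/* Contention check on a constructed temp file (not the real lock): returns
 * 1 when a second non-blocking attempt fails with -ENOLCK while the lock is
 * held through another open file description and succeeds after release. */
int demo_lock_contention(void)
{
    char path[] = "/tmp/xtables-demo-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0)
        return 0;
    close(tmp);
    int held = xtables_lock(path, 1);      /* holder, as another process would be */
    int contended = xtables_lock(path, 0); /* iptc_commit() would wait here */
    xtables_unlock(held);
    int after = xtables_lock(path, 0);
    xtables_unlock(after);
    unlink(path);
    return held >= 0 && contended == -ENOLCK && after >= 0;
}
```

In the PR's commit path the iptables change (iptc_commit() or the setsockopt call) sits between xtables_lock() and xtables_unlock(), with the unlock reached on both success and failure.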
Use the xtables.lock with flock() to wait until another component has finished with iptables. This may happen if there are multiple components accessing iptables, which might result in a failure and misconfigured iptables.
Add two options for iptables extension: