On Sun, 18.01.15 22:13, Pablo Neira Ayuso (pablo@xxxxxxxxxxxxx) wrote:

> Abstract unix sockets cannot be used to synchronize several concurrent
> instances of iptables since an unprivileged process can create them and
> prevent the legitimate iptables instance from running.
>
> This patch introduces a semaphore that is identified by the path to the
> iptables binary; it also relies on SEM_UNDO so the kernel performs the
> up() operation at process exit to avoid races with signals. This also
> avoids file locks that require a writable filesystem.

Please, don't use SysV IPC for any new code, it's the worst choice. (The token API is already such a disaster!) The API is awful, and dated. At least use the POSIX APIs instead.

I'd really recommend using BSD file locks on a file in /run though, they have the nicest semantics of all, and have been supported on Linux for a long time.

Lennart

--
Lennart Poettering, Red Hat
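An added example in C, not code from this thread or from iptables, of the BSD flock()-style lock Lennart recommends: the lock path and the helper names are assumptions, and the demo takes a caller-supplied path because writing under /run requires root.

```c
/* Added example (not from the thread): a BSD flock() lock as Lennart suggests.
 * Path/helper names are assumptions; real use puts the file in root-owned /run. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/file.h>
#include <unistd.h>

/* Take an exclusive flock() on path, polling until timeout_ms elapses.
 * Returns the held fd, or -1 with errno set. The kernel releases the lock
 * when the open file description is closed, including at process exit, so
 * a killed holder leaves no stale lock (the role SEM_UNDO plays for SysV). */
int lock_acquire(const char *path, int timeout_ms)
{
    int fd = open(path, O_RDONLY | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    for (;;) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;
        if (errno != EWOULDBLOCK || timeout_ms <= 0) {
            int saved = errno;   /* keep the cause across close() */
            close(fd);
            errno = saved;
            return -1;
        }
        usleep(10000);           /* retry every 10 ms */
        timeout_ms -= 10;
    }
}

/* flock() is bound to the open file description, so closing releases it. */
void lock_release(int fd) { close(fd); }

/* Check the semantics: a second open()+flock() on the same file contends
 * (even inside one process) until the holder closes. Returns 1 on success. */
int lock_demo(const char *path)
{
    int a = lock_acquire(path, 0), b;
    if (a < 0)
        return 0;
    b = lock_acquire(path, 50);            /* times out: still held by a */
    if (b >= 0 || errno != EWOULDBLOCK)
        return 0;
    lock_release(a);
    if ((b = lock_acquire(path, 0)) < 0)   /* now free */
        return 0;
    lock_release(b);
    unlink(path);
    return 1;
}
```

Because the lock file sits in a root-owned directory, an unprivileged process cannot pre-create it the way it can an abstract unix socket, and no writable filesystem beyond /run is needed.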