On Mon, 19.01.15 19:09, Pablo Neira Ayuso (pablo@xxxxxxxxxxxxx) wrote:

> Abstract unix sockets cannot be used to synchronize several concurrent
> instances of iptables since an unprivileged process can create them and
> prevent the legitimate iptables instance from running.
>
> Use flock() and /run instead as suggested by Lennart Poettering.

Looks OK. Of course, it's a bit nasty to do the sleep() loop, but there is no time-limited version of flock(), hence doing the sleep() loop is kinda necessary, unless one wants to use SIGALRM, but that's awful to do without races... Hence, looks OK to me.

A minor optimization might be to move the lock file into its own subdir /run/iptables/ or so, but it's OK if you don't.

Lennart

--
Lennart Poettering, Red Hat
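The lock scheme under discussion, as an added illustration that is not the iptables patch itself: a non-blocking flock() on a file in a root-owned directory, retried in a sleep loop because flock() has no timed variant. The function name, the timeout/interval parameters and the lock path used in the comments are this example's own choices; the point the thread makes is that the file must live somewhere (such as /run or /run/iptables/) that an unprivileged user cannot create or hold, unlike an abstract unix socket.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Take an exclusive flock() on `path`, retrying every `interval_ms` until
 * `timeout_ms` has elapsed.  `path` should be in a root-owned directory
 * (e.g. /run/xtables.lock or /run/iptables/lock) so that only the
 * privileged tool can create it.  Returns the locked fd, which the caller
 * keeps open while holding the lock, or -1 with errno set
 * (ETIMEDOUT when another holder did not release it in time). */
int acquire_lock_timed(const char *path, int timeout_ms, int interval_ms)
{
    int fd = open(path, O_CREAT | O_RDONLY | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;

    int waited = 0;
    for (;;) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;            /* lock acquired */

        int err = errno;
        if (err != EWOULDBLOCK || waited >= timeout_ms) {
            close(fd);
            errno = (err == EWOULDBLOCK) ? ETIMEDOUT : err;
            return -1;
        }

        /* Lock is held elsewhere: sleep and retry (the loop flock()
         * forces on us since there is no timed flock()). */
        struct timespec ts = { interval_ms / 1000,
                               (interval_ms % 1000) * 1000000L };
        nanosleep(&ts, NULL);
        waited += interval_ms;
    }
}

/* Closing the descriptor drops the flock() held through it. */
void release_lock(int fd)
{
    close(fd);
}
```

A second open() of the same file yields an independent open file description, so a concurrent instance (or a second descriptor in the same process) sees EWOULDBLOCK until the first holder closes its fd.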