Skip to content

iptables: add file lock to prevent concurrent overwrite #3327

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
xiaoxiang781216 merged 1 commit into from
Jan 15, 2026
Merged

iptables: add file lock to prevent concurrent overwrite #3327

xiaoxiang781216 merged 1 commit into from
Jan 15, 2026

Conversation

@zhhyu7
Copy link
Contributor

@zhhyu7 zhhyu7 commented Jan 14, 2026

Summary

the kernel can only prevent the concurrency of s/getsockopt, but iptables will call these interfaces multiple times at a time. We need to wait for one iptables to complete before executing the second one, otherwise the data will be overwritten.

iptables flow:
get current iptables entries [1] -> add new entry 2 [1,2] -> set to kernel [1,2]
get current iptables entries [1] -> add new entry 3 [1,3] -> set to kernel [1,3]
then, entry 2 is missing.

Impact

iptables

Testing

sim:matter, enable iptables
NuttX test log:

NuttShell (NSH) NuttX-12.12.0
MOTD: username=admin password=Administrator
nsh> iptables -L
Chain INPUT (policy ACCEPT)
target        prot  idev  odev  source              destination        

Chain FORWARD (policy ACCEPT)
target        prot  idev  odev  source              destination        

Chain OUTPUT (policy ACCEPT)
target        prot  idev  odev  source              destination        

nsh> iptables -A INPUT -i eth0 -s 172.16.46.0/24 -d 172.16.46.0/24 -j ACCEPT
nsh> iptables -A INPUT -i eth0 -s 172.16.47.0/24 -d 172.16.47.0/24 -j ACCEPT
nsh> iptables -A INPUT -i eth0 -s 172.16.48.0/24 -d 172.16.48.0/24 -j ACCEPT
nsh> iptables -L
Chain INPUT (policy ACCEPT)
target        prot  idev  odev  source              destination        
ACCEPT        all   eth0  any   172.16.46.0/24      172.16.46.0/24     
ACCEPT        all   eth0  any   172.16.47.0/24      172.16.47.0/24     
ACCEPT        all   eth0  any   172.16.48.0/24      172.16.48.0/24     

Chain FORWARD (policy ACCEPT)
target        prot  idev  odev  source              destination        

Chain OUTPUT (policy ACCEPT)
target        prot  idev  odev  source              destination        

nsh>

@zhhyu7
iptables: add file lock to prevent concurrent overwrite
3303045 
the kernel can only prevent the concurrency of s/getsockopt, but
iptables will call these interfaces multiple times at a time. We
need to wait for one iptables to complete before executing the second
one, otherwise the data will be overwritten.

iptables flow:
get current iptables entries [1] -> add new entry 2 [1,2] -> set to kernel [1,2]
get current iptables entries [1] -> add new entry 3 [1,3] -> set to kernel [1,3]
entry 2 is lost

Signed-off-by: zhanghongyu <zhanghongyu@xiaomi.com>
@xiaoxiang781216 xiaoxiang781216 merged commit 2b0a4a2 into apache:master Jan 15, 2026
40 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xiaoxiang781216 xiaoxiang781216 xiaoxiang781216 approved these changes

@GUIDINGLI GUIDINGLI GUIDINGLI approved these changes

Assignees

No one assigned

Labels

Area: System Size: S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zhhyu7 @xiaoxiang781216 @GUIDINGLI