Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

iptables: Resource temporarily unavailable.问题 #9

Open
leon0625 opened this issue Jan 30, 2018 · 1 comment
Open

iptables: Resource temporarily unavailable.问题 #9

leon0625 opened this issue Jan 30, 2018 · 1 comment
Labels
异常

Comments

@leon0625
Copy link
Owner

leon0625 commented Jan 30, 2018
edited
Loading

执行iptables规则时失败,出现错误提示 iptables: Resource temporarily unavailable.

问题

  出现此种怪问题,第一反应就是:“发生了什么?我什么都没改。没道理呀。”
   Resource temporarily unavailable.的错误打印对应错误码EAGAIN,就出叫你出现这个错了在试一遍的意思。我的感觉是,iptables规则作为系统全局共享组件,在设置时,内核肯定会有锁机制来解决并发问题。既然如此,那就写个脚本并发iptables试一试看有问题没。

测试脚本

#!/bin/sh

iptables -t filter -N TESTTTTTTTT1 &
iptables -t filter -N TESTTTTTTTT2 &
iptables -t filter -N TESTTTTTTTT3 &
iptables -t filter -N TESTTTTTTTT4 &
iptables -t filter -N TESTTTTTTTT5 &
iptables -t filter -N TESTTTTTTTT6 &

iptables -t filter -X TESTTTTTTTT1 &
iptables -t filter -X TESTTTTTTTT2 &
iptables -t filter -X TESTTTTTTTT3 &
iptables -t filter -X TESTTTTTTTT4 &
iptables -t filter -X TESTTTTTTTT5 &
iptables -t filter -X TESTTTTTTTT6 &

  脚本很简单,创建链,然后删除链。每条规则都放后台执行,运行几遍就能复现iptables: Resource temporarily unavailable.的问题。
  板子上跑起来有问题,想着虚拟机跑下试试,虚拟机跑也有问题,不过虚拟机会有让加-w参数的提示:

Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

  这里已经很明显的告诉我们,多个进程争夺xtables lock,iptables执行失败,可以通过-w参数来让进程在失败时wait一下。

修改方法

  查看虚拟机里面的iptables版本为1.4.21, 板子里面的iptables版本为1.4.4,然后下载了1.4.21的源码下来

1.4.21的锁机制
  通过创建unix域套接字然后bind来实现,但是我本地测试这段代码却有问题。原因在于:域套接字在进程退出后不会销毁该套接字对应的文件,下次bind就会失败,如果调用unlink来处理,套接字文件又会里面被清掉,bind总是成功,无法起到锁的作用。(所以这里不懂1.4.21这一版的原理究竟是啥)
  想来想去,没什么好办法,又下载了最新的iptables源码

1.6.1的锁机制
  通过flock实现。查了下flock,发现这就是我需要的。flock锁的销毁会随着文件描述符销毁而销毁,所以即便进程意外退出了,也不用担心会有锁残留的问题。于是可以写出iptables应用层加锁的代码来:

void xtables_try_lock(void)
{
    int fd;
    int i = 0;
    int sleep_time_ms = 50;
    int wait_time_sec = 10;
    int wait_cnt = wait_time_sec*1000 / sleep_time_ms;

    fd = open(XT_LOCK_NAME, O_CREAT, 0600);
    if (fd < 0)
        return;

    for(i = 0; i < wait_cnt; i++)
    {
        if(!flock(fd, LOCK_EX | LOCK_NB))
            return;
        usleep(sleep_time_ms * 1000);
    }

    printf("## BUG! Another app is currently holding the xtables lock long time!\n");
    return;
}

  把这个锁放在iptables就ok了。
@ShipeiXu
Copy link

v1.4.21版本使用的是抽象的unix域套接字,不产生实际的文件,在进程关闭后自动消失。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
异常
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ShipeiXu @leon0625