iptables: accept lock file name at runtime

allow users to override at runtime the lock file to use through the
XTABLES_LOCKFILE environment variable.

It allows to use iptables when the user has granted enough
capabilities (e.g. a user+network namespace) to configure the network
but that lacks access to the XT_LOCK_NAME (by default placed under
/run).

$ XTABLES_LOCKFILE=/tmp/xtables unshare -rn iptables ...

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/configure.ac b/configure.ac
index 31a8bb261c43717a0d33776c900e001af558adff..d37752a20afd2db216a86c8d82ef8b0eb2aa6ff3 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -219,6 +219,7 @@ AC_SUBST([libxtables_vmajor])
 
 AC_DEFINE_UNQUOTED([XT_LOCK_NAME], "${xt_lock_name}",
        [Location of the iptables lock file])
+AC_SUBST([XT_LOCK_NAME], "${xt_lock_name}")
 
 AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
        iptables/Makefile iptables/xtables.pc

diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index 054564b3df91e1803513cc35afb64bf43373bd20..999cf339845f9a2cf9cc7e1517dc492fe0378d79 100644 (file)
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -397,6 +397,14 @@ corresponding to that rule's position in the chain.
 \fB\-\-modprobe=\fP\fIcommand\fP
 When adding or inserting rules into a chain, use \fIcommand\fP
 to load any necessary modules (targets, match extensions, etc).
+
+.SH LOCK FILE
+iptables uses the \fI@XT_LOCK_NAME@\fP file to take an exclusive lock at
+launch.
+
+The \fBXTABLES_LOCKFILE\fP environment variable can be used to override
+the default setting.
+
 .SH MATCH AND TARGET EXTENSIONS
 .PP
 iptables can use extended packet matching and target modules.

diff --git a/iptables/xshared.c b/iptables/xshared.c
index c1d1371a6d54a84489560af46246e3b304fe29aa..7d97637f7e12937a9da8841dedc9b28bfcb73f47 100644 (file)
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -249,15 +249,20 @@ void xs_init_match(struct xtables_match *match)
 static int xtables_lock(int wait, struct timeval *wait_interval)
 {
        struct timeval time_left, wait_time;
+       const char *lock_file;
        int fd, i = 0;
 
        time_left.tv_sec = wait;
        time_left.tv_usec = 0;
 
-       fd = open(XT_LOCK_NAME, O_CREAT, 0600);
+       lock_file = getenv("XTABLES_LOCKFILE");
+       if (lock_file == NULL || lock_file[0] == '\0')
+               lock_file = XT_LOCK_NAME;
+
+       fd = open(lock_file, O_CREAT, 0600);
        if (fd < 0) {
                fprintf(stderr, "Fatal: can't open lock file %s: %s\n",
-                       XT_LOCK_NAME, strerror(errno));
+                       lock_file, strerror(errno));
                return XT_LOCK_FAILED;
        }
 
@@ -265,7 +270,7 @@ static int xtables_lock(int wait, struct timeval *wait_interval)
                if (flock(fd, LOCK_EX) == 0)
                        return fd;
 
-               fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME,
+               fprintf(stderr, "Can't lock %s: %s\n", lock_file,
                        strerror(errno));
                return XT_LOCK_BUSY;
        }