From: Stefan Hanreich <s.hanreich@proxmox.com>
To: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>,
	"Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Subject: Re: [pve-devel] [PATCH proxmox-firewall 1/1] service: flush firewall rules on force disable
Date: Thu, 4 Jul 2024 14:06:52 +0200
Message-ID: <c4425b9f-2e7e-4d83-bd14-9bfbab6cd35e@proxmox.com>
In-Reply-To: <172009015103.180658.17528931406427687616@yuna.proxmox.com>



On 7/4/24 12:49, Fabian Grünbichler wrote:
> so if I understand this correctly, it should handle the following case:
> 
> proxmox-firewall runs and sets up NFT rules
> user disables NFT
> pve-firewall runs and sets up legacy rules and force disable file
> proxmox-firewall runs and disables NFT rules
> 
> as opposed to the following sequence
> 
> proxmox-firewall runs and sets up NFT rules
> user disables NFT
> proxmox-firewall runs and disables NFT rules
> pve-firewall runs and sets up legacy rules and force disable file
> 
> which is already handled..

correct

> I don't see why the first case should "almost never happen", just because the
> loops have a different period - it all comes down to alignment of the periods
> and timing of the user action?
> 
> in other words, you have a sequence
> 
> 0:    N
> 5:    N
> 5+X:  L
> 10:   N
> 15:   N
> 15+X: L
> 20:   N
> 25:   N
> 25+X: L
> 
> where the gap between N and N is 5 seconds, and the gap between N and L and L
> and N together is also 5 seconds. on average (assuming random alignment of the
> periods), there's an X=2.5s window (out of 10) that the user action must hit to
> trigger the issue (in the gap between L and N, since X can be between 0 and
> 5s)?
> 
> FWIW, the change itself looks good to me, but the commit message might need
> some adaptation ;)

You're correct, the reasoning in the commit message is wrong or at least
badly worded and I'll try to improve upon that in a v2. I guess it might
even be unnecessary to mention how often / rarely this can happen and
focus more on describing the race condition itself.

