While testing the SIGHUP handling and reloading of the nwfilter driver, I found that when the filters are rebuilt and mutlipe threads handled the individual interfaces, concurrently running multiple external bash scripts causes strange failures even though the executed ebtables commands are working on different tables for different interfaces. I cannot say for sure where the concurrency problems are caused, but introducing this lock definitely helps. Signed-off-by: Stefan Berger <stefanb@us.ibm.com> --- src/nwfilter/nwfilter_ebiptables_driver.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -104,6 +104,7 @@ static int ebiptablesDriverInit(void); static void ebiptablesDriverShutdown(void); static int ebtablesCleanAll(const char *ifname); +static virMutex execCLIMutex; struct ushort_map { unsigned short attr; @@ -2309,8 +2310,13 @@ ebiptablesExecCLI(virBufferPtr buf, return 1; argv[0] = filename; + + virMutexLock(&execCLIMutex); + rc = virRun(argv, status); + virMutexUnlock(&execCLIMutex); + *status >>= 8; VIR_DEBUG("rc = %d, status = %d",rc, *status); @@ -3163,8 +3169,9 @@ tear_down_tmpebchains: ebiptablesExecCLI(&buf, &cli_status); virNWFilterReportError(VIR_ERR_BUILD_FIREWALL, - "%s", - _("Some rules could not be created.")); + _("Some rules could not be created for " + "interface %s."), + ifname); return 1; } @@ -3364,6 +3371,9 @@ ebiptablesDriverInit(void) virBuffer buf = VIR_BUFFER_INITIALIZER; int cli_status; + if (virMutexInit(&execCLIMutex)) + return EINVAL; + bash_cmd_path = virFindFileInPath("bash"); gawk_cmd_path = virFindFileInPath("gawk"); grep_cmd_path = virFindFileInPath("grep");