I'd like to know if adding/removing entries with ipset is thread-safe. For instance, if I have 2 concurrent processes performing these operations

ipset -A myset 1.1.1.1 # process 1's operation
ipset -A myset 2.2.2.2 # process 2's operation

do I need to add a synchronization mechanism that ensures the 2nd process to run waits for the 1st one to complete to avoid somehow corrupting my IPset (e.g., ending up with 1.2.1.2 in my IPset) or is this functionality already provided by ipset?

Thanks!

Solution

No - you do not need to add any locking mechanisms in the user-space for this. The kernel module code already has a lock around each set which is write-locked during add and delete operations.

Here is the relevant code from the kernel module of ipset. Notice the write lock & unlock.

static int
call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
        struct nlattr *tb[], enum ipset_adt adt,
        u32 flags, bool use_lineno)
{
        int ret;
        u32 lineno = 0;
        bool eexist = flags & IPSET_FLAG_EXIST, retried = false;

        do {
                write_lock_bh(&set->lock);
                ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
                write_unlock_bh(&set->lock);
                retried = true;
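
A way to check this empirically, as an added example that is not part of the original answer: several processes add to one set in parallel, then the saved set is compared with the addresses that were added. The set name `locktest_demo`, the 10.99.x.x range and the `RUN_IPSET_TEST` switch are assumptions made for the example; the live run needs root and the ip_set kernel module.

```shell
#!/bin/sh
# Added example: concurrent writers against one ipset, then an integrity check.
SET=locktest_demo          # hypothetical set name
WORKERS=4; PER_WORKER=50   # assumed load

# Addresses worker $1 will add: 10.99.<worker>.<1..PER_WORKER> (constructed range).
worker_addrs() {
    i=1
    while [ "$i" -le "$PER_WORKER" ]; do
        echo "10.99.$1.$i"; i=$((i + 1))
    done
}

# Every address the run is expected to leave in the set, sorted.
expected_addrs() {
    w=1
    while [ "$w" -le "$WORKERS" ]; do worker_addrs "$w"; w=$((w + 1)); done | sort
}

# Read `ipset save` output on stdin; print members that were never added
# (a mixed-up entry such as 1.2.1.2 would show up here) and expected
# members that are missing. Returns 0 only when the set matches exactly.
check_members() {
    got=$(awk '$1 == "add" { print $3 }' | sort)
    want=$(expected_addrs)
    bad=0
    for a in $got; do
        echo "$want" | grep -qxF "$a" || { echo "unexpected: $a"; bad=1; }
    done
    for a in $want; do
        echo "$got" | grep -qxF "$a" || { echo "missing: $a"; bad=1; }
    done
    return "$bad"
}

# Live run needs root and the ip_set module, so it is opt-in.
if [ "${RUN_IPSET_TEST:-0}" = 1 ]; then
    ipset create "$SET" hash:ip
    w=1
    while [ "$w" -le "$WORKERS" ]; do
        ( worker_addrs "$w" | while read -r a; do ipset add "$SET" "$a"; done ) &
        w=$((w + 1))
    done
    wait
    ipset save "$SET" | check_members && echo "set intact"
    ipset destroy "$SET"
fi
```

Run it as root with `RUN_IPSET_TEST=1`; without that variable only the helper functions are defined.
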
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow