How do packages that modify iptables rules prevent race conditions?

To: debian-user@lists.debian.org
Subject: How do packages that modify iptables rules prevent race conditions?
From: Patrick Schleizer <patrick-mailinglists@whonix.org>
Date: Thu, 12 Nov 2015 14:19:25 +0000
Message-id: <[🔎] 56449FED.7000400@whonix.org>
In-reply-to: <[🔎] 16c34qqm5s1v8@mids.svenhartge.de>
References: <[🔎] 56449847.1080401@whonix.org> <[🔎] 16c34qqm5s1v8@mids.svenhartge.de>

Hi,

as I just learned on the mailing list, that at least the packages
fail2ban and miniupnpd [and most likely arno-iptables-firewall also]
modify iptables rules...

Is there a chance for race conditions? I.e. two packages trying to add
iptables rules at the same time and thereby failing to do so?

What is the proper mechanism to add iptables rules [for packages] to
avoid such race conditions?

Is using 'iptables --wait' sufficient or something else?

Cheers,
Patrick

Reply to:

Follow-Ups:
- Re: How do packages that modify iptables rules prevent race conditions?
  - From: John Hasler <jhasler@newsguy.com>
- Re: How do packages that modify iptables rules prevent race conditions?
  - From: Sven Hartge <sven@svenhartge.de>
- Re: How do packages that modify iptables rules prevent race conditions?
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

References:
- Are there packages that modify iptables rules?
  - From: Patrick Schleizer <patrick-mailinglists@whonix.org>
- Re: Are there packages that modify iptables rules?
  - From: Sven Hartge <sven@svenhartge.de>

Prev by Date: Re: Are there packages that modify iptables rules?
Next by Date: Re: soundcard appearing as device, but not working
Previous by thread: Re: Are there packages that modify iptables rules?
Next by thread: Re: How do packages that modify iptables rules prevent race conditions?
Index(es):
- Date
- Thread