Re: How do packages that modify iptables rules prevent race conditions?

To: debian-user@lists.debian.org
Subject: Re: How do packages that modify iptables rules prevent race conditions?
From: Sven Hartge <sven@svenhartge.de>
Date: Thu, 12 Nov 2015 19:35:06 +0100
Message-id: <[🔎] 17c35avi5s1v8@mids.svenhartge.de>
References: <[🔎] 56449847.1080401@whonix.org> <[🔎] 16c34qqm5s1v8@mids.svenhartge.de> <[🔎] 56449FED.7000400@whonix.org>

Patrick Schleizer <patrick-mailinglists@whonix.org> wrote:

> as I just learned on the mailing list, that at least the packages
> fail2ban and miniupnpd [and most likely arno-iptables-firewall also]
> modify iptables rules...

> Is there a chance for race conditions? I.e. two packages trying to add
> iptables rules at the same time and thereby failing to do so?

fail2ban und miniupnpd create their own chains and a rule to jump to
that personal chain on startup. Subsequent rules are only ever added to
that personal chain. This effectivly avoids any race with different
rules inserted at different places of the ruleset.

Grüße,
Sven.

-- 
Sigmentation fault. Core dumped.

Reply to:

References:
- Are there packages that modify iptables rules?
  - From: Patrick Schleizer <patrick-mailinglists@whonix.org>
- Re: Are there packages that modify iptables rules?
  - From: Sven Hartge <sven@svenhartge.de>
- How do packages that modify iptables rules prevent race conditions?
  - From: Patrick Schleizer <patrick-mailinglists@whonix.org>

Prev by Date: Re: Ransomware meets Linux - on the command line!
Next by Date: Re: How do packages that modify iptables rules prevent race conditions?
Previous by thread: Re: How do packages that modify iptables rules prevent race conditions?
Next by thread: Re: How do packages that modify iptables rules prevent race conditions?
Index(es):
- Date
- Thread