Re: How do packages that modify iptables rules prevent race conditions?

[Pascal Hambourg <pascal@plouf.fr.eu.org>]

Patrick Schleizer a écrit :
> 
> as I just learned on the mailing list, that at least the packages
> fail2ban and miniupnpd [and most likely arno-iptables-firewall also]
> modify iptables rules...

Firewall managers such as ufw, shorewall, firestarter...
Custom iptables scripts.
IDS such as portsentry.
"Port knocking" daemons such as knockd.

> Is there a chance for race conditions?

Plenty.

> I.e. two packages trying to add
> iptables rules at the same time and thereby failing to do so?

Yes, or mixing up their rules resulting in unpredictable results.

> What is the proper mechanism to add iptables rules [for packages] to
> avoid such race conditions?
> 
> Is using 'iptables --wait' sufficient or something else?

No it's not. You must also make sure that the rules created by each
program don't disrupt the rules created by the others.