Re: How do packages that modify iptables rules prevent race conditions?
Patrick Schleizer wrote:
>
> as I just learned on the mailing list, that at least the packages
> fail2ban and miniupnpd [and most likely arno-iptables-firewall also]
> modify iptables rules...
Firewall managers such as ufw, shorewall, firestarter...
Custom iptables scripts.
IDS such as portsentry.
"Port knocking" daemons such as knockd.
> Is there a chance for race conditions?
Plenty.
> I.e. two packages trying to add
> iptables rules at the same time and thereby failing to do so?
Yes, or mixing up their rules resulting in unpredictable results.
> What is the proper mechanism to add iptables rules [for packages] to
> avoid such race conditions?
>
> Is using 'iptables --wait' sufficient or something else?
No it's not. You must also make sure that the rules created by each
program don't disrupt the rules created by the others.
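As an added illustration of the point made in this reply (example code, not from the thread and not the code of any of the packages named in it): a small POSIX shell pattern in which a program keeps all of its rules in a chain it owns, reached by a single jump from INPUT, and passes `-w` on every call so concurrent callers wait for the xtables lock instead of failing. `-w` (wait for the lock, iptables 1.4.20 and later) and `-C` (check whether a rule exists) are real iptables options; the chain name `myprog`, the `IPT` variable and the `dry-run via IPT=echo` convention are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-program iptables chain with lock-waiting, idempotent calls.
# Each function runs "${IPT:-iptables}" so that IPT=echo previews the commands
# without touching the kernel; without IPT set, real iptables is used (needs root).

# Create the program's own chain (harmless if it already exists) and make sure
# exactly one jump from INPUT reaches it, whether or not this ran before.
setup_chain() {
  chain="$1"
  ${IPT:-iptables} -w -N "$chain" 2>/dev/null || true
  ${IPT:-iptables} -w -C INPUT -j "$chain" 2>/dev/null \
    || ${IPT:-iptables} -w -I INPUT -j "$chain"
}

# Append a rule inside the program's own chain only; -C first so a restart
# does not duplicate it, and other programs' chains are never touched.
add_rule() {
  chain="$1"; shift
  ${IPT:-iptables} -w -C "$chain" "$@" 2>/dev/null \
    || ${IPT:-iptables} -w -A "$chain" "$@"
}

# Undo everything this program added: unhook the jump, flush, delete the chain.
# Rules owned by other programs remain intact.
teardown_chain() {
  chain="$1"
  ${IPT:-iptables} -w -D INPUT -j "$chain" 2>/dev/null || true
  ${IPT:-iptables} -w -F "$chain" 2>/dev/null || true
  ${IPT:-iptables} -w -X "$chain" 2>/dev/null || true
}
```

Run with `IPT=echo` to see the exact command sequence before using it for real; as root without `IPT`, `setup_chain myprog` followed by `add_rule myprog -m conntrack --ctstate INVALID -j DROP` installs the rule in the program's chain only, and `teardown_chain myprog` removes the chain without disturbing anything another package added to INPUT.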