
Re: How do packages that modify iptables rules prevent race conditions?



On 12/11/2015 20:47, Pascal Hambourg wrote:
> Patrick Schleizer wrote:
>> as I just learned on the mailing list, that at least the packages
>> fail2ban and miniupnpd [and most likely arno-iptables-firewall also]
>> modify iptables rules...
> Firewall managers such as ufw, shorewall, firestarter...
> Custom iptables scripts.
> IDS such as portsentry.
> "Port knocking" daemons such as knockd.
>
>> Is there a chance for race conditions?
> Plenty.
>
>> I.e. two packages trying to add
>> iptables rules at the same time and thereby failing to do so?
> Yes, or mixing up their rules resulting in unpredictable results.
>
>> What is the proper mechanism to add iptables rules [for packages] to
>> avoid such race conditions?
>>
>> Is using 'iptables --wait' sufficient or something else?
> No it's not. You must also make sure that the rules created by each
> program don't disrupt the rules created by the others.
>
>

For fail2ban I prefer to use ipset and only modify the blocked set
without changing the rules themselves.
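The ipset approach described in the reply above, as an added shell example that is not part of the original message: one static iptables rule referencing a set is installed once (serialised with `--wait` and made idempotent with `-C`), and banning or unbanning only changes set membership, so no later iptables call can race with other rule managers. The set name `fail2ban-block`, the timeout and the `DRY_RUN` switch are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: a single iptables rule points at an ipset; bans and
# unbans change the set, never the rule chain. Set name, timeout and the
# DRY_RUN switch are assumptions, not values from the original thread.
set -eu

SET_NAME="${SET_NAME:-fail2ban-block}"
BAN_TIME="${BAN_TIME:-600}"   # per-entry timeout in seconds (auto-expiry)

# Execute a command, or print it instead when DRY_RUN=1 (review/testing).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time, idempotent setup. -w (--wait) serialises against other iptables
# callers; -C checks whether the rule already exists so a rerun does not
# insert a duplicate. This is the only place iptables is ever invoked.
setup_firewall() {
    run ipset create "$SET_NAME" hash:ip timeout "$BAN_TIME" -exist
    if [ "${DRY_RUN:-0}" = 1 ] || \
       ! iptables -w -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null; then
        run iptables -w -I INPUT -m set --match-set "$SET_NAME" src -j DROP
    fi
}

# Ban/unban touch only the set; -exist makes both calls idempotent.
ban_ip() {
    run ipset add "$SET_NAME" "$1" timeout "$BAN_TIME" -exist
}

unban_ip() {
    run ipset del "$SET_NAME" "$1" -exist
}

# Usage: script.sh setup | ban <ip> | unban <ip>
case "${1:-}" in
    setup) setup_firewall ;;
    ban)   ban_ip "$2" ;;
    unban) unban_ip "$2" ;;
    *)     ;;
esac
```

Run `setup` once at boot (root required); `ban`/`unban` can then be issued by any number of processes without touching the rule chain.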

