
Re: How do packages that modify iptables rules prevent race conditions?



Patrick Schleizer writes:
> I.e. two packages trying to add iptables rules at the same time and
> thereby failing to do so?

They can't do that as each call to iptables locks the table being operated
on.  Without -w iptables exits when it can't get the lock.  With -w it
waits.

Pascal Hambourg writes:
> Yes, or mixing up their rules resulting in unpredictable results.

Yes, that could happen if the programs call iptables multiple times.
Best that programs that manipulate the tables assemble their changes and
install them all with a single call of iptables.  Otherwise you could
have short periods where an unintended ruleset is in effect (or the
program could exit before it completes).  Of course, you still might get
surprises if you run two such programs, but why would you do that?

If you have a program that bypasses iptables you're on your own.
-- 
John Hasler 
jhasler@newsguy.com
Elmwood, WI USA
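The "assemble everything and install it with a single call" approach from the reply above, as an added example (this is not John Hasler's code or anything posted in the thread): the script builds a complete filter table in iptables-save format and hands it to iptables-restore once, so the kernel swaps the whole table in one transaction instead of exposing a half-built ruleset between successive `iptables -A` calls. The chain policies, the conntrack rule, the port list and the `apply`/`check` command words are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed policy: default-deny
# INPUT/FORWARD, allow loopback, established flows, and a list of TCP ports.

build_ruleset() {
    # Emit one complete filter table in iptables-save format. Everything
    # between "*filter" and "COMMIT" is applied atomically by iptables-restore,
    # unlike a sequence of separate iptables calls where a reader (or another
    # script) can observe the intermediate states.
    allowed_ports="$1"      # space-separated TCP ports, e.g. "22 443"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $allowed_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

check_ruleset() {
    # --test parses and constructs the ruleset without committing it, so a
    # typo is caught before anything touches the live table.
    build_ruleset "$1" | iptables-restore --test
}

apply_ruleset() {
    # A single iptables-restore call replaces the table in one step. -w waits
    # for the xtables lock (iptables 1.6.2 or later) instead of exiting when
    # another iptables invocation holds it, which is the -w behaviour the
    # post describes for plain iptables.
    build_ruleset "$1" | iptables-restore -w
}

# Usage: ./fw.sh            print the generated ruleset
#        ./fw.sh check      syntax-check it (needs iptables-restore)
#        ./fw.sh apply      install it (needs root)
case "${1:-}" in
    apply) apply_ruleset "22 443" ;;
    check) check_ruleset "22 443" ;;
    *)     build_ruleset "22 443" ;;
esac
```

Running two such scripts concurrently still gives "last writer wins" for the whole table, but neither one can interleave its rules with the other's, which is the unpredictable mix the reply warns about.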

