On 11.11.2010 19:20, Eric Dumazet wrote:
> On Thursday, 11 November 2010 at 19:03 +0100, Jan Kasprzak wrote:
>> Eric Dumazet wrote:
>> : > There probably can be some other iptables commands running
>> : > occasionally (automatic blacklisting of some IP addresses, enabling
>> : > traffic to authenticated laptops, etc.), but not in the chains I am
>> : > trying to modify with my firewall initscript. Can this also be a problem?
>> :
>> : Yes, it is a problem. iptables manipulates the whole table, not a
>> : subtree.
>>
>> So do you suggest I should implement some kind of user-space
>> locking, or is the current approach of "retry after 1 sec when it fails"
>> OK from the kernel point of view?
>
> You could implement user-space locking, if the additional delay of the
> "retry after 1 sec" is bothering you ;)

Indeed, that's the best solution. The kernel can't really do anything
about this since incremental ruleset updates are a two-step process.
For dumps we added retries a while ago; for updates this seems a bit
dangerous.
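As an added example (not code from this thread or from the netfilter project), a POSIX sh wrapper of the kind suggested above: it serialises iptables invocations between independent scripts with a mkdir-based user-space lock and also provides the "retry after 1 sec" fallback for callers that cannot share the lock. The lock path, wait time and retry count are assumptions.

```shell
#!/bin/sh
# Serialise rule updates between firewall scripts with a user-space lock,
# because iptables replaces the whole table and two concurrent updaters
# can silently undo each other's rules. Constructed example; lock path,
# wait time and retry count are assumptions, not values from the thread.
# mkdir is used as the lock primitive because it is atomic on POSIX
# filesystems and works where flock(1) is not installed.
IPT_LOCK_DIR="${IPT_LOCK_DIR:-${TMPDIR:-/tmp}/iptables.lock.d}"
IPT_LOCK_WAIT="${IPT_LOCK_WAIT:-30}"      # seconds to wait for the lock
IPT_RETRIES="${IPT_RETRIES:-5}"           # attempts for the retry fallback
IPT_RETRY_DELAY="${IPT_RETRY_DELAY:-1}"   # seconds between attempts

# ipt_lock: acquire the lock, or fail after IPT_LOCK_WAIT seconds.
ipt_lock() {
    waited=0
    until mkdir "$IPT_LOCK_DIR" 2>/dev/null; do
        [ "$waited" -ge "$IPT_LOCK_WAIT" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

ipt_unlock() { rmdir "$IPT_LOCK_DIR" 2>/dev/null; }

# ipt_locked CMD ARGS...: run one command (e.g. iptables -A ...) under the
# lock, releasing it whether or not the command succeeds. Every script that
# touches the table must go through this; a single unlocked writer can
# still race with the others.
ipt_locked() {
    ipt_lock || return 1
    "$@"; rc=$?
    ipt_unlock
    return $rc
}

# ipt_retry CMD ARGS...: the "retry after 1 sec" fallback from the thread,
# for callers that cannot share the lock; gives up after IPT_RETRIES attempts
# so a persistent failure does not loop forever.
ipt_retry() {
    n=1
    until "$@"; do
        [ "$n" -ge "$IPT_RETRIES" ] && return 1
        n=$((n + 1))
        sleep "$IPT_RETRY_DELAY"
    done
    return 0
}
```

Later iptables releases added `-w`/`--wait`, which takes a similar lock inside the iptables binary itself, so on current systems a wrapper like this mainly matters for tools that update the table without going through iptables(8).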