Hi,

I want to make my firewall script better, so that it is not affected when other iptables commands are running at the same time (for example, an administrator invoking iptables from the shell). I don't want to change the Linux system's default files, so I don't want to make a wrapper for the iptables command. I want my script to detect the conflict, so I tried writing two test scripts like the ones below:

a.sh:

#!/bin/bash
while /bin/true; do
    # retry until the rule has been appended
    while /bin/true; do
        iptables -A INPUT -s 10.1.1.1 -j ACCEPT && break
    done
    # retry until the same rule has been deleted
    while /bin/true; do
        iptables -D INPUT -s 10.1.1.1 -j ACCEPT && break
    done
done

b.sh:

#!/bin/bash
while /bin/true; do
    # retry until the rule has been appended
    while /bin/true; do
        iptables -A INPUT -s 10.2.2.2 -j ACCEPT && break
    done
    # retry until the same rule has been deleted
    while /bin/true; do
        iptables -D INPUT -s 10.2.2.2 -j ACCEPT && break
    done
done

Then I ran the two scripts simultaneously:

./a.sh & ./b.sh

I saw a lot of error messages, but I was surprised that there are three kinds of error messages.

1. iptables: Resource temporarily unavailable.
   => This is expected, and the error code is 4. I can detect it.

2. iptables: Invalid argument. Run `dmesg' for more information.
   => I don't know why this error comes out.

3. iptables: Bad rule (does a matching rule exist in that chain?).
   => This is even more strange. It means that "iptables -D" has no entry to delete, so the last "iptables -A" reported success but actually failed to insert the rule.

It seems that running two iptables commands simultaneously is dangerous and would cause a mess. I wonder why the iptables command cannot detect/prevent the conflict itself? So I think that, for system reliability, the only way is to write a locking wrapper for the iptables command (like flock /sbin/iptables -c /sbin/iptables).

Thanks a lot for any suggestions!

Regards,
tbskyd
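
An added example, not part of the original post: one way a firewall script can serialise its own iptables calls with flock(1) and retry on the exit status 4 the post reports, without wrapping /sbin/iptables. The names ipt_locked, LOCK_FILE, IPT and MAX_TRIES and the lock path are assumptions made for this sketch; the lock only covers callers that use the same lock file, so an ad-hoc iptables command from an administrator's shell is still handled only by the retry.

```shell
#!/bin/bash
# Added example. LOCK_FILE, IPT, MAX_TRIES and ipt_locked are assumed names.

# Keep the lock file in a directory only root can write, so an unprivileged
# user cannot hold the lock and stall firewall updates.
LOCK_FILE="${LOCK_FILE:-/var/lock/myfw-iptables.lock}"   # assumed path
IPT="${IPT:-iptables}"        # can be pointed at a stub for offline testing
MAX_TRIES="${MAX_TRIES:-5}"   # upper bound on attempts when status is 4

# ipt_locked ARGS...
# Runs "$IPT ARGS..." while holding an exclusive lock on LOCK_FILE.
# Status 4 ("Resource temporarily unavailable" in the post) is retried up to
# MAX_TRIES times; every other status is returned unchanged so the caller
# still sees real errors. Returns 75 if the lock could not be taken.
ipt_locked() {
    local try=1 rc
    while :; do
        if (
            flock -x 9 || exit 75     # block until we own the lock on fd 9
            "$IPT" "$@"
        ) 9>"$LOCK_FILE"; then
            rc=0
        else
            rc=$?
        fi
        # Success or a non-transient error: hand the status back as-is.
        [ "$rc" -ne 4 ] && return "$rc"
        # Still busy after the last allowed attempt: report it, do not loop
        # forever as the test scripts in the post do.
        [ "$try" -ge "$MAX_TRIES" ] && return 4
        try=$((try + 1))
        sleep 0.2
    done
}

# Usage inside the firewall script:
#   ipt_locked -A INPUT -s 10.1.1.1 -j ACCEPT || echo "add failed: $?" >&2
```

Because the retry is bounded, a persistent conflict surfaces to the caller as status 4 and can be logged or alerted on.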