On Fri, Mar 17, 2017 at 10:20 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> My concern with this is that one iptables-restore instance may
> postpone any other iptables call indefinitely, by simply typing
> "*filter" with no COMMIT ever.

True. But unless the command is run with just plain "-w" (i.e., wait forever with no timeout), the user will get an error message that the lock is held and can take action.

Also: are you thinking about a misconfiguration or an error in a script, or malicious behaviour? A malicious actor can already block any iptables commands in the same way by running "flock -e /run/iptables.lock cat".

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
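An added example (not part of the thread, and not iptables' own code) modelling the contention discussed above: one process holds the xtables-style lock as a stalled iptables-restore would, a second caller polls for it with a bounded wait as "-w <seconds>" does, and a small probe reports whether the lock is currently held so a health check can alert on a stuck holder. The lock path is a constructed temp file standing in for the real one; function names are hypothetical.

```python
import fcntl
import os
import tempfile
import time

# Constructed stand-in for the real lock file; flock(2) semantics are the same.
LOCK_PATH = os.path.join(tempfile.gettempdir(), "demo-xtables.lock")


def hold_lock(path=LOCK_PATH):
    """Take the exclusive lock and keep it, like an iptables-restore that
    never reaches COMMIT. The caller releases it by closing the returned file."""
    f = open(path, "w")
    fcntl.flock(f, fcntl.LOCK_EX)
    return f


def try_lock(timeout, path=LOCK_PATH, poll=0.05):
    """Model "iptables -w <timeout>": poll with a non-blocking flock until the
    lock is obtained or the deadline passes. Returns (acquired, seconds_waited).
    A plain "-w" with no timeout would loop here forever."""
    start = time.monotonic()
    deadline = start + timeout
    f = open(path, "w")
    try:
        while True:
            try:
                fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
                fcntl.flock(f, fcntl.LOCK_UN)
                return True, time.monotonic() - start
            except BlockingIOError:
                if time.monotonic() >= deadline:
                    return False, time.monotonic() - start
                time.sleep(poll)
    finally:
        f.close()


def lock_is_held(path=LOCK_PATH):
    """Health-check probe: True if some process currently holds the lock.
    Run periodically; a lock held for longer than any legitimate restore
    takes is the signal that a script hung or someone is pinning it."""
    f = open(path, "w")
    try:
        fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
        fcntl.flock(f, fcntl.LOCK_UN)
        return False
    except BlockingIOError:
        return True
    finally:
        f.close()
```

Each open() creates a separate open file description, so the holder and the probe conflict even when run from one process, which is what makes the example self-contained.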