ufw doesn't support concurrent updates

There was a problem with the patch and this will be in the next release of ufw.

Is there any update on this? I know there is a -w command in iptables with this patch https://patchwork.ozlabs.org/patch/635676/. Is there a way to call through ufw to set this option to increase the waits?

@Christopher - I implemented this a bit differently but had some troubles with the testsuite. I think '-w' would be much simpler. There isn't a way to pass this into ufw, but you could modify backend_iptables.py towards the end of set_rule() to pass the flag.

OK great. I will work on this patch.

Is there a current work around for this, otherwise I have to re-write a bunch of code to go to iptables

@Luke, you could modify backend_iptables.py as mentioned in comment #5 or you could perhaps use 'man 1 flock' or implement a lock wrapper around your invocation of ufw.

That said, since didn't hear back from Christopher, I'll take a look at implementing this for 0.36.

Hi all. I posted a question on this last December, but I never received feedback on it. Here is the bug report https://bugs.launchpad.net/ufw/+bug/1652163.

the flock worked perfectly thank you!

This is in git master now and in the ufw snap in candidate.

This is fixed in the new 0.36 release.

This bug was fixed in the package ufw - 0.36-1

---------------
ufw (0.36-1) unstable; urgency=medium

  * New upstream release (LP: #1782384, LP: #1664133, LP: #1509725,
    LP: #1695718, LP: #1719211, LP: #1775043, LP: #1204579, LP: #1652163,
    LP: #1377600, Closes: 686248, LP: #1368411, LP: #1586258, Closes: 909163,
    Closes: 884932, LP: #1558068)
    - drop 0002-bug849628.patch (included upstream)
    - drop 0003-use-default-tcp-syncookies.patch (included upstream)
    - drop 0004-lp1633698.patch (included upstream)
  * Remaining changes:
    - 0001-optimize-boot.patch
  * debian/ufw.maintscript: remove /etc/bash_completion.d/ufw on upgrade
    (LP: #1602834)
  * debian/control: remove no longer needed xs-python-version and
    x-python3-version fields
  * update debian/before6.rules.md5sum for file shipped in 0.35-6. While both
    before.rules and before6.rules were updated in this new upstream release,
    0.35-6 mistakenly already had its own md5sum for before.rules, so we don't
    need to add it now.

 -- Jamie Strandboge <email address hidden> Fri, 14 Dec 2018 17:50:47 +0000

An upload of ufw to cosmic-proposed has been rejected from the upload queue for the following reason: "All bugs mentioned in the .changes file (so therefore also in the new debian/changelog entries) need to comply with SRU standards (test-case, regression potential). Please re-upload after filling out the required info or modify changelog to exclude irrelevant bug numbers.".

Hello Jeremy, or anyone else affected,

Accepted ufw into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ufw/0.36-0ubuntu0.18.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Jeremy, or anyone else affected,

Accepted ufw into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ufw/0.36-0ubuntu0.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Tested this is fixed in cosmic:

$ apt-cache policy ufw
ufw:
  Installed: 0.36-0ubuntu0.18.10.1
  Candidate: 0.36-0ubuntu0.18.10.1
  Version table:
 *** 0.36-0ubuntu0.18.10.1 500
        500 http://us.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu cosmic-proposed/main i386 Packages
        100 /var/lib/dpkg/status
     0.35-6 500
        500 http://us.archive.ubuntu.com/ubuntu cosmic/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu cosmic/main i386 Packages

Verified this is fixed in bionic:

$ apt-cache policy ufw
ufw:
  Installed: 0.36-0ubuntu0.18.04.1
  Candidate: 0.36-0ubuntu0.18.04.1
  Version table:
 *** 0.36-0ubuntu0.18.04.1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic-proposed/main i386 Packages
        100 /var/lib/dpkg/status
     0.35-5 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic/main i386 Packages

This bug was fixed in the package ufw - 0.36-0ubuntu0.18.10.1

---------------
ufw (0.36-0ubuntu0.18.10.1) cosmic-proposed; urgency=medium

  * Backport to cosmic addressing the following SRU bugs:
    - LP: #1811129 - master SRU bug
    - LP: #1664133 - before6.rules: echo-reply needs to be before INVALID
    - LP: #1719211 - improve interface name checks
    - LP: #1775043 - shell-completion/bash: adjust for modern bash
    - LP: #1204579 - support concurrent updates
    - LP: #1368411 - add 'prepend' command

 -- Jamie Strandboge <email address hidden> Mon, 25 Mar 2019 20:46:10 +0000

The verification of the Stable Release Update for ufw has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package ufw - 0.36-0ubuntu0.18.04.1

---------------
ufw (0.36-0ubuntu0.18.04.1) bionic-proposed; urgency=medium

  * Backport to bionic addressing the following SRU bugs:
    - LP: #1811129 - master SRU bug
    - LP: #1664133 - before6.rules: echo-reply needs to be before INVALID
    - LP: #1719211 - improve interface name checks
    - LP: #1775043 - shell-completion/bash: adjust for modern bash
    - LP: #1204579 - support concurrent updates
    - LP: #1368411 - add 'prepend' command

 -- Jamie Strandboge <email address hidden> Mon, 25 Mar 2019 21:14:25 +0000

ufw does not support rule removal. For a particular project (a task queue on a cloud adhoc HPC cluster), I have had the occasion to test it in a relatively massive parallel rate (20 concurrent uses). I have experienced:
- nice behaviour when adding rules,
- bad behaviour when removing rules.

I was triggering ufw with ansible parallel playbooks execution.

When removing rules the defect rate was high (as soon as more than two playbooks were launched together, some of the rules were not deleted). In that case, ufw fails silently, which is quite bad.

As a counter measure I used task-spooler (apt install task-spooler) I changed my ansible task from:
```yaml
community.general.ufw:
   from_ip: "{{ hostvars[nodename].ipv4 }}"
   rule: allow
   delete: yes
```

to
```yaml
ansible.builtin.script:
   cmd: /usr/bin/tsp /usr/sbin/ufw delete allow from "{{ hostvars[nodename].ipv4 }}"
   become: true
```

This solved the issue.

I have declared also the bug in Ansible collection repo, however this is clearly a UFW bug:
https://github.com/ansible-collections/community.general/issues/4769