#277 Another app is currently holding the xtables lock.

open
nobody
None
5
2018-02-06
2016-11-21
No

Hi,

It seems that, due to this change in the iptables code, the reset_iptables_v4() function in generated .fw scripts fails with the error:

  Activating firewall script generated Mon Nov 21 10:08:52 2016 by chris
  Running prolog script
  Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Specifically, this loop:

  $IPTABLES -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        $IPTABLES -t $table -F $chain
      fi
  done

creates a race condition. The solution I found is to replace it with:

    # Capture the chain listing first, so the listing command has exited
    # before any flush command runs.
    chains_to_reset=`$IPTABLES -t $table -L -n`
    echo "$chains_to_reset" | while IFS= read -r line; do
      c=`echo "$line" | cut -d' ' -f1`
      chain=`echo "$line" | cut -d' ' -f2`
      if test "X$c" = "XChain" ; then
        $IPTABLES -t $table -F $chain
      fi
    done

Regards,
Chris
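
Added example, not part of the original post or of the project's generated script: the race described above, reproduced against a constructed stand-in for iptables, comparing the piped loop with the capture-then-flush fix. The names fake_iptables, LOCK, FLUSHED, reset_piped and reset_snapshot are assumptions made for the demo, and the failure return value is an addition the post's snippet does not have.

```shell
# Constructed stand-in for iptables so this runs offline and unprivileged.
# A directory models the xtables lock: -L holds it until the listing process
# exits, and -F fails while it is held (the error quoted in the post).
LOCK="${TMPDIR:-/tmp}/xtables-demo.$$"
FLUSHED=""
fake_iptables() {
    case "$3" in
    -L) mkdir "$LOCK" || return 4
        printf 'Chain INPUT (policy ACCEPT)\ntarget prot opt source destination\n'
        printf 'Chain FORWARD (policy ACCEPT)\nChain OUTPUT (policy ACCEPT)\n'
        sleep 1                 # listing still running, lock still held
        rmdir "$LOCK" ;;
    -F) if [ -d "$LOCK" ]; then
            echo "Another app is currently holding the xtables lock." >&2
            return 4
        fi
        FLUSHED="$FLUSHED $4" ;;
    esac
}
IPTABLES=fake_iptables

# Pattern from the generated script: flushes start while the listing process
# is still attached to the pipe. Returns 1 if any flush failed.
reset_piped() {
    $IPTABLES -t "$1" -L -n | (
        rc=0
        while read -r c chain rest; do
            if test "X$c" = "XChain"; then
                $IPTABLES -t "$1" -F "$chain" || rc=1
            fi
        done
        exit $rc
    )
}

# Fix from the post: the listing completes before the first flush. Added here:
# a non-zero return so the caller can stop rather than load rules onto a
# partially flushed table.
reset_snapshot() {
    listing=$($IPTABLES -t "$1" -L -n) || return 1
    rc=0
    for chain in $(printf '%s\n' "$listing" | awk '$1 == "Chain" { print $2 }'); do
        $IPTABLES -t "$1" -F "$chain" || rc=1
    done
    return $rc
}

reset_piped filter 2>/dev/null || echo "piped: at least one flush hit the lock"
reset_snapshot filter && echo "snapshot: flushed$FLUSHED"
```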

Discussion

  • Andrew W

    Andrew W - 2018-02-05

    I've just had the same issue, and this fixed it. Thanks, Chris.

    How can we get this put into the current release? In the meantime, can I edit any files in the current release? I take it there are templates?

    Last edit: Andrew W 2018-02-05
  • Rado Q

    Rado Q - 2018-02-06

    What's wrong with using "-w" for iptables as suggested?

     
  • Andrew W

    Andrew W - 2018-02-06

    This is because the "-w" will only cause the task to give up after a defined number of seconds and risk security, as the firewall may not have its complete rule set, or it will still fail (but maybe less often): "-w [seconds] maximum wait to acquire xtables lock before give up". The newer version of iptables no longer suggests this as a workaround. Also, I would rather fix an issue than use a sticking plaster.

    I've found the code to replace in the file in reset_iptables.txt

     
