Another app is currently holding the xtables lock.
Hi,
It seems that, due to this change in iptables code, the reset_iptables_v4() function in generated .fw scripts fails with error:

    Activating firewall script generated Mon Nov 21 10:08:52 2016 by chris
    Running prolog script
    Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Specifically, this loop:

    $IPTABLES -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
creates a race condition. The solution I found is to replace it with:

    # List the chains first, so the listing command has finished before any chain is flushed
    chains_to_reset=`$IPTABLES -t $table -L -n`
    echo "$chains_to_reset" | while IFS= read -r line; do
        c=`echo $line | cut -d' ' -f1`
        chain=`echo $line | cut -d' ' -f2`
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
Regards,
Chris
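Added example, not part of the original post or of the generated .fw script: a self-contained shell model of why the piped loop loses the race and the captured list does not. `fake_iptables`, the lock directory and the one-second hold are constructed stand-ins (assumptions); no real iptables is invoked and no root is needed.

```shell
#!/bin/sh
# Constructed stand-in for iptables; a directory models the xtables lock.
LOCKDIR="${TMPDIR:-/tmp}/xtables-demo.$$"
IPTABLES=fake_iptables
table=filter

fake_iptables() {   # called as: -t TABLE -L -n   or   -t TABLE -F CHAIN
    if [ "$3" = "-L" ]; then
        mkdir "$LOCKDIR" || return 1      # the lister takes the lock
        echo "Chain INPUT (policy ACCEPT)"
        echo "target     prot opt source               destination"
        echo "Chain FORWARD (policy ACCEPT)"
        echo "Chain OUTPUT (policy ACCEPT)"
        sleep 1            # exaggerated window: output written, lock still held
        rmdir "$LOCKDIR"   # lock is released only when the lister finishes
    elif mkdir "$LOCKDIR" 2>/dev/null; then
        rmdir "$LOCKDIR"; echo "OK $4"
    else
        echo "FAIL $4 (lock held)"; return 1   # no -w: give up at once
    fi
}

reset_piped() {      # loop as quoted from the generated script
    $IPTABLES -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
}

reset_captured() {   # replacement quoted from the post
    chains_to_reset=`$IPTABLES -t $table -L -n`
    echo "$chains_to_reset" | while IFS= read -r line; do
        c=`echo $line | cut -d' ' -f1`
        chain=`echo $line | cut -d' ' -f2`
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
}

# Count failed flushes; errexit is switched off so every flush is attempted.
count_failures() { ( set +e; "$1" ) | grep -c '^FAIL' || true; }

echo "piped loop:    $(count_failures reset_piped) failed flushes"
echo "captured list: $(count_failures reset_captured) failed flushes"
```

In the piped form the flushes start while the listing process is still alive and holding the lock; in the captured form the command substitution does not return until that process has exited.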
I've just had the same issue, and this fixed it. Thanks Chris
How can we get this put into the current release? In the meantime, can I edit any files in the current release? I take it there are templates?
Last edit: Andrew W 2018-02-05
What's wrong with using "-w" for iptables as suggested?
This is because the "-w" will only cause the task to give up after a defined number of seconds and risk security, as the firewall may not have its complete rule set, or it will still fail (but maybe less often): "-w [seconds] maximum wait to acquire xtables lock before give up". The newer version of iptables no longer suggests this as a workaround. Also, I would rather fix an issue than use a sticking plaster.
I've found the code to replace in the file in reset_iptables.txt