When booting the system, both webmin-iptables.service and webmin-ip6tables.service are trying to load boot iptables and one of them fails because the other holds the lock.
The fail message is (seen in systemctl status):
Apr 08 13:03:52 wm systemd[1]: Starting Load ip6tables save file...
Apr 08 13:03:52 wm sh[583]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Apr 08 13:03:52 wm systemd[1]: webmin-ip6tables.service: Main process exited, code=exited, status=4/NOPERMISSION
Apr 08 13:03:52 wm systemd[1]: webmin-ip6tables.service: Failed with result 'exit-code'.
Apr 08 13:03:52 wm systemd[1]: Failed to start Load ip6tables save file.
Webmin Version: 1.973
OS: Ubuntu 20.04.2 LTS
iptables v1.8.4 (legacy)
I solved this by adding the following to webmin-ip6tables.service in the [Unit] group:
After=webmin-iptables.service
This ensures both can load without colliding and failing on the lock.
Hi,
Thanks for the heads up!
Check this patch out -
https://github.com/webmin/webmin/commit/50b0da315f3a8c56b1333a815427c65f21dde8e2
I'm not sure how this is connected.
I am talking about systemd service called webmin-iptables.service
I could not locate it on GitHub; maybe I'm misunderstanding who is responsible for this file.
Sorry, you're right. It's not connected. I misread your issue.
Are you sure that locking is the issue? Looks like it actually failed with the error:
webmin-ip6tables.service: Main process exited, code=exited, status=4/NOPERMISSION
Yes, I am pretty sure because of this message in the log:
And this article:
https://utcc.utoronto.ca/~cks/space/blog/linux/IptablesWOptionFumbles
And the fact that starting the failed service post boot works. (So it's not a permanent failure, it just fails when it's run automatically at boot.)
Ok I did some research, and found that this "xtables lock" error comes from the iptables-restore command if two instances get run at once. The fix is to add the -w flag to the command, so that it waits for the lock to become available.
Ok, the next release of Webmin will set this flag.
As a work-around, you can edit those bootup actions and add the -w flag to the iptables-restore command.
I just ran into this exact problem with a new Ubuntu 20.04 install and Webmin 1.981. I looked at the systemctl unit files for webmin-iptables.service and webmin-ip6tables.service and the ExecStart cmds do not have the -w flag:
Adding the "-w 30" flag in both unit files allowed both iptables and ip6tables rules to be restored at startup.
Since I'm running Webmin 1.981, please check if the fix was lost at some point.
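A check for the condition discussed in this thread, as an added example that is not part of the original posts or Webmin's own code: it lists systemd units whose Exec lines call iptables-restore or ip6tables-restore without -w/--wait. The function name `find_unwaited_restore`, the default directory `/etc/systemd/system`, and the sample unit contents (including the placeholder rule-file paths) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Webmin code): list systemd units whose Exec* lines call
# iptables-restore / ip6tables-restore without -w/--wait. Without the wait
# option, two restores started in parallel at boot race for the xtables lock
# and the loser exits, leaving that rule set unloaded.

# find_unwaited_restore DIR
# Prints "unit: line" for each offending line; returns 1 if any was found.
find_unwaited_restore() {
    dir=${1:-/etc/systemd/system}   # assumed default location of the units
    rc=0
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        # Exec lines that invoke a restore binary, minus those that already
        # pass -w / --wait (optionally with a timeout such as "-w 30").
        hits=$(grep -E '^Exec[A-Za-z]*=.*ip6?tables(-legacy|-nft)?-restore' "$unit" |
               grep -Ev '[[:space:]](-w|--wait)([^[:alpha:]-]|$)' || true)
        [ -n "$hits" ] || continue
        printf '%s\n' "$hits" | while IFS= read -r line; do
            printf '%s: %s\n' "${unit##*/}" "$line"
        done
        rc=1
    done
    return "$rc"
}

# Constructed sample units; the ExecStart commands and rule-file paths are
# placeholders, not copied from a Webmin install.
demo=$(mktemp -d)
cat >"$demo/webmin-iptables.service" <<'EOF'
[Unit]
Description=Load iptables save file
[Service]
Type=oneshot
ExecStart=/bin/sh -c '/sbin/iptables-restore -w 30 </path/to/v4.rules'
EOF
cat >"$demo/webmin-ip6tables.service" <<'EOF'
[Unit]
Description=Load ip6tables save file
[Service]
Type=oneshot
ExecStart=/bin/sh -c '/sbin/ip6tables-restore </path/to/v6.rules'
EOF
find_unwaited_restore "$demo"   # reports only webmin-ip6tables.service
rm -rf "$demo"
```

A non-zero return after a Webmin upgrade or a regenerated unit file means a restore command is again exposed to the boot-time lock race.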