
Bug 501710

Summary: net-firewall/iptables-1.4.20 - /etc/init.d/iptables: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Product: Gentoo Linux
Reporter: Petr Pisar <petr.pisar>
Component: [OLD] Core system
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED
Severity: normal
CC: sbraz
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Patch for /etc/init.d/iptables

Description Petr Pisar 2014-02-18 19:20:25 UTC
iptables 1.4.20 introduced an internal lock <https://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8> which causes failures when stopping iptables and ip6tables in parallel (rc_parallel="YES") at system shutdown:

iptables         |Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
[...]
ip6tables        |Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

iptables(8) manual reads:

       -w, --wait
              Wait for the xtables lock.  To prevent multiple instances of the
              program from running concurrently, an attempt will be made to
              obtain an exclusive lock at launch.  By default, the program
              will exit if the lock cannot be obtained.  This option will make
              the program wait until the exclusive lock can be obtained.

To prevent such error messages and failing /etc/init.d/ip{,6}tables stop actions, I recommend adding the `-w' option to the init scripts where ${iptables_bin} is called.

Comment 1 Petr Pisar 2014-02-20 17:28:37 UTC
Created attachment 370892
Patch for /etc/init.d/iptables

This patch implements the change in the init script.
Comment 3 Louis Sautier (sbraz) gentoo-dev 2018-11-03 14:50:27 UTC
Re-opening this because the issue is still present, apparently because iptables-restore also needs that -w option:
ip6tables          |+ '[' '!' -f /var/lib/ip6tables/rules-save ']'
ip6tables          |+ return 0
ip6tables          |+ ebegin 'Loading ip6tables state and starting firewall'
iptables           | * Loading iptables state and starting firewall ...
ip6tables          | * Loading ip6tables state and starting firewall ...
ip6tables          |+ /sbin/ip6tables-restore -c
ip6tables          |Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
ip6tables          |+ eend 4    [ !! ]
ip6tables          |+ exit 4
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-20 15:31:05 UTC
FYI: You could have used SAVE_RESTORE_OPTIONS already. But incoming patch.
Comment 5 Larry the Git Cow gentoo-dev 2018-11-20 15:36:46 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cdc003118830087bbb409761fe4e0e2c19ea103a

commit cdc003118830087bbb409761fe4e0e2c19ea103a
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-11-20 15:36:22 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-20 15:36:38 +0000

    net-firewall/iptables: multiple fixes for runscript
    
    - We are now passing iptables "--wait" option to every iptables
      command which needs to acquire a lock. [Bug 501710]
    
    - In addition, "--wait" (IPTABLES_LOCK_WAIT_TIME) and "--wait-interval"
      (IPTABLES_LOCK_WAIT_INTERVAL) is now configurable via
      /etc/conf.d/{iptables,ip6tables}.
    
    - We are now only installing one runscript and now using a symlink
      for the ip6tables runscript.
    
    - Error detection improved/added.
    
    Closes: https://bugs.gentoo.org/501710
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-firewall/iptables/files/ip6tables-r1.confd |  27 +++++
 net-firewall/iptables/files/iptables-r1.confd  |  27 +++++
 net-firewall/iptables/files/iptables-r1.init   | 159 +++++++++++++++++++++++++
 net-firewall/iptables/iptables-1.8.2-r1.ebuild | 129 ++++++++++++++++++++
 4 files changed, 342 insertions(+)
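
The failure mode from this report and the effect of waiting can be reproduced without touching the firewall. The sketch below is an added example, not code from the Gentoo runscript or from iptables: a scratch file locked with flock(1) stands in for the xtables lock, and `LOCK`, `hold_lock`, `try_locked` and `demo` are hypothetical names. It assumes flock(1) is installed.

```shell
#!/bin/sh
# Added example: a scratch file locked with flock(1) stands in for the xtables
# lock. LOCK, hold_lock, try_locked and demo are hypothetical names.
LOCK="${TMPDIR:-/tmp}/xtables-demo.$$.lock"

# Play the first service: take the lock in the background for $1 seconds.
hold_lock() {
    ( flock -x 9; sleep "$1" ) 9>"$LOCK" &
    sleep 1    # let the background holder acquire the lock first
}

# Play the second service: run "$@" under the lock.
#   $1 = seconds to wait (0 = give up at once, like a call without -w)
#   $2 = seconds between attempts (the role of --wait-interval)
# Returns 4 if the lock could not be obtained, else the command's status.
try_locked() {
    wait_s=$1 interval_s=$2
    shift 2
    (
        waited=0
        until flock -n 9; do
            [ "$waited" -ge "$wait_s" ] && exit 4
            sleep "$interval_s"
            waited=$((waited + interval_s))
        done
        "$@"
    ) 9>"$LOCK"
}

# Contend for the lock twice while it is held; prints "<no-wait> <wait>".
demo() {
    hold_lock 3
    no_wait=0;   try_locked 0 1 true || no_wait=$?
    with_wait=0; try_locked 5 1 true || with_wait=$?
    wait
    rm -f "$LOCK"
    echo "$no_wait $with_wait"
}

RESULT=$(demo)
echo "status without wait / with wait: $RESULT"
```

The first attempt fails immediately with status 4, matching the `exit 4` in the trace from comment 3; the second succeeds once the holder releases the lock, which is why every locking call in a parallel-started runscript needs the wait option.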