iptables 1.4.20 introduced an internal lock <https://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8> which causes failures when stopping iptables and ip6tables in parallel (rc_parallel="YES") at system shutdown:

  iptables |Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
  [...]
  ip6tables |Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

iptables(8) manual reads:

  -w, --wait
      Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained. This option will make the program wait until the exclusive lock can be obtained.

To prevent such error messages and failing /etc/init.d/ip{,6}tables stop actions, I recommend adding the `-w' option to the init scripts where ${iptables_bin} is called.
Created attachment 370892: Patch for /etc/init.d/iptables

This patch implements the change in the init script.
Should be fixed in 1.4.21-r2: http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27a2f5aa3b111e62f52fcd3f66f763293f24871b
Re-opening this because the issue is still present, apparently because iptables-restore also needs that -w option:

  ip6tables |+ '[' '!' -f /var/lib/ip6tables/rules-save ']'
  ip6tables |+ return 0
  ip6tables |+ ebegin 'Loading ip6tables state and starting firewall'
  iptables  | * Loading iptables state and starting firewall ...
  ip6tables | * Loading ip6tables state and starting firewall ...
  ip6tables |+ /sbin/ip6tables-restore -c
  ip6tables |Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
  ip6tables |+ eend 4
  [ !! ]
  ip6tables |+ exit 4
FYI: You could have used SAVE_RESTORE_OPTIONS already. But incoming patch.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cdc003118830087bbb409761fe4e0e2c19ea103a

  commit cdc003118830087bbb409761fe4e0e2c19ea103a
  Author:     Thomas Deutschmann <whissi@gentoo.org>
  AuthorDate: 2018-11-20 15:36:22 +0000
  Commit:     Thomas Deutschmann <whissi@gentoo.org>
  CommitDate: 2018-11-20 15:36:38 +0000

  net-firewall/iptables: multiple fixes for runscript

  - We are now passing iptables "--wait" option to every iptables command which needs to acquire a lock. [Bug 501710]
  - In addition, "--wait" (IPTABLES_LOCK_WAIT_TIME) and "--wait-interval" (IPTABLES_LOCK_WAIT_INTERVAL) is now configurable via /etc/conf.d/{iptables,ip6tables}.
  - We are now only installing one runscript and now using a symlink for the ip6tables runscript.
  - Error detection improved/added.

  Closes: https://bugs.gentoo.org/501710
  Package-Manager: Portage-2.3.52, Repoman-2.3.12
  Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

  net-firewall/iptables/files/ip6tables-r1.confd |  27 +++++
  net-firewall/iptables/files/iptables-r1.confd  |  27 +++++
  net-firewall/iptables/files/iptables-r1.init   | 159 +++++++++++++++++++++++++
  net-firewall/iptables/iptables-1.8.2-r1.ebuild | 129 ++++++++++++++++++++
  4 files changed, 342 insertions(+)
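As an added illustration of the lock race described in comment 1 and of the --wait/--wait-interval knobs the closing commit introduces (example code, not from the bug report or the Gentoo runscript; the mkdir-based lock directory, the retry cap and the conf.d defaults are assumptions):

```shell
#!/bin/sh
# Added example, not from the bug report: models the xtables lock so the
# rc_parallel="YES" race can be reproduced without root or a kernel.
# Assumption: the lock is a mkdir-based mutex under $TMPDIR; real iptables
# locks /run/xtables.lock, but the "exit vs. wait" semantics are the same.
LOCKDIR="${TMPDIR:-/tmp}/xtables-demo.lock"

# fake_iptables MODE HOLD_SECS
#   nowait: like plain iptables, give up (exit 4) if the lock is busy
#   wait:   like iptables -w, retry until the lock is obtained
#           (capped at 50 retries only to keep the demo bounded)
fake_iptables() {
    mode=$1; hold=$2; tries=0
    until mkdir "$LOCKDIR" 2>/dev/null; do
        if [ "$mode" = nowait ] || [ "$tries" -ge 50 ]; then
            echo "Another app is currently holding the xtables lock." >&2
            return 4
        fi
        tries=$((tries + 1)); sleep 0.1
    done
    sleep "$hold"          # time spent flushing/saving rules
    rmdir "$LOCKDIR"
}

# run_parallel MODE: run the iptables and ip6tables stop actions at the
# same time, as openrc does with rc_parallel; prints the failure count.
run_parallel() {
    rmdir "$LOCKDIR" 2>/dev/null || true
    fake_iptables "$1" 1 & p1=$!
    fake_iptables "$1" 1 & p2=$!
    failed=0
    wait "$p1" || failed=$((failed + 1))
    wait "$p2" || failed=$((failed + 1))
    echo "$failed"
}

# ipt_wait_opts: the option string the -r1 runscript builds from the
# conf.d variables named in the closing commit (defaults are assumed).
ipt_wait_opts() {
    printf -- '--wait %s --wait-interval %s' \
        "${IPTABLES_LOCK_WAIT_TIME:-60}" "${IPTABLES_LOCK_WAIT_INTERVAL:-1000}"
}

# Demo: without -w one of the two stop actions fails, with -w none do.
echo "without -w: $(run_parallel nowait) failure(s)"   # 1
echo "with -w:    $(run_parallel wait) failure(s)"     # 0
echo "runscript adds: $(ipt_wait_opts)"
```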