Bug 646762 - net-firewall/iptables-1.6.2: only one rules set is restored due to xtables lock if both iptables-restore.service and ip6tables-restore.service are enabled
Status: RESOLVED FIXED
Product: Gentoo Linux
Component: Current packages
Hardware: All Linux
Assignee: Gentoo's Team for Core System packages
Reported: 2018-02-06 13:33 UTC by Dragan Kašler
Modified: 2018-02-22 17:22 UTC

Attachments
emerge -p iptables (emerge.p.iptables, 466 bytes, text/plain) - 2018-02-06 13:34 UTC, Dragan Kašler
emerge --info (emerge.info, 13.75 KB, text/plain) - 2018-02-06 13:35 UTC, Dragan Kašler

Description Dragan Kašler 2018-02-06 13:33:12 UTC
Since the last package update, iptables (under systemd, at least) doesn't restore both rules-save files if iptables-restore.service and ip6tables-restore.service are enabled at the same time; one of them fails with the following message:

● iptables-restore.service - Restore iptables firewall rules
   Loaded: loaded (/lib/systemd/system/iptables-restore.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2018-02-06 14:07:56 CET; 7min ago
  Process: 202 ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save (code=exited, status=4)
 Main PID: 202 (code=exited, status=4)

Feb 06 14:07:56 pb4330s systemd[1]: Starting Restore iptables firewall rules...
Feb 06 14:07:56 pb4330s iptables-restore[202]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Feb 06 14:07:56 pb4330s systemd[1]: iptables-restore.service: Main process exited, code=exited, status=4/NOPERMISSION
Feb 06 14:07:56 pb4330s systemd[1]: iptables-restore.service: Failed with result 'exit-code'.
Feb 06 14:07:56 pb4330s systemd[1]: Failed to start Restore iptables firewall rules.

With a few reboots, this could cause loss of all iptables and ip6tables rules; everything would be set to ACCEPT.

The issue is easily fixed by adding the mentioned "-w" option (I set it to 60, but a smaller value could be fine too, I suppose):

pb4330s ~ # diff /lib/systemd/system/iptables-restore.service /usr/portage/net-firewall/iptables/files/systemd/iptables-restore.service
11c11
< ExecStart=/sbin/iptables-restore -w 60 /var/lib/iptables/rules-save
---
> ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save
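Review bot: the left-hand file in this diff is /lib/systemd/system/iptables-restore.service, which belongs to the package, so the edit is overwritten the next time net-firewall/iptables is re-emerged. The same change survives updates as a drop-in, e.g. /etc/systemd/system/iptables-restore.service.d/wait.conf with a [Service] section containing an empty `ExecStart=` (to clear the packaged command) followed by `ExecStart=/sbin/iptables-restore -w 60 /var/lib/iptables/rules-save`.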
pb4330s ~ # diff /lib/systemd/system/ip6tables-restore.service /usr/portage/net-firewall/iptables/files/systemd/ip6tables-restore.service
11c11
< ExecStart=/sbin/ip6tables-restore -w 60 /var/lib/ip6tables/rules-save
---
> ExecStart=/sbin/ip6tables-restore /var/lib/ip6tables/rules-save
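Review bot: `-w 60` is an upper bound on how long ip6tables-restore blocks waiting for the xtables lock, not a fixed delay, so it adds nothing to boot time when the lock is free; that is worth stating in the report so nobody picks a tiny value out of caution. Serializing the two units instead (After=iptables-restore.service in this file) would also remove the race between these two jobs, but only the `-w` change covers any other boot-time user of the lock, so the option is the better fix and the ordering at most a complement.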
pb4330s ~ # 

Reproducible: Always

Steps to Reproduce:
1. configure and save both iptables and ip6tables rules
2. enable both iptables-[store,restore] and ip6tables-[store,restore] services
3. reboot
Actual Results:  
Either iptables or ip6tables rules are not restored due to xtables lock.

Expected Results:  
Both iptables and ip6tables rules are restored after reboot.
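The race the report describes, as an added example that is not part of the bug report or of the iptables package: iptables takes an exclusive flock on /run/xtables.lock, and two restore units started in parallel by systemd contend for it. The script below recreates that with flock(1) on a scratch file (the scratch path and the use of exit code 4, matching the status=4 in the journal above, are assumptions), so the difference between the stock unit and the -w form can be seen without root or a real firewall.

```shell
#!/bin/sh
# Added example, not from the bug report or the iptables package.
# iptables-restore takes an exclusive flock on /run/xtables.lock; two
# restore units started in parallel by systemd race for it.  Recreate that
# race with flock(1) on a scratch file (assumed path; no root needed).
# Exit code 4 mirrors the status=4 seen in the journal (assumption).

LOCK="${XTABLES_LOCK_DEMO:-/tmp/xtables.lock.demo}"

# Stand-in for the competing restore job: take the lock and keep it for
# $1 seconds in the background (the lock lives as long as fd 9 is open).
hold_lock() {
    ( flock -x 9 && sleep "$1" ) 9>"$LOCK" &
    sleep 1   # let the holder actually acquire the lock before we contend
}

# Stock unit: ExecStart=/sbin/iptables-restore rules-save (no -w).
# Try the lock once and give up immediately, which is what produces
# "Another app is currently holding the xtables lock".
restore_nowait() {
    if flock -n -x 9 9>"$LOCK"; then
        return 0
    fi
    return 4
}

# Fixed unit: ExecStart=/sbin/iptables-restore -w $1 rules-save.
# Block for up to $1 seconds; succeed as soon as the other job lets go.
restore_wait() {
    if flock -w "$1" -x 9 9>"$LOCK"; then
        return 0
    fi
    return 4
}

# Run both variants against a held lock and report their exit codes.
demo() {
    hold_lock 3
    if restore_nowait; then nowait_rc=0; else nowait_rc=4; fi
    if restore_wait 60; then wait_rc=0; else wait_rc=4; fi
    wait   # reap the background holder
    echo "stock unit (no -w): exit $nowait_rc"
    echo "fixed unit (-w 60): exit $wait_rc"
}

demo
```

The waiting variant returns as soon as the holder releases the lock, well before the 60-second limit; the limit only matters if something else keeps the lock for the whole period, which is the situation in which the unit should fail and be visible in the journal rather than hang boot.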
Comment 1 Dragan Kašler 2018-02-06 13:34:50 UTC
Created attachment 518072
emerge -p iptables
Comment 2 Dragan Kašler 2018-02-06 13:35:18 UTC
Created attachment 518074
emerge --info