Bug 1477413 – Firewall fails to apply when using iptables-services

Bug 1477413 - Firewall fails to apply when using iptables-services

Summary:	Firewall fails to apply when using iptables-services

Status:	MODIFIED

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	iptables (Show other bugs)
Sub Component:
Version:	7.4
Hardware:	Unspecified Unspecified

Priority	urgent Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Eric Garver
QA Contact:	qe-baseos-daemons
Docs Contact:

URL:
Whiteboard:
Keywords:	Regression, Security, ZStream

Duplicates:	1477638 (view as bug list)
Depends On:
Blocks:	1420851 1481207
	Show dependency tree / graph

Reported:	2017-08-01 23:27 EDT by Steven Haigh
Modified:	2017-08-15 10:18 EDT (History)
CC List:	24 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Clones:	1481207 (view as bug list)
Environment:
Last Closed:
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Service wait patch (512 bytes, patch) 2017-08-09 07:29 EDT, Thomas Woerner	no flags	Details \| Diff
Service wait patch (1.83 KB, patch) 2017-08-09 09:46 EDT, Thomas Woerner	no flags	Details \| Diff
Proposed patch (1.89 KB, patch) 2017-08-09 09:53 EDT, Thomas Woerner	no flags	Details \| Diff
Final patch (1.93 KB, patch) 2017-08-09 10:55 EDT, Thomas Woerner	no flags	Details \| Diff
Show Obsolete (3) Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1438597	None	None	None	2017-08-02 09:00 EDT
Red Hat Knowledge Base (Solution)	3138851	None	None	None	2017-08-03 11:17 EDT

Groups: None (edit)

Description Steven Haigh 2017-08-01 23:27:35 EDT

Description of problem:
I use a very basic firewall applied via the systemd services iptables & ip6tables.

The latest version randomly fails on start with an x-locking issue and suggest the -w option in the failure message.

I fixed this by adding the '-w 1' option to all calls to iptables-restore and ip6tables-restore in /usr/libexec/iptables/*

This seems to reliably fix the problem.

Note: For some reason, just specifying -w complains about a non-numeric option. Maybe something is interacting?

Version-Release number of selected component (if applicable):
iptables-services-1.4.21-18.el7.x86_64

Comment 2 Steven Haigh 2017-08-02 09:00:25 EDT

Added possibly related backport issue.

Comment 3 Jarno Huuskonen 2017-08-02 09:16:33 EDT

I have the same problem: after iptables-services-1.4.21-18.el7.x86_64 / iptables-1.4.21-18.el7.x86_64 update:
On server boot either iptables.service or ip6tables.service fails to start with:
iptables.init: iptables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

and add --wait <num> to /usr/libexec/iptables/* seems to fix this.

Comment 4 Phil Perry 2017-08-05 10:58:16 EDT

I can confirm this only affects systems where firewalld is disabled and BOTH iptables AND ip6tables are enabled. If, for example, only iptables (IPv4) service is enabled, the service starts fine upon reboot.

Comment 6 Thomas Woerner 2017-08-09 07:29 EDT

Created attachment 1311172 [details]
Service wait patch

Proposed fix to fix the service wait issue with the restore wait patches applied.

Comment 7 Thomas Woerner 2017-08-09 08:26:35 EDT

*** Bug 1477638 has been marked as a duplicate of this bug. ***

Comment 9 Steven Haigh 2017-08-09 08:58:05 EDT

With the update to iptables, I wonder if it makes sense to include -W 100 as well.

The man page shows:
       -W, --wait-interval microseconds
              Interval  to  wait  per  each iteration.  When running latency sensitive applications, waiting for the xtables lock for extended durations may not be acceptable. This option will make each iteration take the amount of
              time specified. The default interval is 1 second. This option only works with -w.

The default wait period will be 1 second otherwise.

Comment 10 Jarno Huuskonen 2017-08-09 09:04:23 EDT

(In reply to Thomas Woerner from comment #6)
> Created attachment 1311172 [details]
> Service wait patch
> 
> Proposed fix to fix the service wait issue with the restore wait patches
> applied.

Doesn't ip6tables.init need same --wait patch ?

Comment 11 Thomas Woerner 2017-08-09 09:15:30 EDT

(In reply to Jarno Huuskonen from comment #10)
> (In reply to Thomas Woerner from comment #6)
> > Created attachment 1311172 [details]
> > Service wait patch
> > 
> > Proposed fix to fix the service wait issue with the restore wait patches
> > applied.
> 
> Doesn't ip6tables.init need same --wait patch ?

This is a build environment patch. ip6tables.init script is generated out of the iptables.init script.

Comment 12 Thomas Woerner 2017-08-09 09:46 EDT

Created attachment 1311235 [details]
Service wait patch

Enhanced patch version using iptables-config settings

Comment 13 Thomas Woerner 2017-08-09 09:53 EDT

Created attachment 1311237 [details]
Proposed patch

Enhanced documentation for IPTABLES_RESTORE_WAIT_INTERVAL

Comment 14 Steven Haigh 2017-08-09 09:58:37 EDT

Thumbs up from me on patch v3.

Having the ability to tweak down the retry is fantastic - otherwise large firewall rulesets may take quite some time to apply.

Comment 16 Thomas Woerner 2017-08-09 10:55 EDT

Created attachment 1311251 [details]
Final patch

Using microseconds properly for the --wait-interval option.

Note You need to log in before you can comment on or make changes to this bug.

ajb
ajohn
ajz
amg1127
anderson.gomes
Colin.Simpson
cww
egarver
fabiano.martins
ian
iptables-maint-list
jarno.huuskonen
netwiz
pasik
pbrobinson
perobins
phil
redhat-bugzilla
rhbugs
richard.cunningham
robert.scheck
tis
todoleza
toracat