Red Hat Bugzilla – Bug 1477413
Firewall fails to apply when using iptables-services
Last modified: 2017-08-15 10:18:55 EDT
Description of problem:
I use a very basic firewall applied via the systemd services iptables & ip6tables.
The latest version randomly fails on start with an x-locking issue and suggest the -w option in the failure message.
I fixed this by adding the '-w 1' option to all calls to iptables-restore and ip6tables-restore in /usr/libexec/iptables/*
This seems to reliably fix the problem.
Note: For some reason, just specifying -w complains about a non-numeric option. Maybe something is interacting?
Version-Release number of selected component (if applicable):
Added possibly related backport issue.
I have the same problem: after iptables-services-1.4.21-18.el7.x86_64 / iptables-1.4.21-18.el7.x86_64 update:
On server boot either iptables.service or ip6tables.service fails to start with:
iptables.init: iptables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
and add --wait <num> to /usr/libexec/iptables/* seems to fix this.
I can confirm this only affects systems where firewalld is disabled and BOTH iptables AND ip6tables are enabled. If, for example, only iptables (IPv4) service is enabled, the service starts fine upon reboot.
Created attachment 1311172 [details]
Service wait patch
Proposed fix to fix the service wait issue with the restore wait patches applied.
*** Bug 1477638 has been marked as a duplicate of this bug. ***
With the update to iptables, I wonder if it makes sense to include -W 100 as well.
The man page shows:
-W, --wait-interval microseconds
Interval to wait per each iteration. When running latency sensitive applications, waiting for the xtables lock for extended durations may not be acceptable. This option will make each iteration take the amount of
time specified. The default interval is 1 second. This option only works with -w.
The default wait period will be 1 second otherwise.
(In reply to Thomas Woerner from comment #6)
> Created attachment 1311172 [details]
> Service wait patch
> Proposed fix to fix the service wait issue with the restore wait patches
Doesn't ip6tables.init need same --wait patch ?
(In reply to Jarno Huuskonen from comment #10)
> (In reply to Thomas Woerner from comment #6)
> > Created attachment 1311172 [details]
> > Service wait patch
> > Proposed fix to fix the service wait issue with the restore wait patches
> > applied.
> Doesn't ip6tables.init need same --wait patch ?
This is a build environment patch. ip6tables.init script is generated out of the iptables.init script.
Created attachment 1311235 [details]
Service wait patch
Enhanced patch version using iptables-config settings
Created attachment 1311237 [details]
Enhanced documentation for IPTABLES_RESTORE_WAIT_INTERVAL
Thumbs up from me on patch v3.
Having the ability to tweak down the retry is fantastic - otherwise large firewall rulesets may take quite some time to apply.
Created attachment 1311251 [details]
Using microseconds properly for the --wait-interval option.