I have a system with iptables/ip6tables configured as services. There seems to be a race to get the xtables lock file with this version. I have either iptables or ip6tables failing on boot. I can start either service later on. A typical message:
ip6tables.init[714]: ip6tables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
ip6tables.init[627]: ip6tables: Applying firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
ip6tables.init[627]: [FAILED]
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
This update has been submitted for testing by mooninite.
This update has been pushed to testing.
iptables command and service scripts work
Just as an FYI, downgrading to 1.6.1-4 makes both services work on boot again.
And adding semodule for iptables results in:
works for me but no ipv6 here
works for me
I'm going to unpush. The issue with ip6tables will be addressed before this is pushed.
This update has been unpushed.
mooninite edited this update.
New build(s):
Removed build(s):
Karma has been reset.
This update has been submitted for testing by mooninite.
The startup race with iptables/ip6tables has been fixed. Please re-test this latest update.
This update has been pushed to testing.
Works fine in build 1.6.2-2
...except for SELinux keeps preventing iptables from starting.
It works here (-2), but I do have these extra SELinux policy rules in a local module:
allow iptables_t plymouthd_t:unix_stream_socket connectto;
allow iptables_t var_run_t:file { read lock open };
So, that should also be fixed, I guess. The above is based on denials I've seen in my audit.log over some time.
no regressions noted
selinux-policy-3.13.1-283.27.fc27.noarch kernel-4.15.9-300.fc27.x86_64 iptables-1.6.2-2.fc27.x86_64
my workaround:
cat /etc/systemd/system/iptables.service.d/override.conf
[Service]
ExecStartPre=-/usr/libexec/iptables/iptables.init start
ExecStartPre=-/usr/sbin/restorecon /run/xtables.lock

systemctl status iptables
Process: 1741 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Process: 1740 ExecStartPre=/usr/sbin/restorecon -F /run/xtables.lock (code=exited, status=0/SUCCESS) (!!!)
Process: 1714 ExecStartPre=/usr/libexec/iptables/iptables.init start (code=exited, status=1/FAILURE)
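The lock contention behind the "Another app is currently holding the xtables lock. Perhaps you want to use the -w option?" message, as an added illustration (this is not code from the iptables project or from this update). iptables serialises rule changes with flock(2) on /run/xtables.lock; without -w it makes a single non-blocking attempt and exits non-zero, which is what the ip6tables.init unit hits when the iptables unit holds the lock at the same moment on boot. The retry loop below approximates what -w does (repeated LOCK_EX|LOCK_NB attempts until a deadline; the real interval is iptables' -W option); it uses a temporary file rather than the real lock path so it can run unprivileged, and the "other app" is a thread holding the lock for a fixed time.

```python
"""Simulate xtables lock contention: one-shot (plain iptables) vs. retry (-w).

Added illustration only; approximates the flock(2) handling in iptables,
uses a temporary file instead of /run/xtables.lock, and needs no privileges.
"""
import fcntl
import os
import tempfile
import threading
import time


def try_lock_nb(path):
    """One non-blocking attempt, like iptables without -w.

    Returns (acquired, fd). A fresh open() gives a new open file description,
    so flock() conflicts even between threads of the same process.
    """
    fd = os.open(path, os.O_CREAT | os.O_RDWR, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return True, fd
    except BlockingIOError:  # EWOULDBLOCK: another holder owns the lock
        os.close(fd)
        return False, None


def lock_with_wait(path, timeout, interval=0.1):
    """Retry non-blocking attempts until acquired or `timeout` seconds pass,
    like iptables -w <timeout> (interval approximates -W).
    Returns (acquired, attempts, fd)."""
    deadline = time.monotonic() + timeout
    attempts = 0
    while True:
        attempts += 1
        ok, fd = try_lock_nb(path)
        if ok:
            return True, attempts, fd
        if time.monotonic() >= deadline:
            return False, attempts, None
        time.sleep(interval)


def release(fd):
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def hold_lock(path, seconds, started):
    """The 'other app' (e.g. the iptables unit) holding the lock for a while."""
    ok, fd = try_lock_nb(path)
    assert ok, "holder should find the lock free"
    started.set()
    time.sleep(seconds)
    release(fd)


def demo(hold_seconds=1.0, short_wait=0.2, long_wait=5.0):
    """Run the three behaviours against a contended lock and report outcomes."""
    path = os.path.join(tempfile.mkdtemp(), "xtables.lock")  # constructed, not /run
    started = threading.Event()
    holder = threading.Thread(target=hold_lock, args=(path, hold_seconds, started))
    holder.start()
    started.wait()

    nb_ok, nb_fd = try_lock_nb(path)           # plain iptables: fails immediately
    if nb_ok:
        release(nb_fd)
    short_ok, _, short_fd = lock_with_wait(path, short_wait)   # -w too short: times out
    if short_ok:
        release(short_fd)
    long_ok, attempts, long_fd = lock_with_wait(path, long_wait)  # -w long enough: succeeds
    if long_ok:
        release(long_fd)
    holder.join()
    return {"nonblocking_ok": nb_ok, "short_wait_ok": short_ok,
            "long_wait_ok": long_ok, "attempts": attempts}


if __name__ == "__main__":
    print(demo())
```

The practical reading for this bug: both init scripts need -w (or an equivalent retry) when the iptables and ip6tables units are allowed to start concurrently, otherwise whichever one loses the flock race fails exactly as the log lines above show.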
This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.
installs fine
Works fine for me!
Works for me
worked
We need more noise on bug 1551463 in order to send this to stable. I'm unpushing this for now.
This update has been unpushed.
Can we split out the nftables/libnfntl updates on their own? There's a request to update them in https://bugzilla.redhat.com/show_bug.cgi?id=1565632
mooninite edited this update.
Removed build(s):
Karma has been reset.
This update has been submitted for testing by mooninite.
This update has been pushed to testing.
FYI: the latest selinux-policy should have fixed this. I'm pushing this out again.
This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes.
This update has been obsoleted by iptables-1.6.2-3.fc27.