Bug ID 885373: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Fixed In:
15.1.0

Opened: Feb 27, 2020
Severity: 4-Minor

Symptoms

When running iptables-restore, you get this error: "Another app is currently holding the xtables lock. Perhaps you want to use the -w option?" Because iptables-restore cannot take the lock, the firewall rules are not created in iptables and are therefore not enforced until the device is rebooted.

Impact

Firewall rules for the management interface are not reliably created or enforced.

Conditions

Creating firewall rules for the management interface.

Workaround

There are four possible workarounds:

=======
-- Stop mgmt_acld, kill the iptables process holding the lock, then perform the merge:

[root:Active:Disconnected] config # lsof -n 2>/dev/null | grep /run/xtables.lock
iptables 14009 root 3rW REG 0,20 0 26415 /run/xtables.lock

root 13945 0.5 0.3 163992 29216 ? S 19:58 0:00 | \_ /usr/bin/mgmt_acld -do -m
root 14009 0.0 0.0 24900 1360 ? S 19:58 0:00 | \_ /sbin/iptables -xvL f5acl
^^^ xtables.lock held by iptables (PID 14009), which is being run by mgmt_acld (PID 13945)

[root:Active:Disconnected] config # bigstart stop mgmt_acld
[root:Active:Disconnected] config # killall iptables
^^^ stop mgmt_acld, and kill iptables

[root:Active:Disconnected] config # lsof -n 2>/dev/null | grep /run/xtables.lock
[root@blpv0678:Active:Disconnected] config #
^^^ verify the lock is gone

Perform the merge; the rules are loaded. Make sure to restart mgmt_acld afterwards.

=======
-- Reboot after every management firewall rule that is created.

=======
-- Manually clear the iptables lock, then make your changes:
1) Run: rm -f /run/xtables.lock
2) Then make your changes

=======
-- If the changes have already been made, manually clear the iptables lock, then load the configuration:
1) Run: rm -f /run/xtables.lock
2) Then run: tmsh load sys config

Note on the last two workarounds: rm -f only unlinks the lock file. An iptables process that already holds the lock keeps its open file descriptor and is not interrupted, so the next iptables invocation creates a fresh lock file and can modify the rule set concurrently with the stuck process. Check with lsof that nothing holds /run/xtables.lock before relying on this.
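The first workaround written out as a script, as an added example that is not F5's code or part of the original bug page. It assumes a BIG-IP shell with the tools shown above (lsof, bigstart, killall, tmsh) and that the management firewall rules are loaded with "tmsh load sys config"; change LOAD_CMD if you use "tmsh load sys config merge file <file>" instead. It refuses to act when something other than iptables holds the lock, verifies the lock is actually released after killing iptables, and restarts mgmt_acld whether or not the load succeeds.

```shell
#!/bin/sh
# Added example (not F5 code): automate the first workaround for Bug ID 885373.
# Assumes a BIG-IP shell with lsof, bigstart, killall and tmsh, and that the
# management firewall rules are applied with "tmsh load sys config" (adjust
# LOAD_CMD if you use "tmsh load sys config merge file <file>").

XTABLES_LOCK=/run/xtables.lock
LOAD_CMD="tmsh load sys config"

# Read lsof output on stdin and print "COMMAND:PID" for every process that has
# the xtables lock file open. lsof columns are COMMAND PID USER FD TYPE DEVICE
# SIZE/OFF NODE NAME; the lock path is the last field, so matching on $NF skips
# the header line and unrelated entries.
lock_holders() {
    awk -v lock="$XTABLES_LOCK" '$NF == lock { print $1 ":" $2 }'
}

# Exit 0 if every holder listed in $1 is an iptables process (the case this bug
# describes), 1 if some other process has the lock and we should not intervene.
holders_are_iptables() {
    printf '%s\n' "$1" | awk -F: 'NF && $1 != "iptables" { bad = 1 } END { exit bad }'
}

# Remove the stuck iptables holder the way the workaround does: stop mgmt_acld so
# it does not spawn another iptables, kill iptables, then confirm the lock is free.
clear_xtables_lock() {
    MGMT_ACLD_STOPPED=0
    holders=$(lsof -n 2>/dev/null | lock_holders)
    if [ -z "$holders" ]; then
        echo "xtables lock is free"
        return 0
    fi
    echo "xtables lock held by: $holders"
    if ! holders_are_iptables "$holders"; then
        echo "lock held by a process other than iptables; not intervening" >&2
        return 1
    fi
    bigstart stop mgmt_acld
    MGMT_ACLD_STOPPED=1
    killall iptables
    sleep 2
    if [ -n "$(lsof -n 2>/dev/null | lock_holders)" ]; then
        echo "lock still held after killing iptables; aborting" >&2
        return 1
    fi
    echo "lock released"
}

# Full procedure: clear the lock, load the rules, and restart mgmt_acld if we
# stopped it, even when the load fails (the management ACL daemon must run).
apply_mgmt_firewall_rules() {
    clear_xtables_lock || return 1
    if $LOAD_CMD; then rc=0; else rc=$?; fi
    if [ "$MGMT_ACLD_STOPPED" = 1 ]; then
        bigstart start mgmt_acld
    fi
    return $rc
}

# Only act when invoked with --run; sourcing the file just defines the functions.
case "${1:-}" in
    --run) apply_mgmt_firewall_rules ;;
esac
```

Run it as root on the affected unit with "sh clear_xtables_lock.sh --run" (hypothetical filename) after staging the rule change. The holder check is deliberately narrow: if bigd, tmm or anything else has the lock open, the script exits without stopping mgmt_acld, because that is not the condition this bug describes.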

Fix Information

None

Behavior Change