Last Modified: Apr 11, 2024
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Fixed In:
15.1.0
Opened: Feb 27, 2020 Severity: 4-Minor
When running iptables-restore, you get this error: Another app is currently holding the xtables lock. Perhaps you want to use the -w option? This occurs because firewall rules are not created in iptables and therefore not enforced until after rebooting the device.
Firewall rules for the management interface are not reliably created or enforced.
Creating firewall rules for the management interface.
There are four possible workarounds: ======= -- [root:Active:Disconnected] config # lsof -n 2>/dev/null | grep /run/xtables.lock iptables 14009 root 3rW REG 0,20 0 26415 /run/xtables.lock root 13945 0.5 0.3 163992 29216 ? S 19:58 0:00 | \_ /usr/bin/mgmt_acld -do -m root 14009 0.0 0.0 24900 1360 ? S 19:58 0:00 | \_ /sbin/iptables -xvL f5acl ^^^ xtables.lock held by iptables which is being run by mgmt_acld [root:Active:Disconnected] config # bigstart stop mgmt_acld [root:Active:Disconnected] config # killall iptables ^^^ stop mgmt_acld, and kill iptables [root:Active:Disconnected] config # lsof -n 2>/dev/null | grep /run/xtables.lock [root@blpv0678:Active:Disconnected] config # ^^^ verify the lock is gone perform the merge and the rules are loaded. Make sure to restart mgmt_acld afterwards. ======= -- Reboot after every management firewall rule that is created. ======= -- Manually clear the iptables lock then make your changes 1) Run: rm -f /run/xtables.lock 2) Then make your changes ======= -- If the changes have already been made, Manually clear the iptables lock, then run load sys config. 1) Run: rm -f /run/xtables.lock 2) Then Run: tmsh load sys config
None