ufw

Another app is currently holding the xtables lock

Bug #1911637 reported by FloSoft
56
This bug affects 10 people
Affects Status Importance Assigned to Milestone
ufw
Triaged
Undecided
Unassigned
ufw (Debian)
New
Undecided
Unassigned
ufw (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Version: ufw 0.36 (via Debian buster 0.36-1 deb-package)

I'm using ufw together with fail2ban, and often I get an error while fail2ban is trying to ban an ip:

```
ERROR: initcaps
[Errno 2] Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

```

it seems that in utils.py, get_netfilter_capabilities(...) iptables is called without "-w" flag to wait for the table lock

perhaps the checks should include this parameter to avoid leaving temporary tables behind (and breaking fail2ban, but thats a different story ...)?

Revision history for this message
Oliver Vollmer (vollmero-work) wrote :

This has been reported on the ansible module side as well as it impacts the ability to configure ufw on Ubuntu 20.04.02 LTS servers. ufw is essentially unusable because of this bug.

https://github.com/ansible-collections/community.general/issues/2336
https://github.com/ansible-collections/community.general/issues/2452

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ufw (Ubuntu):
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for the report. I read the ansible bug but this issue is actually coming from the underlying iptables tool. Something on the system is manipulating the firewall via iptables at the same time that the ufw command is being run. As described, this would happen with any firewall software. If only ufw is being used with ansible, perhaps ensure that the ufw commands are not being run in parallel. The upstream bug referenced docker, which will also manipulate the firewall with iptables; perhaps ensure that ufw configuration is applied before docker is started.

I'm going to mark this bug as Invalid for now. Feel free to provide more information if you feel this is specific to ufw.

Changed in ufw (Ubuntu):
status: Confirmed → Invalid
Changed in ufw:
status: New → Invalid
Changed in ufw (Ubuntu):
status: Invalid → New
Changed in ufw:
status: Invalid → New
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Actually, in thinking about this, ufw could use 'iptables -w' under the hood. I recall having troubles with this approach when providing the fix for https://bugs.launchpad.net/ufw/+bug/1204579. I suggest following my advice in my last comment to avoid the issue while using 'iptables -w' is explored.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ufw (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand)
Changed in ufw:
status: New → Triaged
Revision history for this message
Rowan Wookey (rwky) wrote :

Patch from https://bugs.launchpad.net/ufw/+bug/1923079 which is a dup

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "status-wait-flag.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.