Centos7下iptables重启时提示xtables占用导致无法正常启动

概述

在项目中执行初始化脚本时遇到重启iptables服务时卡住，且长时间无响应。以下为状态信息：

[root@localhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: activating (start) since 五 2022-03-25 17:24:19 CST; 1min 11s ago
 Main PID: 142965 (iptables.init)
    Tasks: 2
   CGroup: /system.slice/iptables.service
           ├─142965 /bin/bash /usr/libexec/iptables/iptables.init start
           └─142972 iptables-restore --wait 600 /etc/sysconfig/iptables
 
3月 25 17:24:19 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
3月 25 17:24:28 localhost.localdomain iptables.init[142965]: iptables: Applying firewall rules: Another app is currently holding the xtables lock; still 591s 0us time ahead to have a chance to grab the lock...
3月 25 17:24:38 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 581s 0us time ahead to have a chance to grab the lock...
3月 25 17:24:48 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 571s 0us time ahead to have a chance to grab the lock...
3月 25 17:24:58 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 561s 0us time ahead to have a chance to grab the lock...
3月 25 17:25:08 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 551s 0us time ahead to have a chance to grab the lock...
3月 25 17:25:18 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 541s 0us time ahead to have a chance to grab the lock...
3月 25 17:25:28 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 531s 0us time ahead to have a chance to grab the lock...
[root@localhost ~]# systemctl status ip6tables
● ip6tables.service - IPv6 firewall with ip6tables
   Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; vendor preset: disabled)
   Active: activating (start) since 五 2022-03-25 14:50:24 CST; 2h 38min ago
 Main PID: 139499 (ip6tables.init)
    Tasks: 2
   CGroup: /system.slice/ip6tables.service
           ├─139499 /bin/bash /usr/libexec/iptables/ip6tables.init start
           └─139510 ip6tables-restore --wait 600 /etc/sysconfig/ip6tables
 
3月 25 14:50:24 localhost.localdomain systemd[1]: Starting IPv6 firewall with ip6tables...
3月 25 14:50:25 localhost.localdomain ip6tables.init[139499]: ip6tables: Applying firewall rules: Warning: never matched protocol: 51. use extension match instead.

问题引起疑似因firewalld服务移除nf_conntrack模块夯住导致。
模块/proc/net/nf_conntrack不存在，重启系统后恢复。

解决办法

[root@localhost ~]# lsof -n 2>/dev/null | grep /run/xtables.lock
ip6tables 139510                  root    4rW     REG               0,20         0      99282 /run/xtables.lock
iptables- 142972                  root    4r      REG               0,20         0      99282 /run/xtables.lock
[root@localhost ~]# ps aux|grep iptables
root     139499  0.0  0.0 115592  1996 ?        Ss   14:50   0:00 /bin/bash /usr/libexec/iptables/ip6tables.init start
root     142965  0.0  0.0 115592  1944 ?        Ss   17:24   0:00 /bin/bash /usr/libexec/iptables/iptables.init start
root     142972  0.0  0.0  16264   768 ?        S    17:24   0:00 iptables-restore --wait 600 /etc/sysconfig/iptables
root     143074  0.0  0.0 112728   976 pts/3    S+   17:27   0:00 grep --color=auto iptables
[root@localhost ~]# lsof -n 2>/dev/null | grep /run/xtables.lock
ip6tables 139510                  root    4rW     REG               0,20         0      99282 /run/xtables.lock
iptables- 142972                  root    4r      REG               0,20         0      99282 /run/xtables.lock
[root@localhost ~]# kill 142972
[root@localhost ~]# kill 139510

验证

[root@localhost ~]# lsof -n 2>/dev/null | grep /run/xtables.lock
[root@localhost ~]# systemctl start ip6tables
[root@localhost ~]# systemctl status ip6tables
● ip6tables.service - IPv6 firewall with ip6tables
   Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; vendor preset: disabled)
   Active: active (exited) since 五 2022-03-25 17:29:23 CST; 3s ago
  Process: 143114 ExecStart=/usr/libexec/iptables/ip6tables.init start (code=exited, status=0/SUCCESS)
 Main PID: 143114 (code=exited, status=0/SUCCESS)
 
3月 25 17:29:23 localhost.localdomain systemd[1]: Starting IPv6 firewall with ip6tables...
3月 25 17:29:23 localhost.localdomain ip6tables.init[143114]: ip6tables: Applying firewall rules: Warning: never matched protocol: 51. use extension match instead.
3月 25 17:29:23 localhost.localdomain ip6tables.init[143114]: [  确定  ]
3月 25 17:29:23 localhost.localdomain systemd[1]: Started IPv6 firewall with ip6tables.
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since 五 2022-03-25 17:29:35 CST; 13s ago
  Process: 143244 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 143244 (code=exited, status=0/SUCCESS)
 
3月 25 17:29:35 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
3月 25 17:29:35 localhost.localdomain iptables.init[143244]: iptables: Applying firewall rules: [  确定  ]
3月 25 17:29:35 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.

参考内容

参考自:https://cdn.f5.com/product/bugtracker/ID885373.html

There are four possible workarounds:

=======

-- [root:Active:Disconnected] config # lsof -n 2>/dev/null | grep /run/xtables.lock
iptables  14009            root    3rW     REG               0,20          0      26415 /run/xtables.lock

root     13945  0.5  0.3 163992 29216 ?        S    19:58   0:00  |   \_ /usr/bin/mgmt_acld -do -m
root     14009  0.0  0.0  24900  1360 ?        S    19:58   0:00  |       \_ /sbin/iptables -xvL f5acl

^^^ xtables.lock held by iptables which is being run by mgmt_acld

[root:Active:Disconnected] config # bigstart stop mgmt_acld
[root:Active:Disconnected] config # killall iptables

^^^ stop mgmt_acld, and kill iptables

[root:Active:Disconnected] config # lsof -n 2>/dev/null | grep /run/xtables.lock
[root@blpv0678:Active:Disconnected] config #

^^^ verify the lock is gone

perform the merge and the rules are loaded. Make sure to restart mgmt_acld afterwards.

=======

-- Reboot after every management firewall rule that is created.

=======

-- Manually clear the iptables lock then make your changes 
1) Run: rm -rf /run/xtables.lock
2) Then make your changes

=======

-- If the changes have already been made, Manually clear the iptables lock, then run load sys config.
1) Run: rm -rf /run/xtables.lock
2) Then Run: tmsh load sys config

END

Centos7下iptables重启时提示xtables占用导致无法正常启动