
Another app is currently holding the xtables lock

Posted: Fri Apr 24, 2020 8:24 am
by dspaan
When I use the vicibox 8/9 VB-firewall I keep getting this warning in /var/mail/root:

Another app is currently holding the xtables lock. Perhaps you want to use the -w option?


When I want to reload the OpenSUSE firewall after I have made any change I have to wait ages for it to reload.

I discovered that when I disable the --dynamic and --white parameters for the * * * * * /usr/local/bin/VB-firewall.pl --dynamic --white --flush --quiet cronjob the issue goes away.

So it has to do with the dynamic and white list features. Does anyone have a work-around for this?

Re: Another app is currently holding the xtables lock

Posted: Fri Apr 24, 2020 3:59 pm
by Kumba
Not really sure why those would be holding it open. When you run VB-Firewall.pl manually, how long does it take to run?

Re: Another app is currently holding the xtables lock

Posted: Fri Apr 24, 2020 4:13 pm
by williamconley
In the olden days we had issues with DNS that dramatically slowed the speed of such activities. Be sure your DNS is fast and working IF you are using any names. If you're not using any names, please feel free to ignore this message.

Re: Another app is currently holding the xtables lock

Posted: Fri Apr 24, 2020 4:20 pm
by dspaan
We are using the DNS IPs from our datacenter provider; they are really fast.

When I run the script manually it takes about 9 seconds; I tried it 5 times:

/usr/local/bin/VB-firewall.pl --dynamic --white --flush

ViciBox Firewall white/dynamic/black list integration

Database Host : localhost
Database Name : asterisk
Database User : ****
Database Pass : ****
Database Port : 3306
White list : Enabled
Vici White List : ViciWhite
IPSet White List IPs : whiteips
IPSet White List Nets : whitenets
RFC1918 White List : YES
Dynamic list : Enabled
IPSet Dynamic Age : 14
IPSet Dynamic List : dynamiclist
Black list : Disabled
VoIP Black List : Disabled
Geo Block list : Disabled


Generating White List from IP List 'ViciWhite'...
Found 8 entires to process
Adding FLUSH for white list
Adding RFC1918 IPs to white lists
Writing IPSet rule files to /tmp//VB-WHITE-tmp and /tmp//VB-WHITENET-tmp
Loading white list IPSet rules into Kernel
White List had been loaded!

Generating Dynamic IP List rules...
Looking for valid web logins within the last 14 days
Adding FLUSH for dynamic lists
Writing IPSet rule file to /tmp//VB-DYNAMIC-tmp
Loading dynamic list IPSet rules into kernel
Dynamic List had been loaded!

Re: Another app is currently holding the xtables lock

Posted: Fri Apr 24, 2020 8:00 pm
by Kumba
Can you post the crontab entry you are using and the command you're trying to run after? I'll see if I can duplicate the issue.

Re: Another app is currently holding the xtables lock

Posted: Sat Apr 25, 2020 7:28 am
by dspaan
This is what I have in crontab:

* * * * * /usr/local/bin/VB-firewall.pl --dynamic --white --flush --quiet


Example of a command:

firewall-cmd --permanent --zone=public --add-port=22/tcp
firewall-cmd --reload

Re: Another app is currently holding the xtables lock

Posted: Sat May 30, 2020 3:04 am
by dspaan
Did you get a chance to reproduce this?

Right now I have already had two servers where the SSL certificate failed to renew because we can't open the firewall ports because of the VB firewall cronjob holding the X tables lock.

Re: Another app is currently holding the xtables lock

Posted: Sun Jan 16, 2022 6:40 pm
by dspaan
I forgot to post back on this old issue because at some point I contacted vicidial support and the fix was:

The VB-firewall.pl script needs to have the two instances of "iptables -L" changed to "iptables -L -w -n" to resolve the issue.
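
Added example (not part of the thread, and not code from VB-firewall.pl or iptables): a small Python model of why the -w option in the fix matters, using an exclusive flock on a temporary file as a stand-in for the xtables lock. The function names, the lock path and the timings are assumptions made for the illustration; the bounded wait models "-w <seconds>", whereas a bare -w waits with no time limit.

```python
import fcntl
import os
import tempfile
import threading
import time

def try_lock(path, wait_seconds=None, poll=0.05):
    """Take an exclusive flock on path (hypothetical helper).

    wait_seconds=None models a call without -w: one non-blocking attempt.
    wait_seconds=N models "-w N": retry until the lock is free or N seconds pass.
    Returns the open fd on success, or None if the lock stayed busy.
    """
    fd = os.open(path, os.O_CREAT | os.O_RDWR, 0o600)
    deadline = time.monotonic() + (wait_seconds or 0)
    while True:
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
            return fd
        except BlockingIOError:  # another open file description holds the lock
            if time.monotonic() >= deadline:
                os.close(fd)
                return None
            time.sleep(poll)

def release(fd):
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)

def demo(hold_seconds=0.3):
    """One holder (for example a firewall reload in progress) and two later callers."""
    path = os.path.join(tempfile.mkdtemp(), "xtables.lock.demo")  # constructed path
    holder = try_lock(path)
    threading.Timer(hold_seconds, release, args=(holder,)).start()
    no_wait = try_lock(path)                 # no wait: gives up immediately
    start = time.monotonic()
    waited = try_lock(path, wait_seconds=5)  # waits until the holder releases
    elapsed = time.monotonic() - start
    if waited is not None:
        release(waited)
    return no_wait is None, waited is not None, elapsed

if __name__ == "__main__":
    failed_fast, got_lock, elapsed = demo()
    print("without wait:", "lock busy, gave up" if failed_fast else "acquired")
    print("with wait:   ", "acquired" if got_lock else "timed out", f"after {elapsed:.2f}s")
```

The caller that does not wait is the one that produces the "Another app is currently holding the xtables lock" warning; the waiting caller simply runs once the holder is done.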