Failed to start CSF and lfd

13 posts Page 1 of 2
saeedashour
Junior Member
Posts: 1
Joined: 18 Oct 2016, 09:49


Greetings,

CSF is having this error when it was restarted


Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Error: iptables command [/sbin/iptables -v -I SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -j LOGDROPOUT] failed, at line 870

what could went wrong in csf configuration?
ForumAdmin
Moderator
Posts: 1433
Joined: 01 Oct 2008, 09:24


It means pretty much what it says, another process has locked iptables by running an iptables command. You need to find that process and stop it.
pixelpadre
Junior Member
Posts: 3
Joined: 09 Jul 2016, 13:01


Hello

I am having the same problem this morning and I have no idea how to find the source of the problem. Is there anyone who can point me in the right direction?
Thanks

Here is the status file:

● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: disabled)
Active: failed (Result: timeout) since Sun 2017-06-18 00:02:44 UTC; 13h ago
Process: 10834 ExecStart=/usr/sbin/lfd (code=killed, signal=TERM)
Main PID: 18926 (code=killed, signal=KILL)
CGroup: /system.slice/lfd.service

Jun 18 00:01:14 myserver.us systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Jun 18 00:02:44 myserver.us systemd[1]: lfd.service start operation timed out. Terminating.
Jun 18 00:02:44 myserver.us systemd[1]: Failed to start ConfigServer Firewall & Security - lfd.
Jun 18 00:02:44 myserver.us systemd[1]: Unit lfd.service entered failed state.
Jun 18 00:02:44 myserver.us systemd[1]: lfd.service failed.

Here is the error:

Error: Error processing command for line [740] (6 times): [Another app is currently holding the xtables lock. Perhaps you want to use the -w option?], at line 740 in /usr/sbin/csf
yorodriguez
Junior Member
Posts: 15
Joined: 04 Jan 2017, 09:29


Same issue here.

# cat /etc/csf/csf.error
Error: Error processing command for line [3186] (6 times): [Another app is currently holding the xtables lock. Perhaps you want to use the -w option?], at line 3186 in /usr/sbin/csf

I think that /usr/sbin/csf should use "-w" to avoid this problem:

From iptables man:

-w, --wait [seconds]
Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot
be obtained. This option will make the program wait (indefinitely or for optional seconds) until the exclusive lock can be obtained.
pixelpadre
Junior Member
Posts: 3
Joined: 09 Jul 2016, 13:01


-w does not make a difference. I need to find a reliable alternative to this headache.
yorodriguez
Junior Member
Posts: 15
Joined: 04 Jan 2017, 09:29


23 Jun 2017, 21:53pixelpadre wrote:
-w does not make a difference. I need to find a reliable alternative to this headache.
How did you use "-w"? DId you modified "/usr/sbin/csf" script?
pixelpadre
Junior Member
Posts: 3
Joined: 09 Jul 2016, 13:01


I used it from shell when I tried to restart, stop, or start csf
yorodriguez
Junior Member
Posts: 15
Joined: 04 Jan 2017, 09:29


"-w" option is for using in iptables commands. This should be modified inside csf scripts.

Anyway as a temporaly fix, I found that if we disable some of the blocklists and CC_DENY countries the issue does not happen. It seems that csf does not work well with large iptables list.
babenito
Junior Member
Posts: 10
Joined: 06 Sep 2016, 15:11


I've an issue like yours: viewtopic.php?f=6&t=10353

And looks like the countries lists are the problem, but for some reason it works perfect on CentOS 6 with cPanel. For me the problem happens only in CentOS 7 with cPanel.

Have you been able to find a solution without disabling the blocklists/denied countries?
yorodriguez
Junior Member
Posts: 15
Joined: 04 Jan 2017, 09:29


17 Aug 2017, 14:20babenito wrote:
Have you been able to find a solution without disabling the blocklists/denied countries?
Enable IPSET.
13 posts Page 1 of 2