ConfigServer Community Forum

Greetings,

CSF is having this error when it was restarted


Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Error: iptables command [/sbin/iptables -v -I SMTPOUTPUT -p tcp -m multiport --dports 25,465,587 -j LOGDROPOUT] failed, at line 870

what could went wrong in csf configuration?

It means pretty much what it says, another process has locked iptables by running an iptables command. You need to find that process and stop it.

Hello

I am having the same problem this morning and I have no idea how to find the source of the problem. Is there anyone who can point me in the right direction?
Thanks

Here is the status file:

● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: disabled)
Active: failed (Result: timeout) since Sun 2017-06-18 00:02:44 UTC; 13h ago
Process: 10834 ExecStart=/usr/sbin/lfd (code=killed, signal=TERM)
Main PID: 18926 (code=killed, signal=KILL)
CGroup: /system.slice/lfd.service

Jun 18 00:01:14 myserver.us systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Jun 18 00:02:44 myserver.us systemd[1]: lfd.service start operation timed out. Terminating.
Jun 18 00:02:44 myserver.us systemd[1]: Failed to start ConfigServer Firewall & Security - lfd.
Jun 18 00:02:44 myserver.us systemd[1]: Unit lfd.service entered failed state.
Jun 18 00:02:44 myserver.us systemd[1]: lfd.service failed.

Here is the error:

Error: Error processing command for line [740] (6 times): [Another app is currently holding the xtables lock. Perhaps you want to use the -w option?], at line 740 in /usr/sbin/csf

Same issue here.

# cat /etc/csf/csf.error
Error: Error processing command for line [3186] (6 times): [Another app is currently holding the xtables lock. Perhaps you want to use the -w option?], at line 3186 in /usr/sbin/csf

I think that /usr/sbin/csf should use "-w" to avoid this problem:

From iptables man:

-w, --wait [seconds]
Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot
be obtained. This option will make the program wait (indefinitely or for optional seconds) until the exclusive lock can be obtained.

-w does not make a difference. I need to find a reliable alternative to this headache.

pixelpadre wrote: ↑23 Jun 2017, 21:53 -w does not make a difference. I need to find a reliable alternative to this headache.

How did you use "-w"? DId you modified "/usr/sbin/csf" script?

I used it from shell when I tried to restart, stop, or start csf

"-w" option is for using in iptables commands. This should be modified inside csf scripts.

Anyway as a temporaly fix, I found that if we disable some of the blocklists and CC_DENY countries the issue does not happen. It seems that csf does not work well with large iptables list.

I've an issue like yours: viewtopic.php?f=6&t=10353

And looks like the countries lists are the problem, but for some reason it works perfect on CentOS 6 with cPanel. For me the problem happens only in CentOS 7 with cPanel.

Have you been able to find a solution without disabling the blocklists/denied countries?

babenito wrote: ↑17 Aug 2017, 14:20 Have you been able to find a solution without disabling the blocklists/denied countries?

Enable IPSET.