依楼听风雨

CentOS 7: restarting iptables reports that the xtables lock is held and the service fails to start

Overview

While running an initialization script in a project, restarting the iptables service hung and stayed unresponsive for a long time. The status information was as follows:

[root@localhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: activating (start) since 五 2022-03-25 17:24:19 CST; 1min 11s ago
 Main PID: 142965 (iptables.init)
    Tasks: 2
   CGroup: /system.slice/iptables.service
           ├─142965 /bin/bash /usr/libexec/iptables/iptables.init start
           └─142972 iptables-restore --wait 600 /etc/sysconfig/iptables

3月 25 17:24:19 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
3月 25 17:24:28 localhost.localdomain iptables.init[142965]: iptables: Applying firewall rules: Another app is currently holding the xtables lock; still 591s 0us time ahead to have a chance to grab the lock...
3月 25 17:24:38 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 581s 0us time ahead to have a chance to grab the lock...
3月 25 17:24:48 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 571s 0us time ahead to have a chance to grab the lock...
3月 25 17:24:58 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 561s 0us time ahead to have a chance to grab the lock...
3月 25 17:25:08 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 551s 0us time ahead to have a chance to grab the lock...
3月 25 17:25:18 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 541s 0us time ahead to have a chance to grab the lock...
3月 25 17:25:28 localhost.localdomain iptables.init[142965]: Another app is currently holding the xtables lock; still 531s 0us time ahead to have a chance to grab the lock...
[root@localhost ~]# systemctl status ip6tables
● ip6tables.service - IPv6 firewall with ip6tables
   Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; vendor preset: disabled)
   Active: activating (start) since 五 2022-03-25 14:50:24 CST; 2h 38min ago
 Main PID: 139499 (ip6tables.init)
    Tasks: 2
   CGroup: /system.slice/ip6tables.service
           ├─139499 /bin/bash /usr/libexec/iptables/ip6tables.init start
           └─139510 ip6tables-restore --wait 600 /etc/sysconfig/ip6tables

3月 25 14:50:24 localhost.localdomain systemd[1]: Starting IPv6 firewall with ip6tables...
3月 25 14:50:25 localhost.localdomain ip6tables.init[139499]: ip6tables: Applying firewall rules: Warning: never matched protocol: 51. use extension match instead.

The problem is suspected to have been caused by the firewalld service hanging while removing the nf_conntrack module: /proc/net/nf_conntrack for the module did not exist, and it came back after a system reboot.

Solution

[root@localhost ~]# lsof -n 2>/dev/null | grep /run/xtables.lock
ip6tables 139510                  root    4rW     REG               0,20         0      99282 /run/xtables.lock
iptables- 142972                  root    4r      REG               0,20         0      99282 /run/xtables.lock
[root@localhost ~]# ps aux|grep iptables
root     139499  0.0  0.0 115592  1996 ?        Ss   14:50   0:00 /bin/bash /usr/libexec/iptables/ip6tables.init start
root     142965  0.0  0.0 115592  1944 ?        Ss   17:24   0:00 /bin/bash /usr/libexec/iptables/iptables.init start
root     142972  0.0  0.0  16264   768 ?        S    17:24   0:00 iptables-restore --wait 600 /etc/sysconfig/iptables
root     143074  0.0  0.0 112728   976 pts/3    S+   17:27   0:00 grep --color=auto iptables
[root@localhost ~]# lsof -n 2>/dev/null | grep /run/xtables.lock
ip6tables 139510                  root    4rW     REG               0,20         0      99282 /run/xtables.lock
iptables- 142972                  root    4r      REG               0,20         0      99282 /run/xtables.lock
[root@localhost ~]# kill 142972
[root@localhost ~]# kill 139510
Verification
[root@localhost ~]# lsof -n 2>/dev/null | grep /run/xtables.lock
[root@localhost ~]# systemctl start ip6tables
[root@localhost ~]# systemctl status ip6tables
● ip6tables.service - IPv6 firewall with ip6tables
   Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; vendor preset: disabled)
   Active: active (exited) since 五 2022-03-25 17:29:23 CST; 3s ago
  Process: 143114 ExecStart=/usr/libexec/iptables/ip6tables.init start (code=exited, status=0/SUCCESS)
 Main PID: 143114 (code=exited, status=0/SUCCESS)

3月 25 17:29:23 localhost.localdomain systemd[1]: Starting IPv6 firewall with ip6tables...
3月 25 17:29:23 localhost.localdomain ip6tables.init[143114]: ip6tables: Applying firewall rules: Warning: never matched protocol: 51. use extension match instead.
3月 25 17:29:23 localhost.localdomain ip6tables.init[143114]: [  确定  ]
3月 25 17:29:23 localhost.localdomain systemd[1]: Started IPv6 firewall with ip6tables.
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since 五 2022-03-25 17:29:35 CST; 13s ago
  Process: 143244 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 143244 (code=exited, status=0/SUCCESS)

3月 25 17:29:35 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
3月 25 17:29:35 localhost.localdomain iptables.init[143244]: iptables: Applying firewall rules: [  确定  ]
3月 25 17:29:35 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
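As an added example that is not part of the original post, the helper below reads lsof output and separates the process that actually holds /run/xtables.lock (lock letter W in the FD column, as with ip6tables 139510 above) from processes that only have it open while waiting for it (plain 4r, as with iptables-restore 142972), so an administrator can confirm which process to stop before killing anything. The function names and the live-check wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Separates the holder of
# /run/xtables.lock from processes merely waiting for it, using lsof's FD column:
#   "4r"  -> fd 4, read access, no lock   (a waiter, e.g. iptables-restore --wait)
#   "4rW" -> fd 4, read access, write lock on the whole file (the holder)
# Function names and the live-check wrapper are assumptions of this example.

LOCK_FILE=/run/xtables.lock

# Constructed sample in the shape of the post's lsof output:
# ip6tables 139510 holds the lock; iptables-restore 142972 only waits for it.
SAMPLE_LSOF='ip6tables 139510                  root    4rW     REG               0,20         0      99282 /run/xtables.lock
iptables- 142972                  root    4r      REG               0,20         0      99282 /run/xtables.lock'

# Read lsof lines on stdin; print "PID COMMAND" for each process holding a lock
# on the file (FD field = descriptor number, access mode, then a lock letter).
lock_holders() {
    awk -v lock="$LOCK_FILE" \
        '$NF == lock && $4 ~ /^[0-9]+[rwu][NrRwWuUxX]$/ { print $2, $1 }'
}

# Read lsof lines on stdin; print "PID COMMAND" for processes that have the file
# open without any lock, i.e. those still waiting to grab it.
lock_waiters() {
    awk -v lock="$LOCK_FILE" \
        '$NF == lock && $4 ~ /^[0-9]+[rwu]$/ { print $2, $1 }'
}

# Live check on the running host (needs lsof, like the post's own command).
# Returns 0 when nothing holds the lock, 1 when a holder is found.
check_xtables_lock() {
    holders=$(lsof -n "$LOCK_FILE" 2>/dev/null | lock_holders)
    if [ -n "$holders" ]; then
        echo "holding $LOCK_FILE:"
        echo "$holders"
        return 1
    fi
    echo "no process holds $LOCK_FILE"
}

# Demonstration on the constructed sample; the live check runs only with --live.
printf '%s\n' "$SAMPLE_LSOF" | lock_holders
printf '%s\n' "$SAMPLE_LSOF" | lock_waiters
if [ "${1:-}" = "--live" ]; then check_xtables_lock; fi
```

On the post's system this would report 139510 ip6tables as the holder and 142972 iptables- as the waiter; the waiter would have proceeded on its own once the holder was gone.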

References

Source: https://cdn.f5.com/product/bugtracker/ID885373.html

There are four possible workarounds:

=======

-- [root:Active:Disconnected] config # lsof -n 2>/dev/null | grep /run/xtables.lock
iptables  14009            root    3rW     REG               0,20          0      26415 /run/xtables.lock

root     13945  0.5  0.3 163992 29216 ?        S    19:58   0:00  |   _ /usr/bin/mgmt_acld -do -m
root     14009  0.0  0.0  24900  1360 ?        S    19:58   0:00  |       _ /sbin/iptables -xvL f5acl

^^^ xtables.lock held by iptables which is being run by mgmt_acld

[root:Active:Disconnected] config # bigstart stop mgmt_acld
[root:Active:Disconnected] config # killall iptables

^^^ stop mgmt_acld, and kill iptables

[root:Active:Disconnected] config # lsof -n 2>/dev/null | grep /run/xtables.lock
[root@blpv0678:Active:Disconnected] config #

^^^ verify the lock is gone

perform the merge and the rules are loaded. Make sure to restart mgmt_acld afterwards.

=======

-- Reboot after every management firewall rule that is created.

=======

-- Manually clear the iptables lock then make your changes

1. Run: rm -rf /run/xtables.lock

2. Then make your changes

=======

-- If the changes have already been made, Manually clear the iptables lock, then run load sys config.

* Run: rm -rf /run/xtables.lock

* Then Run: tmsh load sys config