Package: iptables
Version: 1.4.18-1
Severity: normal

Hi,
in some cases iptables fails with "resource temporarily unavailable". I think this could be the case if two scripts try to insert rules nearly simultaneously. In my setup I could repeat this behaviour at boot time with
- libvirt auto-starting the default nat network
- lxc auto-starting a guest which has a network.up script inserting some rules
Although lxc and libvirt are run one after another by SysV (lxc has S17 and libvirt S18), this leads to the above-mentioned collision, resulting in missing rules without any clear message about that.

If you would like to repeat my steps:
- set up a clean wheezy
- install iptables, lxc and libvirt-bin
- enable autostarting the default network with "virsh net-autostart default"
- enable the default network with "virsh net-start default"
- enable verbose logging for libvirt by adding -v to libvirtd_opts in /etc/default/libvirt-bin
- restart libvirt with "/etc/init.d/libvirt-bin restart"
- mount cgroups by adding "cgroup /sys/fs/cgroup cgroup defaults 0 0" to fstab and execute "mount -a"
- create a sample lxc config as /root/test.cfg with content:

  lxc.network.type = veth
  lxc.network.flags = up
  lxc.network.link = virbr0
  lxc.network.script.up = /usr/local/sbin/lxc_net_up.sh

- create the script /usr/local/sbin/lxc_net_up.sh with content:

  #!/bin/bash
  # bash is needed for the &> and &>> redirections below (/bin/sh is dash here)
  #sleep 3
  /sbin/iptables -v -I FORWARD -m state -d 192.168.123.10 -p tcp --state NEW,RELATED,ESTABLISHED -j ACCEPT &> /tmp/ipt
  /sbin/iptables -v -I FORWARD -m state -d 192.168.124.10 -p tcp --state NEW,RELATED,ESTABLISHED -j ACCEPT &>> /tmp/ipt

- make it executable with "chmod +x /usr/local/sbin/lxc_net_up.sh"
- install the test container with "lxc-create -n test -t debian -f /root/test.cfg" and choose squeeze with default options
- configure autostarting the container with "ln -s /var/lib/lxc/test/config /etc/lxc/auto/test"
- reboot the system
- check if both test rules and the default libvirt rules are in the FORWARD table: "iptables -L"
- if not, have a look at /tmp/ipt and /var/log/libvirt/libvirtd.log

The results are the same if you add the unstable repository to sources.list and update the packages.

In my case sometimes the test rules were missing (without any message in /tmp/ipt) and sometimes the libvirt rules and/or some test rules were missing - like in this case:

root@wheezy-base:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.124.10       state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@wheezy-base:~#

In /var/log/libvirt/libvirtd.log I got messages like

2013-06-13 10:17:17.333+0000: 2518: error : virCommandWait:2351 : internal error Child process (/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT) unexpected exit status 4: iptables: Resource temporarily unavailable.
2013-06-13 10:17:17.349+0000: 2518: error : networkAddMasqueradingIptablesRules:1582 : failed to add iptables rule to allow forwarding to 'virbr0'

The file /tmp/ipt was empty, although one of the test rules was missing as well...

As you might have seen, I included a commented "sleep 3" in the /usr/local/sbin/lxc_net_up.sh script. If you uncomment this, so that the iptables calls are delayed, the rule insertion works as expected.

I would expect that iptables itself waits for any insertions and then executes the next requests instead of failing (sometimes even silently).
Best regards,
Frank

-- System Information:
Debian Release: jessie/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.9-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iptables depends on:
ii  libc6          2.17-5
ii  libnfnetlink0  1.0.1-2
ii  libxtables10   1.4.18-1

iptables recommends no packages.

iptables suggests no packages.

-- no debconf information
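As an added example (not part of the bug report and not code from iptables, lxc or libvirt), here is a POSIX sh wrapper that a hook script like lxc_net_up.sh could use to survive the race described above. It serializes iptables calls between scripts that share the wrapper behind a mkdir-based lock, and it retries when iptables exits with status 4, the status libvirtd logged above for "Resource temporarily unavailable", while returning any other failure immediately so real errors are not masked. The lock directory path, the retry count and the delay are assumptions. Note that iptables 1.4.20 and later added the -w/--wait option, which makes the client itself wait for the xtables lock instead of exiting 4; the wrapper below is for the 1.4.18 situation reported here, and it cannot stop a program that does not use it (libvirtd) from racing the script, which is why the retry is kept even under the lock.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumptions: the lock directory
# path and the retry count/delay below; adjust them for your system.

IPT_LOCK_DIR=${IPT_LOCK_DIR:-/run/lock/ipt-serialize}   # assumed path
IPT_RETRY_DELAY=${IPT_RETRY_DELAY:-1}                   # seconds between tries

# ipt_retry MAX_TRIES CMD [ARGS...]
# Runs CMD and retries only when it exits with status 4, which is what
# iptables returned in the libvirtd log ("Resource temporarily unavailable").
# Any other status (0 = success, 1/2 = real errors) is returned at once.
ipt_retry() {
    max=$1; shift
    n=1
    while :; do
        if "$@"; then
            return 0
        else
            rc=$?
        fi
        if [ "$rc" -ne 4 ] || [ "$n" -ge "$max" ]; then
            return "$rc"
        fi
        n=$((n + 1))
        sleep "$IPT_RETRY_DELAY"
    done
}

# with_ipt_lock CMD [ARGS...]
# Serializes CMD among scripts that use this wrapper. mkdir is atomic, so
# exactly one caller creates the directory; the others wait until it is
# removed. A script killed between mkdir and rmdir leaves a stale lock, so
# keep the lock directory on tmpfs (/run) so it disappears on reboot.
with_ipt_lock() {
    while ! mkdir "$IPT_LOCK_DIR" 2>/dev/null; do
        sleep "$IPT_RETRY_DELAY"
    done
    if "$@"; then rc=0; else rc=$?; fi
    rmdir "$IPT_LOCK_DIR"
    return "$rc"
}

# ipt_insert IPTABLES_ARGS...
# Drop-in for the two calls in lxc_net_up.sh: locked and retried up to 5 times.
ipt_insert() {
    with_ipt_lock ipt_retry 5 /sbin/iptables "$@"
}

# Usage, as lxc_net_up.sh would call it:
# ipt_insert -I FORWARD -m state -d 192.168.123.10 -p tcp --state NEW,RELATED,ESTABLISHED -j ACCEPT
```

Because with_ipt_lock returns the wrapped command's exit status, the hook script can still log or abort on a persistent failure instead of silently losing the rule.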

