FW3[BUG]: overwrite ipset name error Openwrt r11105-e39d1cf

@jow I get an error (Openwrt r11105-e39d1cf)

iptables -t nat -A set_output -m set --match-set $vt_np_ipset dst -j RETURN

Tue Sep 24 22:45:38 2019 daemon.notice procd:  Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Tue Sep 24 22:45:38 2019 daemon.info pppd[1987]: Renamed interface ppp0 to pppoe-wan

https://git.openwrt.org/?p=project/firewall3.git;a=blobdiff;f=ubus.c;h=cf5c8b103d72a9b9f59d764d29e8c09ad64e35a5;hp=bea91665c828f408eb655315140471e15cfdf4e9;hb=383eb58f1750b3b96a82558b5dcb806a8a2528bc;hpb=c26f8907d1d2921018240774b75cf9cfda352fa7

And? It's not related to the linked commit.

iptables -t nat -A set_output -m set --match-set $vt_np_ipset dst -j RETURN
Related to fixing this (https://forum.openwrt.org/t/fw3-ipset-config-to-procd-objects/44044/8), but introducing a new bug :-(

Try using the -w flag?

iptables -w ??
@jow Where is the -w parameter used? Please specify, thank you.

  • What bug?
  • Did you try -w?

From http://ipset.netfilter.org/iptables.man.html -

-w, --wait [seconds]

Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained. This option will make the program wait (indefinitely or for optional seconds) until the exclusive lock can be obtained.

Also - I've noted before, it may help if you provide more details in your original postings.

Still cannot overwrite ipset name attribute with -w :(
With it reverted, there won't be a -w problem:
https://git.openwrt.org/?p=project/firewall3.git;a=blobdiff;f=ubus.c;h=cf5c8b103d72a9b9f59d764d29e8c09ad64e35a5;hp=bea91665c828f408eb655315140471e15cfdf4e9;hb=383eb58f1750b3b96a82558b5dcb806a8a2528bc;hpb=c26f8907d1d2921018240774b75cf9cfda352fa7

I do not understand what your issue is about. Also overriding ipset names has nothing to do with -w. It is unclear what you do and why it fails.

  • Where and when do you execute iptables -t nat -A set_output -m set --match-set $vt_np_ipset dst -j RETURN ? From hotplug? From firewall user?
  • Does it work with iptables -w 3 -t nat -A set_output -m set --match-set $vt_np_ipset dst -j RETURN?

Please try to invest at least a little bit of effort in describing your issue if you already ping me directly and cross post on all possible channels.

Sorry for that, I will test it carefully and find out the problem, thx.
