Details
Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Description
The backend iptables.pm module will only attempt a single iptables operation at a time. However, if some external process is performing an iptables operation at the same time, the following problems may occur:

iptables.pm:get_table_info|1602| ---- WARNING ----
iptables.pm:get_table_info|1602| 2017-06-23 14:28:25
iptables.pm:get_table_info|1602| failed to list rules from 'filter' table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
iptables.pm:get_table_info|1602| /sbin/iptables --list-rules --table filter
iptables.pm:get_table_info|1602| output:
iptables.pm:get_table_info|1602| Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

iptables.pm:create_chain|1221| ---- WARNING ----
iptables.pm:create_chain|1221| 2017-06-23 14:28:25
iptables.pm:create_chain|1221| failed to create 'vcl-post_load' chain in 'filter' table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
iptables.pm:create_chain|1221| /sbin/iptables --new-chain vcl-post_load --table filter
iptables.pm:create_chain|1221| output:
iptables.pm:create_chain|1221| Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

iptables.pm:_insert_rule|782| ---- WARNING ----
iptables.pm:_insert_rule|782| 2017-06-23 14:28:25
iptables.pm:_insert_rule|782| failed to add iptables rule to INPUT chain in filter table on vcl-dc2-98-37.cjmattin, exit status: 4, command:
iptables.pm:_insert_rule|782| /sbin/iptables --insert INPUT --table filter --jump vcl-post_load --match comment --comment "VCL: jump to rules added during the post-load stage (2017-06-23 14:28:25)"
iptables.pm:_insert_rule|782| output:
iptables.pm:_insert_rule|782| Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
I have seen this on an image which is using Puppet for additional configuration.
The -w option does this (from the iptables man page):

-w, --wait [seconds]
Wait for the xtables lock. To prevent multiple instances of the program from running concurrently, an attempt will be made to obtain an exclusive lock at launch. By default, the program will exit if the lock cannot be obtained. This option will make the program wait (indefinitely or for optional seconds) until the exclusive lock can be obtained.
We cannot simply add the -w option to every iptables command because earlier versions of iptables do not support it. Instead, the output of a failed command could be checked for the "-w option" hint shown above; if it is present, the same command can be retried with -w, since the hint itself shows that this iptables build supports it.
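A shell sketch of the detect-and-retry approach described above, as an added example that is not VCL's iptables.pm code. It assumes an IPTABLES variable pointing at the iptables binary; the retry uses a bare -w because the optional seconds argument is not accepted by every build that knows -w.

```shell
#!/bin/sh
# Added example (not part of VCL): run an iptables command once; if it fails
# only because another process holds the xtables lock, retry it with -w.
# Any other failure (bad rule, unknown chain, ...) is returned unchanged.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # assumption: path to the iptables binary

# The hint iptables prints when the lock is held and -w was NOT given. It is
# absent from the "Stopped waiting" message a -w run produces, so matching on
# it can never cause a second retry.
LOCK_HINT='Perhaps you want to use the -w option'

# Usage: run_iptables <iptables args...>
# Prints the (final) iptables output on stdout, returns its exit status.
run_iptables() {
    status=0
    out=$("$IPTABLES" "$@" 2>&1) || status=$?
    if [ "$status" -ne 0 ]; then
        case "$out" in
            *"$LOCK_HINT"*)
                # The hint proves this iptables build supports -w, so it is
                # safe to add it here even though older builds would reject it.
                status=0
                out=$("$IPTABLES" -w "$@" 2>&1) || status=$?
                ;;
        esac
    fi
    printf '%s\n' "$out"
    return "$status"
}
```

In iptables.pm the same check would sit where the exit status of each command is examined, so only commands that actually hit the lock pay the cost of a second run.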