author    Dmitry Ilvokhin <d@ilvokhin.com>  2026-01-04 15:59:47 +0000
committer Dmitry Ilvokhin <d@ilvokhin.com>  2026-01-04 15:59:47 +0000
commit    d83d53c7e8e5c218dd19ef9a0cfe3941820fdf96
tree      e999db8254211d10ad400162b41339b460089c19
parent    b6c70ab314b7ab6dd94cc7b796b67f89f3e5ea50
download  infra-d83d53c7e8e5c218dd19ef9a0cfe3941820fdf96.tar.gz
          infra-d83d53c7e8e5c218dd19ef9a0cfe3941820fdf96.tar.bz2
          infra-d83d53c7e8e5c218dd19ef9a0cfe3941820fdf96.zip
Wait for /run/xtables.lock for wireguard rules
When the box is restarted, it seems like there is a race to take the iptables lock file, and some units cannot start because of that. In the log, the error looks like this:

    Can't lock /run/xtables.lock: Resource temporarily unavailable
    Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Take iptables' suggestion and wait for the xtables lock. The downside is that if something is not going to release the lock, then we stall forever.
 roles/wgtor/templates/wgtor0.conf.j2 | 8
 roles/wgvpn/templates/wgvpn0.conf.j2 | 6
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/roles/wgtor/templates/wgtor0.conf.j2 b/roles/wgtor/templates/wgtor0.conf.j2
index 6acb081..d535967 100644
--- a/roles/wgtor/templates/wgtor0.conf.j2
+++ b/roles/wgtor/templates/wgtor0.conf.j2
@@ -6,10 +6,10 @@ ListenPort = 51822
# See for source of iptables rules.
# https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
-PostUp = iptables -t nat -A PREROUTING -i %i -p udp --dport 53 -j REDIRECT --to-ports 5353
-PostUp = iptables -t nat -A PREROUTING -i %i -p udp --dport 5353 -j REDIRECT --to-ports 5353
-PostUp = iptables -t nat -A PREROUTING -i %i -p tcp --syn -j REDIRECT --to-ports 9040
-PostUp = iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
+PostUp = iptables --wait -t nat -A PREROUTING -i %i -p udp --dport 53 -j REDIRECT --to-ports 5353
+PostUp = iptables --wait -t nat -A PREROUTING -i %i -p udp --dport 5353 -j REDIRECT --to-ports 5353
+PostUp = iptables --wait -t nat -A PREROUTING -i %i -p tcp --syn -j REDIRECT --to-ports 9040
+PostUp = iptables --wait -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
PostDown = iptables -t nat -D PREROUTING -i %i -p udp --dport 53 -j REDIRECT --to-ports 5353
PostDown = iptables -t nat -D PREROUTING -i %i -p udp --dport 5353 -j REDIRECT --to-ports 5353
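Review bot: the PostDown lines at the end of this hunk still call iptables without `--wait`, yet they hit the same /run/xtables.lock contention at shutdown or `wg-quick down`; if a `-D` fails with "Resource temporarily unavailable" the NAT REDIRECT rules stay installed, and the `OUTPUT -p tcp -d 10.192.0.0/10` rule in particular does not reference %i, so it keeps redirecting traffic to port 9040 after the tunnel is gone and is duplicated on every restart. Add `--wait` to the PostDown rules as well, and consider a bounded wait such as `iptables --wait 5 -t nat -A PREROUTING ...` so a lock holder that never releases fails the unit with an error instead of stalling it forever, which the commit message already flags as the downside.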
diff --git a/roles/wgvpn/templates/wgvpn0.conf.j2 b/roles/wgvpn/templates/wgvpn0.conf.j2
index d70832c..090d4b2 100644
--- a/roles/wgvpn/templates/wgvpn0.conf.j2
+++ b/roles/wgvpn/templates/wgvpn0.conf.j2
@@ -3,9 +3,9 @@ PrivateKey = {{ wireguard_private_key }}
Address = 10.0.1.1/24
ListenPort = 51821
-PostUp = iptables -A FORWARD -i %i -j ACCEPT
-PostUp = iptables -A FORWARD -o %i -j ACCEPT
-PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostUp = iptables --wait -A FORWARD -i %i -j ACCEPT
+PostUp = iptables --wait -A FORWARD -o %i -j ACCEPT
+PostUp = iptables --wait -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
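Review bot: the same asymmetry appears here: only the three PostUp rules gain `--wait`, while the PostDown `-D FORWARD` rules (and, by extension, the MASQUERADE removal that follows them) are left racing for the lock. A failed delete on teardown leaves `-t nat POSTROUTING -o eth0 -j MASQUERADE` active for all forwarded traffic, since that rule is not tied to %i, and stacks a second copy on the next `up`. Make the PostDown lines `iptables --wait -D ...` to match, and prefer `--wait <seconds>` over an unbounded wait in both directions.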