From d83d53c7e8e5c218dd19ef9a0cfe3941820fdf96 Mon Sep 17 00:00:00 2001 From: Dmitry Ilvokhin Date: Sun, 4 Jan 2026 15:59:47 +0000 Subject: Wait for /run/xtables.lock for wireguard rules When box is restarted seems like there is a race to take iptables lock file and some units can not start because of that. In the log error looks like this. Can't lock /run/xtables.lock: Resource temporarily unavailable Another app is currently holding the xtables lock. Perhaps you want to use the -w option? Take iptables suggestion and wait for the xtables lock. Downside is if something is not going to release the lock, then we stall forever.
---
 roles/wgtor/templates/wgtor0.conf.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'roles/wgtor')
diff --git a/roles/wgtor/templates/wgtor0.conf.j2 b/roles/wgtor/templates/wgtor0.conf.j2
index 6acb081..d535967 100644
--- a/roles/wgtor/templates/wgtor0.conf.j2
+++ b/roles/wgtor/templates/wgtor0.conf.j2
@@ -6,10 +6,10 @@ ListenPort = 51822 # See for source of iptables rules. # https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
-PostUp = iptables -t nat -A PREROUTING -i %i -p udp --dport 53 -j REDIRECT --to-ports 5353
-PostUp = iptables -t nat -A PREROUTING -i %i -p udp --dport 5353 -j REDIRECT --to-ports 5353
-PostUp = iptables -t nat -A PREROUTING -i %i -p tcp --syn -j REDIRECT --to-ports 9040
-PostUp = iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
+PostUp = iptables --wait -t nat -A PREROUTING -i %i -p udp --dport 53 -j REDIRECT --to-ports 5353
+PostUp = iptables --wait -t nat -A PREROUTING -i %i -p udp --dport 5353 -j REDIRECT --to-ports 5353
+PostUp = iptables --wait -t nat -A PREROUTING -i %i -p tcp --syn -j REDIRECT --to-ports 9040
+PostUp = iptables --wait -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
 PostDown = iptables -t nat -D PREROUTING -i %i -p udp --dport 53 -j REDIRECT --to-ports 5353
 PostDown = iptables -t nat -D PREROUTING -i %i -p udp --dport 5353 -j REDIRECT --to-ports 5353
-- cgit v1.2.3-70-g09d2
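Review bot: The two `PostDown` lines visible as trailing context still call `iptables` without `--wait`, so teardown can hit the same xtables lock contention and may leave the REDIRECT rules installed after the interface goes down. They should get the same flag, e.g. `PostDown = iptables --wait -t nat -D PREROUTING -i %i -p udp --dport 53 -j REDIRECT --to-ports 5353`. The unbounded stall noted in the commit message can be avoided because `--wait` accepts an optional number of seconds: with `iptables --wait 30 ...` (30 is an example value) a stuck lock holder makes the command fail and show up in the unit log instead of hanging. It is worth confirming how the interface bring-up reacts when one of the four `PostUp` rules fails, since a partially installed set would leave some client traffic without the redirect to the Tor ports. The template continues past this hunk, so any remaining `PostDown` lines are not visible here.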