Firewall failing to start

Hi all, the firewall systemd service is failing to start. This is the log:

❯ journalctl -u firewall.service -b 
-- Journal begins at Sat 2021-01-23 17:29:32 -03, ends at Sun 2021-02-28 18:02:51 -03. --
fev 28 16:44:08 watchmen systemd[1]: Starting Firewall...
fev 28 16:44:08 watchmen firewall-start[1509]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
fev 28 16:44:08 watchmen systemd[1]: firewall.service: Main process exited, code=exited, status=4/NOPERMISSION
fev 28 16:44:08 watchmen systemd[1]: firewall.service: Failed with result 'exit-code'.
fev 28 16:44:08 watchmen systemd[1]: Failed to start Firewall.

I use flakes and my configuration is stored here: GitHub - tfmoraes/nixoscfg. The options related to the firewall that I have are:

  • Enable firewall
    firewall = {
      enable = true;
    };
  • Open ports to Dropbox.
    networking.firewall = {
      allowedTCPPorts = [ 17500 ];
      allowedUDPPorts = [ 17500 ];
    };

Both docker and podman are playing with iptables and, if timed right, it results in a race condition that can cause firewall.service to fail. I’ve managed to hit this with virtualisation.oci-containers recently.

1 Like

This explains why, if I restart the firewall service, it starts correctly.

I don’t like the fact that the OS, podman and docker are racing…

Nix/OS is trying to be an operating system, and podman and docker are trying to be operating systems too.

Who will win?

might be of interest, but you're probably going to have to set the docker internal:external port mapping rules yourself. Personally, the less you get docker messing with your subsystem the better.

2 Likes
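
An added example, not part of any post in the thread: a small shell check that reads firewall.service journal lines and tells the xtables-lock race described above apart from other failures, since a failed unit means the rule set may not have been loaded at boot. The sample log lines are constructed from the ones quoted in the first post, and the "Finished Firewall" / "Started Firewall" success wording is an assumption about systemd's message format.

```shell
#!/usr/bin/env bash
# Added example: classify a firewall.service failure from its journal lines.
# Live use: journalctl -u firewall.service -b --no-pager | classify_firewall_failure

# Reads journal text on stdin and prints one of:
#   lock-contention  unit failed and firewall-start reported the xtables lock held
#   failed-other     unit failed with no lock message (cause lies elsewhere)
#   ok               no outstanding failure recorded for the unit
classify_firewall_failure() {
  awk '
    /firewall-start\[[0-9]+\]: .*holding the xtables lock/ { lock = 1 }
    /firewall\.service: Failed with result/               { failed = 1 }
    /Failed to start Firewall/                            { failed = 1 }
    # Assumed systemd success wording; a later good start clears earlier state.
    /Started Firewall|Finished Firewall/                  { lock = 0; failed = 0 }
    END {
      if (failed && lock) print "lock-contention"
      else if (failed)    print "failed-other"
      else                print "ok"
    }'
}

# Constructed sample: the failed boot quoted in the first post.
sample_failed_boot() {
  cat <<'EOF'
fev 28 16:44:08 watchmen systemd[1]: Starting Firewall...
fev 28 16:44:08 watchmen firewall-start[1509]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
fev 28 16:44:08 watchmen systemd[1]: firewall.service: Main process exited, code=exited, status=4/NOPERMISSION
fev 28 16:44:08 watchmen systemd[1]: firewall.service: Failed with result 'exit-code'.
fev 28 16:44:08 watchmen systemd[1]: Failed to start Firewall.
EOF
}

# Constructed sample: the same boot followed by a manual restart that succeeds.
sample_after_restart() {
  sample_failed_boot
  cat <<'EOF'
fev 28 16:50:12 watchmen systemd[1]: Starting Firewall...
fev 28 16:50:12 watchmen systemd[1]: Finished Firewall.
EOF
}

echo "failed boot:   $(sample_failed_boot | classify_firewall_failure)"
echo "after restart: $(sample_after_restart | classify_firewall_failure)"
```

A "lock-contention" result points at the container-runtime race rather than a bad rule, which matches the observation that a manual restart succeeds.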