Internet connection sharing fails if xtables.lock is held by another app
If another application holds /run/xtables.lock while a connection profile with Internet sharing is activated, some of the iptables rules for shared mode may not be added.
In the case we are observing, Docker runs at startup and inserts a set of iptables chains using the --wait iptables option. If NetworkManager activates a connection profile in shared mode at the same time, this can lead to a race condition, since NetworkManager does not wait for the lock to be released. The result is that a random iptables rule is not added, which breaks Internet connection sharing.
An easy way to reproduce this manually is to run flock /run/xtables.lock sleep 30 in one terminal and activate a connection profile in shared mode in another terminal. The journal logs then show that all iptables commands fail and no rules are added.
If however --wait is added to the _share_iptables_call macro in nm-firewall-utils.c, then NetworkManager waits for the lock to be released and all the rules are added:
#define _share_iptables_call(...) _share_iptables_call_v(NM_MAKE_STRV(__VA_ARGS__, "--wait"))
Please note that the --wait option was added in iptables 1.4.20 in 93587a0, so older versions do not support it.