
Resolving `iptables` Version Incompatibility Issues With the `portblock` Resource Agent

On some Linux distributions, the packaged iptables utility is incompatible with the OCF portblock resource agent. This is a known incompatibility between iptables version 1.8.9 (and some 1.8.10 builds) and the portblock resource agent.

At the time of writing, the versions of Linux distributions that are known to be affected by this issue are:

  • Debian 12
  • Proxmox VE (based on Debian)
  • Ubuntu 24.04 LTS

Symptoms of the issue

In a high-availability deployment, the incompatibility between these iptables versions and the portblock resource agent can show up as:

  • Resource “flapping” between cluster nodes: DRBD Reactor (or another cluster resource manager) repeatedly tries to promote resources on different nodes, but the iSCSI or NFS services always fail to come up because of the portblock incompatibility.
  • An inability to connect to a promoted NFS or iSCSI resource, for example, in LINSTOR Gateway deployments.

Determining if your system is affected

To determine whether your system is affected by the iptables incompatibility, you can run the script below. It adds a harmless dummy iptables rule, reads the rule back with `iptables -nL` and checks whether the protocol column is printed by name (system is not affected) or as a number (system is affected), then deletes the dummy rule again.

#!/bin/bash
# Adds a dummy LOG rule for 1.2.3.4 to the OUTPUT chain, reads back the
# protocol column from "iptables -nL", then removes the rule again.

if [ "$(id -u)" -ne 0 ]; then
    echo "this check must run as root (iptables needs it)" >&2
    exit 1
fi

iptables -A OUTPUT -d 1.2.3.4 -j LOG -p tcp || exit 1

# Remove the dummy rule again even if the check below fails.
trap 'iptables -D OUTPUT -d 1.2.3.4 -j LOG -p tcp' EXIT

# Column 2 of "iptables -nL" is the protocol: "tcp" on an unaffected system,
# "6" (the protocol number) on an affected one.
case $(iptables -nL | awk '/^LOG/ && /1\.2\.3\.4/ { print $2; exit }') in
        tcp) echo "not affected" ;;
        6)   echo "affected"     ;;
        *)   echo "test failed"  ;;
esac

IMPORTANT: Run the script as root, or as a user with sudo privileges and prefix the command with sudo, because adding and deleting iptables rules requires root.

Fixing the issue

If your installed iptables version is 1.8.11 or newer, or your installed OCF resource-agents version is 4.14.0 or newer, no action is needed.

On the iptables side, this incompatibility was fixed in iptables version 1.8.10-124-g34f085b1, that is, a development snapshot after the 1.8.10 release, so any iptables release from 1.8.11 on is unaffected. Until the Linux distribution on which you face this issue ships such an iptables version in its package repositories, update the portblock resource agent to a patched version that works around the iptables incompatibility.

Instructions for fixing the issue on DEB-based systems

  1. Check for available versions of iptables:
    apt update && apt-cache madison iptables
    
  2. If the output shows that no iptables version 1.8.11 or newer is available, download the latest (patched) version of the portblock resource agent from upstream. This overwrites the agent installed by the resource-agents package, so keep a copy of the packaged file for rollback, and be aware that a later upgrade of that package will replace the patched agent again:
    wget -O /usr/lib/ocf/resource.d/heartbeat/portblock \
      https://raw.githubusercontent.com/ClusterLabs/resource-agents/main/heartbeat/portblock
    
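The version rule at the start of this section and the two steps above, combined into one script. This is an added example, not LINBIT's or ClusterLabs' own tooling. It assumes a Debian-style system (dpkg, dpkg-query, wget) with GNU coreutils, uses the thresholds stated above (iptables 1.8.11, resource-agents 4.14.0), and replaces the agent only when run as root with `--apply`. The function names (`version_ge`, `assess_versions`, `apply_workaround`, and so on) are this example's own.

```shell
#!/bin/bash
# Added example, not part of LINBIT's or ClusterLabs' tooling.
# Reports whether the portblock workaround is needed on a Debian-style system
# and applies it only when run as root with --apply.
# Assumed: dpkg/dpkg-query and wget present, GNU coreutils (sort -V), and the
# version thresholds stated in the article.

PORTBLOCK=/usr/lib/ocf/resource.d/heartbeat/portblock
UPSTREAM_URL=https://raw.githubusercontent.com/ClusterLabs/resource-agents/main/heartbeat/portblock
IPTABLES_FIXED=1.8.11   # first iptables release that no longer needs the workaround
AGENTS_FIXED=4.14.0     # resource-agents release whose portblock already has the fix

# version_ge A B: succeeds when A >= B in "sort -V" (version) ordering.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# "iptables v1.8.9 (nf_tables)" -> "1.8.9"
parse_iptables_version() {
    printf '%s\n' "$1" | awk '{ sub(/^v/, "", $2); print $2 }'
}

# "1:4.12.0-2" -> "4.12.0-2": drop the Debian epoch so that sort -V compares
# the upstream part of the package version against AGENTS_FIXED.
strip_epoch() {
    printf '%s\n' "${1#*:}"
}

# assess_versions IPTABLES_VER AGENTS_VER: prints needed, not-needed or unknown.
# Either argument may be empty when that component could not be found.
assess_versions() {
    local ipt_ver="$1" agents_ver="$2"
    if [ -z "$ipt_ver" ]; then
        echo unknown
    elif version_ge "$ipt_ver" "$IPTABLES_FIXED"; then
        echo not-needed
    elif [ -n "$agents_ver" ] && version_ge "$(strip_epoch "$agents_ver")" "$AGENTS_FIXED"; then
        echo not-needed
    else
        echo needed
    fi
}

detect_iptables_version() {
    command -v iptables >/dev/null 2>&1 || return 0
    parse_iptables_version "$(iptables --version 2>/dev/null)"
}

# Version of whichever package owns the portblock file, so the package name
# (which differs between distributions) is not guessed.
detect_agents_version() {
    local pkg
    command -v dpkg-query >/dev/null 2>&1 || return 0
    pkg=$(dpkg -S "$PORTBLOCK" 2>/dev/null | head -n1 | cut -d: -f1)
    [ -n "$pkg" ] || return 0
    dpkg-query -W -f='${Version}\n' "$pkg" 2>/dev/null
}

apply_workaround() {
    local tmp
    [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Refuse anything that is not a script (for example an HTML error page).
    if ! wget -q -O "$tmp" "$UPSTREAM_URL" || ! head -n1 "$tmp" | grep -q '^#!'; then
        echo "download failed or did not return a script" >&2
        rm -f "$tmp"
        return 1
    fi
    [ ! -e "$PORTBLOCK" ] || cp -p "$PORTBLOCK" "$PORTBLOCK.dist"   # keep the packaged agent for rollback
    install -m 0755 "$tmp" "$PORTBLOCK"
    rm -f "$tmp"
    echo "installed upstream portblock; packaged copy saved as $PORTBLOCK.dist"
}

main() {
    local ipt_ver agents_ver verdict
    ipt_ver=$(detect_iptables_version)
    agents_ver=$(detect_agents_version)
    verdict=$(assess_versions "$ipt_ver" "$agents_ver")
    echo "iptables ${ipt_ver:-not found}, portblock package ${agents_ver:-not found}: workaround $verdict"
    if [ "$verdict" = needed ] && [ "${1:-}" = --apply ]; then
        apply_workaround
    fi
}

main "$@"
```

Without arguments the script only reports. With `--apply` it downloads the upstream agent to a temporary file, checks that the download starts with a `#!` line rather than being an HTML error page, keeps the packaged copy beside it as `portblock.dist`, and installs the new file with mode 0755. Because the download replaces a package-owned file, the version dpkg records no longer describes what is installed, and the next upgrade of the package overwrites the patched agent; re-run the report after such upgrades.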

Once an iptables version 1.8.11 or newer becomes available in the package repositories of the affected Linux distributions, this workaround is no longer necessary.


Written by MAT, 2025-06-26.

Reviewed by CB, 2025-08-05.