Symptoms
The CSF service will not start due to the following error:
csf: Error: FASTSTART: (CC_DENY [tz] IPv4) [] [Another app is currently holding the xtables lock.
Perhaps you want to use the -w option?]. Try restarting csf with FASTSTART disabled, at line 5781 in /usr/sbin/csf
Description
This error is most likely being returned when you try to start CSF because certain IPtables rules cannot be added in the current state of IPtables. This exact error means that a certain country code is not able to be added to the block list. However, we can bypass this error by enabling the overall CSF timeout (WAITLOCK) or having CSF start slower. Disabling "FASTSTART" requires CSF to take more time to start up and load its rules. However, this may be required in some circumstances.
Workaround
First Method
Configserver has a knowledgebase article suggesting what to do if encountering this error. They suggest to edit the file /etc/csf/csf.conf and set the value for "WAITLOCK" to 1. As done below:
WAITLOCK = "1"
Then you can attempt to restart CSF using the command below:
systemctl restart csf.service
Second Method:
Alternatively, you can disable "FASTSTART" for CSF using the steps shown in the article here:
CSF Service Not Starting When The FASTSTART option Is Enabled