On 05/21/2016 10:35 PM, Roberto C. Sánchez wrote:
> I am starting to experiment with Docker on a Linode host. I am running
> Docker 1.6 (from jessie-backports) and Shorewall 5.0.7.2. I followed
> the HOWTO on shorewall.org for getting Shorewall setup to interact
> properly with Docker.
>
> However, whenever I reboot my host, I see a console message that
> Shorewall failed to start. The log shows this:
>
> May 22 01:28:57 node01 shorewall[388]: Running /sbin/iptables-restore...
> May 22 01:28:57 node01 shorewall[388]: iptables-restore v1.4.21: Couldn't
> load target `DOCKER':No such file or directory
> May 22 01:28:57 node01 shorewall[388]: Error occurred at line: 29
> May 22 01:28:57 node01 shorewall[388]: Try `iptables-restore -h' or
> 'iptables-restore --help' for more information.
> May 22 01:28:57 node01 shorewall[388]: ERROR: /sbin/iptables-restore Failed.
> May 22 01:28:57 node01 logger[784]: Shorewall Stopped
> May 22 01:28:57 node01 shorewall[388]: Terminated
> May 22 01:28:57 node01 systemd[1]: shorewall.service: main process exited,
> code=exited, status=143/n/a
> May 22 01:28:57 node01 systemd[1]: Failed to start Shorewall IPv4 firewall.
> May 22 01:28:57 node01 systemd[1]: Unit shorewall.service entered failed
> state.
>
> I have already tried adding docker.service to the After line under
> [Unit] in shorewall.service, but the problem persists. Do I need to
> declare the docker0 bridge as option in /etc/shorewall/interfaces?
>
It's a bug which manifests itself when Shorewall starts before Docker.
Patch attached.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 2ce4388..f112b2f 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -649,9 +649,15 @@ sub create_docker_rules() {
add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
- add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
decr_cmd_level( $chainref );
add_commands( $chainref, 'fi' );
+
+ my $outputref;
+ add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
+ incr_cmd_level( $outputref );
+ add_ijump( $outputref, j => 'DOCKER' );
+ decr_cmd_level( $outputref );
+ add_commands( $outputref, 'fi' );
}
add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
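Review bot: the new `if [ -n "$g_docker" ]; then` block emitted into the OUTPUT chain has no comment saying why the jump to DOCKER is now conditional, so the reason (the DOCKER target may not exist yet when the ruleset is loaded) is only recoverable from the list thread. A one-line comment above `my $outputref;` would cover it. It is also worth confirming that this test is the same condition that opens the `$chainref` block closed by the `fi` just above, since that opening line is outside the hunk and the two guards should not drift apart. As a style point, the assignment buried in the argument list, `add_commands( $outputref = $filter_table->{OUTPUT}, ... )`, reads more clearly as `my $outputref = $filter_table->{OUTPUT};` on its own line followed by a plain `add_commands( $outputref, ... )`.
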
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
