On Thu, Feb 9, 2017 at 12:47 PM, Raphael Bauduin <rbli...@gmail.com> wrote:

>
>
> On Wed, Jan 25, 2017 at 9:35 AM, Raphael Bauduin <rbli...@gmail.com>
> wrote:
>
>>
>>
>> On Wed, Jan 25, 2017 at 1:50 AM, Tom Eastep <teas...@shorewall.net>
>> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> On 01/24/2017 03:40 AM, Raphael Bauduin wrote:
>>> > Hi,
>>> >
>>> > I'm running shorewall 5.0.14.1 on centos 7.3.1611, and I have
>>> > enabled docker in shorewall.conf:
>>> >
>>> > # grep DOCKER shorewall.conf
>>> > DOCKER=Yes
>>> >
>>> > I have defined a zone for docker:
>>> >
>>> > # grep dock *
>>> > interfaces:dock   docker0   bridge
>>> > policy:dock   all   REJECT   info
>>> > zones:dock   ipv4
>>> >
>>> > when I start shorewall, there is no DOCKER chain created:
>>> >
>>> > # iptables -t nat -L | grep -i docker | wc -l
>>> > 0
>>> >
>>> > From my understanding it should have been created. Am I wrong or am
>>> > I doing something wrong?
>>> >
>>>
>>> Shorewall only (re-)creates the chain if it exists before the
>>> (re-)start or reload.
>>
>>
>> OK, thanks. I got in a situation where the DOCKER chain was absent. I
>> think it was following a shorewall restore at boot when docker was already
>> started.
>> In that case, starting a container failed because docker expected the
>> chain to be present, but it wasn't as the restore from shorewall had
>> removed it.
>>
>>
> Hi,
>
> shorewall restart (or stop and start) seems to lose the DOCKER rules:
>
> # shorewall forget
> # systemctl restart docker
> # iptables -L -n | grep DOCKER
> DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
> DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
> Chain DOCKER (1 references)
> Chain DOCKER-ISOLATION (1 references)
> # shorewall restart > /tmp/out
>    WARNING: The LEGACY_FASTSTART configuration option is no longer supported /etc/shorewall/shorewall.conf (line 171)
>    WARNING: The IPSECFILE configuration option is no longer supported /etc/shorewall/shorewall.conf (line 274)
> # iptables -L -n | grep DOCKER
>
>
> Is there a way to restart shorewall and keep the DOCKER chains?
>
>
>

Am I doing something completely stupid here? I thought it was supposed to
work and recreate the DOCKER chains. Please let me know, thanks.



>
> Thanks
>
>
>
>
>> Raphaël
>>
>
>
>
> --
> Web database: http://www.myowndb.com
> Free Software Developers Meeting: http://www.fosdem.org
>



-- 
Web database: http://www.myowndb.com
Free Software Developers Meeting: http://www.fosdem.org
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
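
The check done by hand in this thread with `iptables -L -n | grep DOCKER`, written as a comparison of two `iptables-save` dumps taken before and after a firewall restart. This is an added example, not part of the original messages or of Shorewall; the function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# List "table chain" for every chain named DOCKER* in an iptables-save dump on stdin.
docker_chains() {
    awk '
        /^\*/      { table = substr($0, 2); next }  # "*filter" opens a table section
        /^:DOCKER/ { print table, substr($1, 2) }   # ":DOCKER - [0:0]" declares a chain
    ' | LC_ALL=C sort
}

# Print the chains present in dump $1 (before restart) but missing from dump $2 (after).
lost_docker_chains() {
    before=$(printf '%s\n' "$1" | docker_chains)
    after=$(printf '%s\n' "$2" | docker_chains)
    printf '%s\n' "$before" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s\n' "$after" | grep -Fxq -- "$entry" || printf '%s\n' "$entry"
    done
}

# Constructed sample dumps (not captured from a real host).
SAMPLE_BEFORE='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
COMMIT'

SAMPLE_AFTER='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT'

# On a live host (as root): before=$(iptables-save), restart the firewall,
# after=$(iptables-save), then call lost_docker_chains "$before" "$after".
lost_docker_chains "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

Empty output means every DOCKER* chain survived the restart; any line printed names a table and chain that Docker will expect to find when it next starts a container.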
