Ok so the "original" rules (sans-shorewall) contain a plethora of
docker-related and libvirt-related rules (attached). In my ruleset I do
reference the virtual bridge device virbr0, so perhaps that's where the
mixup is happening.

What seems to actually be happening is that *ONE* libvirt chain is
preserved for further processing by shorewall (LIBVIRT_PRT, in mangle),
when it shouldn't. The other libvirt chains seem to be getting clobbered
correctly and replaced with shorewall rules which reference the same
device.  It's entirely possible that the upgrade brought along a version of
libvirt which added that chain and that's where the problem is coming from.

As ever, I'll defer to you guys if you think this can be solved some other
way. Is there a way to tell shorewall to keep/ignore specific chains (i.e.
to tell it to ignore ALL the libvirt stuff)?

Cheers!

--
*Diego Rivera*


On Sat, Feb 15, 2020 at 6:48 PM Tom Eastep <teas...@shorewall.net> wrote:

> On 2/15/20 4:30 PM, Diego Rivera wrote:
> > Ok sorry for the noise.
> >
> > I have a better feel for why running things twice with "debug" enabled
> > appeared to be working. Turns out that the first invocation with "debug"
> > fails as expected, but also fails to restore the rules that were
> > originally present when shorewall was invoked (i.e. the
> > "bad/incompatible" docker/libvirt rules). Thus, when run the 2nd time,
> > things apparently succeed because these rules aren't present, and thus
> > there's nothing there for shorewall to trip over and explode.
> >
> > So the bug seems to be the fact that using debug clobbers and fails to
> > restore the previous rules.
> >
> > That doesn't solve my problem, though. I'm still perusing through Google
> > and have yet to find a similar situation. It seems to me that some of
> > the libvirt-generated rules should be given treatment similar to the
> > docker rules. I'm not sure how this was done previously other than the
> > fact that everything worked as intended and I never bothered to audit
> > what was being done.
> >
> > Any insights or suggestions will be greatly appreciated.
> >
>
> Shorewall has *never* had any integration with libvirt, so I am at a
> loss to explain how this ever worked (how the failing rule ever worked).
> Also, Shorewall's Docker integration is based on older versions of
> Docker so upgrading Docker can also result in problems.
>
> -Tom
> --
> Tom Eastep        \ Q: What do you get when you cross a mobster
> Shoreline,         \    with an international standard?
> Washington, USA     \ A: Someone who makes you an offer you
> http://shorewall.org \    can't understand
>                       \________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

Attachment: iptables-save
Description: Binary data
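Added example, not code from this thread or from Shorewall: a POSIX shell check that reads an iptables-save dump and lists, per table, the libvirt and Docker chains Shorewall did not create and whether a -j still reaches them. Run before and after a restart it surfaces exactly the kind of surviving LIBVIRT_PRT chain in mangle described above; the sample dump below is constructed, not the real attachment.

```shell
# Scan an iptables-save dump for chains Shorewall did not create (libvirt's
# LIBVIRT_* and Docker's DOCKER* chains) and report, per table, whether each is
# still wired in via a -j jump. A leftover like LIBVIRT_PRT in mangle is what
# "shorewall start" has to contend with, so run this before and after a restart.
# Usage: foreign_chains < iptables-save-output ; prints "<table> <chain> <jumped|orphan>"
foreign_chains() {
    awk '
        /^\*/ { table = substr($0, 2); next }        # "*mangle" opens a table
        /^:/ {                                       # ":NAME POLICY [p:b]" declares a chain
            name = substr($1, 2)
            if (name ~ /^(LIBVIRT_|DOCKER)/) order[++n] = table SUBSEP name
            next
        }
        /^-A / {                                     # rule lines: record every jump target
            for (i = 1; i < NF; i++) if ($i == "-j") jumped[table SUBSEP $(i+1)] = 1
            next
        }
        END {
            for (k = 1; k <= n; k++) {
                split(order[k], parts, SUBSEP)
                printf "%s %s %s\n", parts[1], parts[2], (order[k] in jumped) ? "jumped" : "orphan"
            }
        }
    '
}
# Constructed sample dump (not the attachment from the thread): a libvirt chain in
# mangle still jumped to from POSTROUTING, a libvirt chain in filter that is declared
# but no longer referenced, and a Docker chain in nat.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
*filter
:INPUT DROP [0:0]
:LIBVIRT_INP - [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT'
report_sample() { printf '%s\n' "$SAMPLE_DUMP" | foreign_chains; }
```

On a live host, `iptables-save | foreign_chains` gives the same report for the running ruleset; an "orphan" line is a chain that survived a restart but nothing jumps to any more, a "jumped" line is one still in the packet path.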
