-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2/20/20 1:34 AM, Michael Uray wrote: > > Hi guys, > > > > Shorewall removes for some reason Docker iptable chains like "DOCKER-ISOLATION-STAGE-1" on a Shorewall restart. > > > > root@dk1:~# cat /etc/shorewall/shorewall.conf | grep DOCKER > > DOCKER=Yes > > > > root@dk1:~# iptables -L -v | grep DOCKER > > 5427 2371K DOCKER-USER all -- any any anywhere anywhere > > 5427 2371K DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere > > 0 0 DOCKER all -- any docker0 anywhere anywhere > > 177 10552 DOCKER all -- any br-61206706fa14 anywhere anywhere > > 1615 282K DOCKER all -- any any anywhere anywhere > > Chain DOCKER (3 references) > > Chain DOCKER-USER (1 references) > > Chain DOCKER-ISOLATION-STAGE-1 (1 references) > > 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere > > 432 126K DOCKER-ISOLATION-STAGE-2 all -- br-61206706fa14 !br-61206706fa14 anywhere anywhere > > Chain DOCKER-ISOLATION-STAGE-2 (2 references) > > > > systemctl restart shorewall.service > > > > root@dk1:~# iptables -L -v | grep DOCKER > > 124 56242 DOCKER-USER all -- any any anywhere anywhere > > 124 56242 DOCKER-ISOLATION all -- any any anywhere anywhere > > 0 0 DOCKER all -- any docker0 anywhere anywhere > > 21 2308 DOCKER all -- any any anywhere anywhere > > Chain DOCKER (2 references) > > Chain DOCKER-ISOLATION (1 references) > > Chain DOCKER-USER (1 references) > > > > root@dk1:~# apt-show-versions shorewall docker-ce > > docker-ce:amd64/buster 5:19.03.6~3-0~debian-buster uptodate > > shorewall:all/buster 5.2.3.2-1 uptodate > > > > > > All the other relevant configuration looks like this: > > > > root@dk1:~# cat /etc/shorewall/interfaces > > net ens3 - routefilter,tcpflags > > vpn tun0 > > dock docker0 - physical=docker+,routeback=1 > > dock br - physical=br-+,routeback=1 > > > > root@dk1:~# cat /etc/shorewall/interfaces > > net ens3 - routefilter,tcpflags > > vpn tun0 > > dock docker0 - physical=docker+,routeback=1 > > 
dock br - physical=br-+,routeback=1 > > > > root@dk1:~# cat /etc/shorewall/policy > > net fws DROP > > fws all ACCEPT > > vpn fws ACCEPT > > dock fws REJECT > > dock all ACCEPT > > all all DROP > > > > A restart of Docker is required after a restart of Shorewall to get the chains back. > > I already described my problem there, but I have not found a solution so far. > > https://gist.github.com/lukasnellen/20761a20286f32efc396e207d986295d#gistcomment-3182557 > > > > As far as I understand, this problem was already fixed in Shorewall 5.2.1.1 <https://sourceforge.net/p/shorewall/mailman/message/36453003/>. > > > The code added in 5.2.1.1 expected either the DOCKER-ISOLATION chain or the DOCKER-ISOLATION-STAGE-* chains to exist but not both. Where both exist, only the DOCKER-ISOLATION chain is preserved. The attached patch attempts to correct that logic so that when all three chains exist, they will all be preserved.
cd /usr/share/shorewall/Shorewall patch -p4 < path/to/ISOLATION.patch Please let me know if this solves your problem. Thanks, - -Tom - -- Tom Eastep \ Q: What do you get when you cross a mobster Shoreline, \ with an international standard? Washington, USA \ A: Someone who makes you an offer you http://shorewall.org \ can't understand \________________________________________ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIzBAEBCgAdFiEEFNMNR63CLO6yqbL8luaz8kI6TRAFAl5O0SUACgkQluaz8kI6 TRD7hA//c/CJDtuoy1Zh+cQMiBLC/sKTa7SUf52sC9xprCGHWT4Pbhww98dHc28M Wi02DV7T8WqnrjIV2sGVtLVPU+CS5tBgl67PNNZIMlgT7tNg02hEJ0rNCwgsnnc8 d0fRqcVrk1WjSNekzC3ltEppJ55pAe3HT/wswSN6uvVZxmDM/x0NL0f9pdqgr7pO a7CEM4MfO0SW1Pw9fofSF5SAGt7U0PCjtOSmQsu/KmzXQa6lLb7K+miBOBe19VV4 sDxFKhl7gxlQB2oek8tNxNKtw3qaHluhzez33mvz5hagMSh5yTin1Wr0DRT6lL7+ 1LNBqvN/yfrND+QQEP/vqUhxirlCJc3/wM3HyxrWGIeEtzKu7GfbLraJYucv6KRF UNnxhzyQuQIVyuQ2qV3DS28QeiMAzCe9V8tGP3TcfRTAydxkHWt/K+512EdkJUbL yNjQjvHhfsyKBEIv+nsmKroTSfzd2yWAf6QktrjuYdC/EhMBVLwV/faiTNXore4B 0JFvR4jjrkaqCUkbSX2ks3XN0cIuvZxECUaJDpFt7pJmQeu4iRnguSFV/J11uRhM zKwP1hHm3drR/E0QyY4TdzFFZGSd/66YL7HhPppZQyvQw7jbJmPsYkqJPUrQ/Xy+ IL8CRvv5vh7XqJ7uQ9CDUFXO5tHpeETVEALt7KrrJlimGWHRAwc= =iKua -----END PGP SIGNATURE-----
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 4c65f0f8f..df30d8884 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -8713,6 +8713,9 @@ sub save_docker_rules($) {
qq( ;;),
qq( Two\)),
qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
+ qq( if chain_exists DOCKER_ISOLATION; then),
+ qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
+ qq( fi),
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
qq( ;;),
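Review bot: The new guard on the added `if` line tests `chain_exists DOCKER_ISOLATION` with an underscore, while the chain every other line of this hunk refers to is `DOCKER-ISOLATION`; as written the test can never match the real chain, so in the Two branch `${VARDIR}/.filter_DOCKER-ISOLATION` is never written and the legacy chain's rules are not saved, which is exactly the case the patch sets out to fix. The line should read `qq( if chain_exists DOCKER-ISOLATION; then),`. The two `DOCKER-ISOLATION-STAGE-*` dump lines that follow remain unguarded, which matches the branch's prior behaviour, and the preceding `rm -f` glob ensures no stale file survives when the chain is absent. save_docker_rules begins and ends outside the hunk.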
@@ -9238,7 +9241,7 @@ sub create_netfilter_load( $ ) {
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
ensure_cmd_mode;
emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
ensure_cmd_mode;
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
} elsif ( $name eq 'DOCKER-INGRESS' ) {
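Review bot: The widened pattern `/^DOCKER-ISOLATION/` on the new elsif line cannot change which names reach this branch, because the preceding `$name eq 'DOCKER-ISOLATION'` branch already consumes the exact name and every other name matching the new pattern also matched the old `/^DOCKER-ISOLATION-/`; the same applies to the identical change in the create_stop_load hunk below. Meanwhile the exact-match branch still emits the `:DOCKER-ISOLATION - [0:0]` declaration only when `$g_dockernetwork` is `One`, and the Compiler.pm hunk now selects `Two` whenever DOCKER-ISOLATION-STAGE-1 exists, so on a host with all three chains the DOCKER-ISOLATION chain appears not to be declared on load — presumably the opposite of what is intended. Changing that condition to `emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );`, as create_stop_load already does, and either dropping or commenting the now-redundant regex change would make the intent explicit. I can't see from here whether `.filter_DOCKER-ISOLATION` is later restored in the Two case; that path would need the same treatment. create_netfilter_load continues outside the hunk.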
@@ -9454,7 +9457,7 @@ sub create_stop_load( $ ) {
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
ensure_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
ensure_cmd_mode;
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
} elsif ( $name eq 'DOCKER-INGRESS' ) {
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index a666af0b0..926326708 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -270,10 +270,10 @@ sub generate_script_2() {
);
emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
- emit( 'if chain_exists DOCKER-ISOLATION; then',
- ' g_dockernetwork=One',
- 'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
+ emit( 'if chain_exists DOCKER-ISOLATION-STAGE-1; then',
' g_dockernetwork=Two',
+ 'elif chain_exists DOCKER-ISOLATION; then',
+ ' g_dockernetwork=One',
'fi' );
}
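Review bot: The reordered `if`/`elif` carries no comment explaining why DOCKER-ISOLATION-STAGE-1 now takes precedence over DOCKER-ISOLATION; the reason lives only in the mail, and a later reader could plausibly restore the old order. A comment before the emit, such as `# Newer Docker creates DOCKER-ISOLATION-STAGE-1/2 and may leave a DOCKER-ISOLATION chain as well; prefer Two so all three are saved and restored`, would pin the intent. Note that once Two is selected with the legacy chain present, every consumer of `$g_dockernetwork` must also handle that chain (see the Chains.pm hunks). generate_script_2 begins outside the hunk.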
