From: Tom Eastep <[email protected]>

> The code added in 5.2.1.1 expected either the DOCKER-ISOLATION chain or the
> DOCKER-ISOLATION-STAGE-* chains to exist but not both. Where both exist, only
> the DOCKER-ISOLATION chain is preserved. The attached patch attempts to
> correct that logic so that when all three chains exist, they will all be
> preserved.
>
> cd /usr/share/shorewall/Shorewall
> patch -p4 < path/to/ISOLATION.patch
>
> Please let me know if this solves your problem.
Hello Tom,
thanks for your quick reply.
It unfortunately did not help to preserve the chains.
root@dk1:/usr/share/shorewall/Shorewall# patch -p4 < /root/shorewall_isolation_patch1.patch
patching file Chains.pm
Hunk #1 succeeded at 8706 (offset -7 lines).
Hunk #2 succeeded at 9234 (offset -7 lines).
Hunk #3 succeeded at 9450 (offset -7 lines).
patching file Compiler.pm
# reboot
root@dk1:~# iptables -L -v | grep DOCKER
1637 641K DOCKER-USER all -- any any anywhere anywhere
1637 641K DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 DOCKER all -- any br-ac3db22b180b anywhere anywhere
72 3868 DOCKER all -- any br-61206706fa14 anywhere anywhere
Chain DOCKER (3 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-ac3db22b180b !br-ac3db22b180b anywhere anywhere
298 62019 DOCKER-ISOLATION-STAGE-2 all -- br-61206706fa14 !br-61206706fa14 anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
Chain DOCKER-USER (1 references)
root@dk1:~# systemctl restart shorewall
root@dk1:~# systemctl status shorewall
● shorewall.service - Shorewall IPv4 firewall
Loaded: loaded (/lib/systemd/system/shorewall.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2020-02-21 09:06:53 CET; 23s ago
Process: 4752 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=0/SUCCESS)
Main PID: 4752 (code=exited, status=0/SUCCESS)
Feb 21 09:06:52 dk1 systemd[1]: Starting Shorewall IPv4 firewall...
Feb 21 09:06:52 dk1 shorewall[4752]: Starting Shorewall....
Feb 21 09:06:52 dk1 shorewall[4752]: Initializing...
Feb 21 09:06:52 dk1 shorewall[4752]: Setting up Route Filtering...
Feb 21 09:06:52 dk1 shorewall[4752]: Setting up Martian Logging...
Feb 21 09:06:52 dk1 shorewall[4752]: Preparing iptables-restore input...
Feb 21 09:06:52 dk1 shorewall[4752]: Running /sbin/iptables-restore --wait 60...
Feb 21 09:06:53 dk1 shorewall[4752]: done.
Feb 21 09:06:53 dk1 systemd[1]: Started Shorewall IPv4 firewall.
root@dk1:~# iptables -L -v | grep DOCKER
650 253K DOCKER-USER all -- any any anywhere anywhere
650 253K DOCKER-ISOLATION all -- any any anywhere anywhere
0 0 DOCKER all -- any docker0 anywhere anywhere
231 44164 DOCKER all -- any any anywhere anywhere
Chain DOCKER (2 references)
Chain DOCKER-ISOLATION (1 references)
Chain DOCKER-USER (1 references)
Please find attached the patched files as well as my current iptables after a
reboot.
Thanks,
Michael
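The symptom above (DOCKER-ISOLATION-STAGE-1/2 present before `shorewall restart`, only DOCKER-ISOLATION afterwards) can be checked mechanically. The script below is an added example, not part of Tom's patch or of Shorewall itself: it reads `iptables -S` style output from a file, classifies which Docker isolation variant(s) exist, and lists chains lost between two snapshots. The two snapshots embedded here are constructed from the chain names in this mail.

```shell
# Names of the DOCKER* chains defined in an `iptables -S` dump, one per line.
docker_chains() {
    grep -E '^-N DOCKER' "$1" | awk '{print $2}' | sort -u
}

# Which isolation variant is present?  "both" is the case the 5.2.1.1
# logic mishandled (only DOCKER-ISOLATION was kept); "legacy" and "staged"
# are the single-variant cases; "none" means no isolation chain at all.
isolation_mode() {
    chains=$(docker_chains "$1")
    legacy=0; staged=0
    echo "$chains" | grep -qx 'DOCKER-ISOLATION' && legacy=1
    echo "$chains" | grep -qx 'DOCKER-ISOLATION-STAGE-1' && staged=1
    if [ "$legacy" = 1 ] && [ "$staged" = 1 ]; then echo both
    elif [ "$legacy" = 1 ]; then echo legacy
    elif [ "$staged" = 1 ]; then echo staged
    else echo none; fi
}

# DOCKER* chains present in snapshot $1 (before) but missing from $2 (after).
lost_chains() {
    docker_chains "$1" > "$1.names"
    docker_chains "$2" > "$2.names"
    comm -23 "$1.names" "$2.names"
    rm -f "$1.names" "$2.names"
}

# Constructed snapshots: the "before reboot" and "after restart" chain sets
# seen in the mail (a real run would use: iptables -S > "$BEFORE").
BEFORE=$(mktemp); AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
EOF
cat > "$AFTER" <<'EOF'
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
EOF
echo "before: $(isolation_mode "$BEFORE")  after: $(isolation_mode "$AFTER")"
echo "chains lost across restart:"; lost_chains "$BEFORE" "$AFTER"
```

Running it against live dumps taken before and after `systemctl restart shorewall` shows immediately whether the staged chains survived.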
