On 2/21/20 11:06 AM, Michael Uray wrote:
> From: Tom Eastep <[email protected]>
>> The code added in 5.2.1.1 expected either the DOCKER-ISOLATION
>> chain or the DOCKER-ISOLATION-STAGE-* chains to exist but not
>> both. Where both exist, only the DOCKER-ISOLATION chain is
>> preserved. The attached patch attempts to correct that logic so
>> that when all three chains exist, they will all be preserved.
>>
>> cd /usr/share/shorewall/Shorewall
>> patch -p4 < path/to/ISOLATION.patch
>
>> Please let me know if this solves your problem.
>
> Hello Tom,
>
> Thanks for your quick reply.
>
> It unfortunately did not help to preserve the chains.
>
> root@dk1:/usr/share/shorewall/Shorewall# patch -p4 < /root/shorewall_isolation_patch1.patch
> patching file Chains.pm
> Hunk #1 succeeded at 8706 (offset -7 lines).
> Hunk #2 succeeded at 9234 (offset -7 lines).
> Hunk #3 succeeded at 9450 (offset -7 lines).
> patching file Compiler.pm
>
> # reboot
>
> root@dk1:~# iptables -L -v | grep DOCKER
>  1637  641K DOCKER-USER               all  --  any              any              anywhere  anywhere
>  1637  641K DOCKER-ISOLATION-STAGE-1  all  --  any              any              anywhere  anywhere
>     0     0 DOCKER                    all  --  any              docker0          anywhere  anywhere
>     0     0 DOCKER                    all  --  any              br-ac3db22b180b  anywhere  anywhere
>    72  3868 DOCKER                    all  --  any              br-61206706fa14  anywhere  anywhere
> Chain DOCKER (3 references)
> Chain DOCKER-ISOLATION-STAGE-1 (1 references)
>     0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0          !docker0          anywhere  anywhere
>     0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-ac3db22b180b  !br-ac3db22b180b  anywhere  anywhere
>   298 62019 DOCKER-ISOLATION-STAGE-2  all  --  br-61206706fa14  !br-61206706fa14  anywhere  anywhere
> Chain DOCKER-ISOLATION-STAGE-2 (3 references)
> Chain DOCKER-USER (1 references)
>
> root@dk1:~# systemctl restart shorewall
>
> root@dk1:~# systemctl status shorewall
> ● shorewall.service - Shorewall IPv4 firewall
>    Loaded: loaded (/lib/systemd/system/shorewall.service; enabled; vendor preset: enabled)
>    Active: active (exited) since Fri 2020-02-21 09:06:53 CET; 23s ago
>   Process: 4752 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=0/SUCCESS)
>  Main PID: 4752 (code=exited, status=0/SUCCESS)
>
> Feb 21 09:06:52 dk1 systemd[1]: Starting Shorewall IPv4 firewall...
> Feb 21 09:06:52 dk1 shorewall[4752]: Starting Shorewall....
> Feb 21 09:06:52 dk1 shorewall[4752]: Initializing...
> Feb 21 09:06:52 dk1 shorewall[4752]: Setting up Route Filtering...
> Feb 21 09:06:52 dk1 shorewall[4752]: Setting up Martian Logging...
> Feb 21 09:06:52 dk1 shorewall[4752]: Preparing iptables-restore input...
> Feb 21 09:06:52 dk1 shorewall[4752]: Running /sbin/iptables-restore --wait 60...
> Feb 21 09:06:53 dk1 shorewall[4752]: done.
> Feb 21 09:06:53 dk1 systemd[1]: Started Shorewall IPv4 firewall.
>
> root@dk1:~# iptables -L -v | grep DOCKER
>   650  253K DOCKER-USER       all  --  any  any      anywhere  anywhere
>   650  253K DOCKER-ISOLATION  all  --  any  any      anywhere  anywhere
>     0     0 DOCKER            all  --  any  docker0  anywhere  anywhere
>   231 44164 DOCKER            all  --  any  any      anywhere  anywhere
> Chain DOCKER (2 references)
> Chain DOCKER-ISOLATION (1 references)
> Chain DOCKER-USER (1 references)
>
> Please find attached the patched files as well as my current
> iptables after a reboot.
>
Did the firewall script get recompiled? The above output doesn't look
like it did. Please try:
/sbin/shorewall restart -c
If that still doesn't work then please restart Docker then:
sh -x /usr/lib/shorewall/firewall reload > trace 2>&1
and send me
/usr/lib/shorewall/firewall
The 'trace' file
Thanks,
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster
Shoreline, \ with an international standard?
Washington, USA \ A: Someone who makes you an offer you
http://shorewall.org \ can't understand
\________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
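The thread turns on whether Shorewall's restart drops the Docker-managed chains (DOCKER-USER, DOCKER-ISOLATION, DOCKER-ISOLATION-STAGE-1/2) that Docker expects to find. The script below is an added example, not Shorewall's or Docker's code and not something posted in the thread: it diffs two `iptables -S` snapshots taken before and after a restart and lists any DOCKER* chain that disappeared, which is the check to run around `shorewall restart -c` before trusting the result. The two embedded dumps are constructed, modelled on the two `iptables -L -v` listings quoted above (STAGE-1/2 present before, only DOCKER-ISOLATION after); the function names `docker_chains` and `lost_chains` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compare DOCKER* chains across two
# `iptables -S` dumps and report which ones were lost.
LC_ALL=C
export LC_ALL

# Print the sorted, unique set of DOCKER* chains that are either declared
# (-N NAME) or used as a jump target (-A ... -j NAME) in the dump file $1.
docker_chains() {
    awk '
        $1 == "-N" && $2 ~ /^DOCKER/ { print $2 }
        $1 == "-A" {
            for (i = 1; i < NF; i++)
                if ($i == "-j" && $(i+1) ~ /^DOCKER/) print $(i+1)
        }
    ' "$1" | sort -u
}

# Print chains present in the "before" dump ($1) but absent from the
# "after" dump ($2). Empty output means every Docker chain survived.
lost_chains() {
    _before=$(mktemp) && _after=$(mktemp) || return 1
    docker_chains "$1" > "$_before"
    docker_chains "$2" > "$_after"
    # grep -vxF: lines of $_before that do not appear verbatim in $_after;
    # grep exits 1 when nothing is printed, which is the "all good" case.
    grep -vxFf "$_after" "$_before" || true
    rm -f "$_before" "$_after"
}

# Constructed sample dumps (not real host output). BEFORE mirrors a Docker
# install that uses the STAGE-1/STAGE-2 isolation chains; AFTER mirrors the
# post-restart listing in which only a single DOCKER-ISOLATION chain remains.
BEFORE=$(mktemp)
AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-USER -j RETURN
EOF
cat > "$AFTER" <<'EOF'
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN
EOF

# On a live host the same functions are used with real snapshots:
#   iptables -S > /tmp/before.txt
#   shorewall restart -c
#   iptables -S > /tmp/after.txt
#   lost_chains /tmp/before.txt /tmp/after.txt
echo "Docker chains lost across restart (sample data):"
lost_chains "$BEFORE" "$AFTER"
```

Reading `-N` declarations as well as `-j` targets matters: a chain that Shorewall preserves only as an empty declaration would still show up, while a chain that is gone from both the declaration and the FORWARD jumps is reported as lost, which is exactly the symptom in the second listing above.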