When switching from Docker v26 to v29, Shorewall no longer handled the new
iptables chains, so we fixed Misc.pm / Compiler.pm / Chains.pm to handle
them:

# diff /usr/share/perl5/vendor_perl/Shorewall/Misc.pm
/usr/share/perl5/vendor_perl/Shorewall/Misc.pm.orig
689,692d688
<     add_commands( $chainref, '[ -n "$g_dockerbridge" ]   && echo "-A
DOCKER-FORWARD -j DOCKER-BRIDGE" >&3' );
<     add_commands( $chainref, '[ -n "$g_dockerct" ]       && echo "-A
DOCKER-FORWARD -j DOCKER-CT" >&3' );
<     add_commands( $chainref, '[ -n "$g_dockerforward" ]  && echo "-A
FORWARD -j DOCKER-FORWARD" >&3' );
<     add_commands( $chainref, '[ -n "$g_dockerinternal" ] && echo "-A
DOCKER-FORWARD -j DOCKER-INTERNAL" >&3' );
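Review bot: The three rules appended to DOCKER-FORWARD are guarded only by the flag of the chain they jump to, not by `$g_dockerforward`. The diff compares the patched file against `.orig`, so the `<` lines are the added code. If DOCKER-BRIDGE, DOCKER-CT or DOCKER-INTERNAL exists while DOCKER-FORWARD does not, the generated iptables-restore input appends to an undeclared chain, and the filter table load would presumably fail. Guarding on both flags avoids that, e.g. `'[ -n "$g_dockerforward" ] && [ -n "$g_dockerbridge" ] && echo "-A DOCKER-FORWARD -j DOCKER-BRIDGE" >&3'`. Separately, the Chains.pm hunks save and replay the existing contents of DOCKER-FORWARD, so if Docker already places these jumps there they may be emitted twice, and in BRIDGE, CT, INTERNAL order rather than Docker's own; this is worth checking with `iptables -S DOCKER-FORWARD` after a restart. The enclosing function starts and ends outside the hunk.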

# diff /usr/share/perl5/vendor_perl/Shorewall/Compiler.pm
/usr/share/perl5/vendor_perl/Shorewall/Compiler.pm.orig
273,276d272
<       emit( 'chain_exists DOCKER-BRIDGE && g_dockerbridge=Yes' );
<       emit( 'chain_exists DOCKER-CT && g_dockerct=Yes' );
<       emit( 'chain_exists DOCKER-FORWARD && g_dockerforward=Yes' );
<       emit( 'chain_exists DOCKER-INTERNAL && g_dockerinternal=Yes' );
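Review bot: These four detection lines carry no comment saying why the chains are probed, so a later maintainer cannot tell which Docker releases they belong to. A line above them such as `# Chains seen after moving from Docker v26 to v29; absent on older engines` would record that. Each flag is set only when `chain_exists` succeeds, so whether it starts out empty depends on initialisation outside this hunk. That is worth confirming, because every guard in the Misc.pm and Chains.pm hunks tests these flags with `[ -n ... ]`.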

# diff /usr/share/perl5/vendor_perl/Shorewall/Chains.pm
/usr/share/perl5/vendor_perl/Shorewall/Chains.pm.orig
3402,3413d3401
<       $chainref = new_standard_chain( 'DOCKER-BRIDGE'      );
<       set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
<       add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-BRIDGE ] &&
cat ${VARDIR}/.filter_DOCKER-BRIDGE >&3' );
<       $chainref = new_standard_chain( 'DOCKER-CT'      );
<       set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
<       add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-CT ] && cat
${VARDIR}/.filter_DOCKER-CT >&3' );
<       $chainref = new_standard_chain( 'DOCKER-FORWARD'      );
<       set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
<       add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-FORWARD ]
&& cat ${VARDIR}/.filter_DOCKER-FORWARD >&3' );
<       $chainref = new_standard_chain( 'DOCKER-INTERNAL'      );
<       set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
<       add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INTERNAL ]
&& cat ${VARDIR}/.filter_DOCKER-INTERNAL >&3' );
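Review bot: The same three statements are repeated four times with only the chain name changed, so the next chain Docker introduces means another copy and another chance of a mismatched file name; a loop over the names keeps the chain and its `.filter_` file in step. The replayed files are fed verbatim into the iptables-restore stream on fd 3, so `${VARDIR}` needs to stay writable by root only. This assumes `$chainref` is not read again before its next assignment, which lies outside the hunk.
```perl
for my $docker_chain ( qw( DOCKER-BRIDGE DOCKER-CT DOCKER-FORWARD DOCKER-INTERNAL ) ) {
    $chainref = new_standard_chain( $docker_chain );
    set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
    add_commands( $chainref, "[ -f \${VARDIR}/.filter_$docker_chain ] && cat \${VARDIR}/.filter_$docker_chain >&3" );
}
```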
8784,8787d8771
<         qq(    [ -n "\$g_dockerbridge"   ] && $tool -t filter -S
DOCKER-BRIDGE    | tail -n +2 > \${VARDIR}/.filter_DOCKER-BRIDGE),
<         qq(    [ -n "\$g_dockerct"       ] && $tool -t filter -S
DOCKER-CT        | tail -n +2 > \${VARDIR}/.filter_DOCKER-CT),
<         qq(    [ -n "\$g_dockerforward"  ] && $tool -t filter -S
DOCKER-FORWARD   | tail -n +2 > \${VARDIR}/.filter_DOCKER-FORWARD),
<         qq(    [ -n "\$g_dockerinternal" ] && $tool -t filter -S
DOCKER-INTERNAL  | tail -n +2 > \${VARDIR}/.filter_DOCKER-INTERNAL),
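Review bot: A failure of `$tool -t filter -S <chain>` goes unnoticed in each of these four save lines, because the pipeline's status is that of `tail` and the redirection creates the file regardless. An empty or truncated `.filter_DOCKER-*` file would then be replayed by the `cat` commands added in the 3402 hunk, and the chain would come back without Docker's rules after a restart. Writing to a temporary name and renaming only on success would avoid that; alternatively, skip the replay when the file is empty by testing `[ -s ... ]` instead of `[ -f ... ]` on the replay side. The surrounding list of shell lines begins and ends outside the hunk.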
8811,8814d8794
<         q(    rm -f ${VARDIR}/.filter_DOCKER-BRIDGE),
<         q(    rm -f ${VARDIR}/.filter_DOCKER-CT),
<         q(    rm -f ${VARDIR}/.filter_DOCKER-FORWARD),
<         q(    rm -f ${VARDIR}/.filter_DOCKER-INTERNAL),
9331,9342d9310
<                   } elsif ( $name eq 'DOCKER-BRIDGE' ) {
<                       ensure_cmd_mode;
<                       emit( '[ -n "$g_dockerbridge" ] && echo
":DOCKER-BRIDGE - [0:0]" >&3' );
<                   } elsif ( $name eq 'DOCKER-CT' ) {
<                       ensure_cmd_mode;
<                       emit( '[ -n "$g_dockerct" ] && echo ":DOCKER-CT -
[0:0]" >&3' );
<                   } elsif ( $name eq 'DOCKER-FORWARD' ) {
<                       ensure_cmd_mode;
<                       emit( '[ -n "$g_dockerforward" ] && echo
":DOCKER-FORWARD - [0:0]" >&3' );
<                   } elsif ( $name eq 'DOCKER-INTERNAL' ) {
<                       ensure_cmd_mode;
<                       emit( '[ -n "$g_dockerinternal" ] && echo
":DOCKER-INTERNAL - [0:0]" >&3' );
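Review bot: Four `elsif` branches that differ only in the chain name and flag variable are added here, and the same four reappear in the 9462 and 9575 hunks, so twelve branches have to be kept consistent by hand. A file-scope table from chain name to flag lets each site use one branch, which makes it harder for a chain to be declared in one code path and missed in another; a missed declaration would make the replayed `-A` rules target a chain that iptables-restore was never told about. The 9462 hunk would use `ensure_cmd_mode1` and `print` with a trailing newline in place of `ensure_cmd_mode` and `emit`. The `if`/`elsif` chains themselves start and end outside the hunks.
```perl
# file scope: Docker chain name => shell flag set by the chain_exists probes
my %docker_chain_flag = (
    'DOCKER-BRIDGE'   => 'g_dockerbridge',
    'DOCKER-CT'       => 'g_dockerct',
    'DOCKER-FORWARD'  => 'g_dockerforward',
    'DOCKER-INTERNAL' => 'g_dockerinternal',
);

# … unchanged: earlier branches of the if/elsif chain …
} elsif ( my $flag = $docker_chain_flag{$name} ) {
    ensure_cmd_mode;
    emit( qq([ -n "\$$flag" ] && echo ":$name - [0:0]" >&3) );
```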
9462,9477d9429
<                   } elsif ( $name eq 'DOCKER-BRIDGE' ) {
<                       ensure_cmd_mode1;
<                       print( '[ -n "$g_dockerbridge" ] && echo
":DOCKER-BRIDGE - [0:0]" >&3' );
<                       print "\n";
<                   } elsif ( $name eq 'DOCKER-CT' ) {
<                       ensure_cmd_mode1;
<                       print( '[ -n "$g_dockerct" ] && echo ":DOCKER-CT -
[0:0]" >&3' );
<                       print "\n";
<                   } elsif ( $name eq 'DOCKER-FORWARD' ) {
<                       ensure_cmd_mode1;
<                       print( '[ -n "$g_dockerforward" ] && echo
":DOCKER-FORWARD - [0:0]" >&3' );
<                       print "\n";
<                   } elsif ( $name eq 'DOCKER-INTERNAL' ) {
<                       ensure_cmd_mode1;
<                       print( '[ -n "$g_dockerinternal" ] && echo
":DOCKER-INTERNAL - [0:0]" >&3' );
<                       print "\n";
9575,9586d9526
<                   } elsif ( $name eq 'DOCKER-BRIDGE' ) {
<                       ensure_cmd_mode;
<                       emit( '[ -n "$g_dockerbridge" ] && echo
":DOCKER-BRIDGE - [0:0]" >&3' );
<                   } elsif ( $name eq 'DOCKER-CT' ) {
<                       ensure_cmd_mode;
<                       emit( '[ -n "$g_dockerct" ] && echo ":DOCKER-CT -
[0:0]" >&3' );
<                   } elsif ( $name eq 'DOCKER-FORWARD' ) {
<                       ensure_cmd_mode;
<                       emit( '[ -n "$g_dockerforward" ] && echo
":DOCKER-FORWARD - [0:0]" >&3' );
<                   } elsif ( $name eq 'DOCKER-INTERNAL' ) {
<                       ensure_cmd_mode;
<                       emit( '[ -n "$g_dockerinternal" ] && echo
":DOCKER-INTERNAL - [0:0]" >&3' );

Hope this helps others...thanks.