On Thu, Feb 16, 2017 at 12:00 AM, Tom Eastep <teas...@shorewall.net> wrote:
> On 02/13/2017 11:46 PM, Raphael Bauduin wrote:
> >
> >
> > On Thu, Feb 9, 2017 at 12:47 PM, Raphael Bauduin
> > <rbli...@gmail.com <mailto:rbli...@gmail.com>> wrote:
> >
> >
> >
> > On Wed, Jan 25, 2017 at 9:35 AM, Raphael Bauduin
> > <rbli...@gmail.com <mailto:rbli...@gmail.com>> wrote:
> >
> >
> >
> > On Wed, Jan 25, 2017 at 1:50 AM, Tom Eastep <teas...@shorewall.net
> > <mailto:teas...@shorewall.net>> wrote:
> >
> > On 01/24/2017 03:40 AM, Raphael Bauduin wrote:
> >> Hi,
> >>
> >> I'm running shorewall 5.0.14.1 on centos 7.3.1611, and I have
> >> enabled docker in shorewall.conf:
> >>
> >> # grep DOCKER shorewall.conf
> >> DOCKER=Yes
> >>
> >> I have defined a zone for docker:
> >>
> >> # grep dock *
> >> interfaces:dock docker0 bridge
> >> policy:dock all REJECT info
> >> zones:dock ipv4
> >>
> >> when I start shorewall, there is no DOCKER chain created:
> >>
> >> # iptables -t nat -L | grep -i docker | wc -l
> >> 0
> >>
> >> From my understanding it should have been created. Am I wrong or
> >> am I doing something wrong?
> >>
> >
> > Shorewall only (re-)creates the chain if it exists before the
> > (re-)start or reload.
> >
> >
> > OK, thanks. I got in a situation where the DOCKER chain was absent.
> > I think it was following a shorewall restore at boot when docker
> > was already started. In that case, starting a container failed
> > because docker expected the chain to be present, but it wasn't as
> > the restore from shorewall had removed it.
> >
> >
> > Hi,
> >
> > shorewall restart (or stop and start) seems to lose the DOCKER
> > rules:
> >
> > # shorewall forget
> > # systemctl restart docker
> > # iptables -L -n | grep DOCKER
> > DOCKER-ISOLATION all -- 0.0.0.0/0 0.0.0.0/0
> > DOCKER all -- 0.0.0.0/0 0.0.0.0/0
> > Chain DOCKER (1 references)
> > Chain DOCKER-ISOLATION (1 references)
> > # shorewall restart > /tmp/out
>
> With Docker running, does the DOCKER chain also exist in the nat table?
>
yes:
# systemctl restart docker
# iptables -L -n | grep DOCKER
DOCKER-ISOLATION all -- 0.0.0.0/0 0.0.0.0/0
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (1 references)
Chain DOCKER-ISOLATION (1 references)
and when I restart shorewall, it's not restored:
# shorewall restart > /tmp/out
WARNING: The LEGACY_FASTSTART configuration option is no longer supported /etc/shorewall/shorewall.conf (line 171)
WARNING: The IPSECFILE configuration option is no longer supported /etc/shorewall/shorewall.conf (line 274)
# iptables -L -n | grep DOCKER
>
> - -Tom
> - --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
--
Web database: http://www.myowndb.com
Free Software Developers Meeting: http://www.fosdem.org
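The thread above finds the DOCKER and DOCKER-ISOLATION chains gone only after a container fails to start. The following is an added example, not code from the thread or from Shorewall: it snapshots the chain names per table from iptables-save output, so the chains lost across a shorewall restart (or a boot-time restore) can be compared and reported before anything depends on them. The sample rulesets are constructed for the demonstration; the function and file names are my own.

```shell
# Added example, not from the thread: snapshot the chains in each iptables
# table before and after a shorewall restart so a lost DOCKER or
# DOCKER-ISOLATION chain is reported up front. Input is iptables-save text.

# list_chains: read iptables-save output on stdin, emit sorted "table chain"
list_chains() {
    awk '/^\*/ { table = substr($1, 2); next }
         /^:/  { sub(/^:/, "", $1); print table, $1 }' | sort
}
# missing_chains BEFORE AFTER: chains listed in BEFORE but absent from AFTER
missing_chains() {
    comm -23 "$1" "$2"
}
# check_docker_chains BEFORE AFTER: non-zero exit if any chain disappeared
check_docker_chains() {
    lost=$(missing_chains "$1" "$2")
    if [ -n "$lost" ]; then
        printf 'chains lost across restart:\n%s\n' "$lost"
        return 1
    fi
    echo "all chains still present"
}
# Constructed sample snapshots (hypothetical, not the poster's real ruleset):
# docker running before the restart, its chains gone afterwards.
before_sample() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
COMMIT
EOF
}
after_sample() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT
EOF
}
```

On a live host, run `iptables-save | list_chains > before.txt` before `shorewall restart` and the same into `after.txt` afterwards, then `check_docker_chains before.txt after.txt`.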