On 10/26/18 10:23 AM, Anthony Rogers wrote: > Shorewall and Docker - possible change request > > Current version of Shorewall => 5.1.11.1 > Docker version => 18.03.0-ce (works) > Docker version => 18.06.1-ce (does not work) > > Problem statement (you may already be aware): > > I have been successfully using Shorewall with Docker in a development > environment with the above earlier version. > > On provisioning a new server with the same version of Shorewall but the > latest version of Docker, it no longer works. > > On upgrading to a later eg. 18.06 version of Docker, Shorewall no longer > manages the firewall correctly because *docker* seems to have changed > how it works. > > From their change log: "Improve scalability of bridge network isolation > rules docker/libnetwork#2117." > > Diff available here: > https://codecov.io/gh/docker/libnetwork/pull/2117/diff?src=pr&el=tree#diff-ZHJpdmVycy9icmlkZ2Uvc2V0dXBfaXBfdGFibGVzLmdv > > > They seem to have deprecated chain "DOCKER-ISOLATION", and now use > "DOCKER-ISOLATION-STAGE-1" and "DOCKER-ISOLATION-STAGE-2" instead. > > I suspect that Shorewall expects the former and wipes out the latter. > This prevents new containers from being spun-up, as their networks > cannot be created. > > This isn't exactly Shorewall's fault, but I suspect that a lot of people > use its nice plug and play features with 'Docker=Yes'. > > Would it be straight forward to patch for this? >
Attached is a patch that applies with offsets to 5.1.11.1. . /usr/share/shorewall/shorewallrc . cd $PERLDIR/Shorewall/ . patch -p4 < path/to/DOCKER-ISOLATION.patch Please let me know how it works. Thanks, -Tom -- Tom Eastep \ Q: What do you get when you cross a mobster with Shoreline, \ an international standard? Washington, USA \ A: Someone who makes you an offer you can't http://shorewall.org \ understand \_______________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 4eeb49b63..af262c0bb 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3340,10 +3340,17 @@ sub initialize_chain_table($) {
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
$chainref = new_standard_chain( 'DOCKER-INGRESS' );
+ set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+ $chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
+ set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
+ $chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-2' );
+ set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2 >&3' );
}
my $ruleref = transform_rule( $globals{LOGLIMIT} );
@@ -8620,7 +8627,19 @@ sub save_docker_rules($) {
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
- qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
+ qq(),
+ qq( case "\$g_dockernetwork" in),
+ qq( One\)),
+ qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
+ qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
+ qq( ;;),
+ qq( Two\)),
+ qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
+ qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
+ qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
+ qq( ;;),
+ qq( esac),
+ qq(),
);
if ( known_interface( 'docker0' ) ) {
@@ -8636,7 +8655,7 @@ sub save_docker_rules($) {
q( rm -f ${VARDIR}/.nat_POSTROUTING),
q( rm -f ${VARDIR}/.filter_DOCKER),
q( rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
- q( rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
+ q( rm -f ${VARDIR}/.filter_DOCKER-ISOLATION*),
q( rm -f ${VARDIR}/.filter_FORWARD),
q(fi)
)
@@ -9140,7 +9159,11 @@ sub create_netfilter_load( $ ) {
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode;
- emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" > &3' );
+ enter_cat_mode;
+ } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ enter_cmd_mode;
+ emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-INGRESS' ) {
enter_cmd_mode;
@@ -9247,9 +9270,13 @@ sub preview_netfilter_load() {
print "\n";
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode1 unless $mode == CMD_MODE;
- print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
print "\n";
enter_cat_mode1;
+ } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ enter_cmd_mode1 unless $mode == CMD_MODE;
+ emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ enter_cat_mode1;
} elsif ( $name eq 'DOCKER-INGRESS' ) {
enter_cmd_mode1 unless $mode == CMD_MODE;
print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@@ -9342,6 +9369,10 @@ sub create_stop_load( $ ) {
enter_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
+ } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ enter_cmd_mode;
+ emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ enter_cat_mode;
} elsif ( $name eq 'DOCKER-INGRESS' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index b47319fc7..29af2374c 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -269,7 +269,11 @@ sub generate_script_2() {
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
);
emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
- emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+ emit( 'if chain_exists DOCKER-ISOLATION; then',
+ ' g_dockernetwork=One',
+ 'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
+ ' g_dockernetwork=Two',
+ 'fi' );
emit( '' );
}
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 8544aa0a0..37fb3c84b 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -668,7 +668,16 @@ sub create_docker_rules() {
my $chainref = $filter_table->{FORWARD};
add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
- add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
+ add_commands( $chainref ,
+ '',
+ 'case "$g_dockernetwork" in',
+ ' One)',
+ ' echo "-A FORWARD -j DOCKER-ISOLATION"',
+ ' ;;',
+ ' Two)',
+ ' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1"',
+ ' ;;',
+ 'esac' );
if ( my $dockerref = known_interface('docker0') ) {
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
