I stand corrected. Things don't "start up fine". They just start up without errors. Connectivity from within the docker containers to the broader network seems to be non-functional. If I revert to the shorewall-less configuration (i.e. disable shorewall, reboot, and then try to connect) everything within Docker works as expected.

I'm trying to figure out which rule may be the culprit. Then again it may just be a badly generated ruleset by shorewall... I'll keep hammering and let you know ASAP.

Cheers!

On Sat, 2020-02-15 at 17:20 -0600, Diego Rivera wrote:
> Hi, all!
>
> I have a very odd conundrum. I've recently updated a test server to Ubuntu Eoan (19.10). That server runs both docker containers and libvirt VMs. Everything was running smoothly in 19.04 (which is now unsupported). However, upon upgrade and full update to 19.10 shorewall now refuses to start cleanly on bootup. The error is:
>
> Running /sbin/iptables-restore --wait 60...
> iptables-restore v1.8.3 (legacy): Couldn't load target `LIBVIRT_PRT':No such file or directory
>
> Error occurred at line: 19
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>    ERROR: /sbin/iptables-restore --wait 60 Failed.
>
> Turns out that doing a "shorewall restart" fails as well with the same error. Seems like a pretty obvious error, doesn't it? Well...not so fast! ☺
>
> If I do two "shorewall debug restart" (note the use of *debug*) in quick succession, the first invocation will fail with the error, but the second one will succeed fully, and Shorewall will (apparently) operate properly from there on in. Perhaps the use of "debug" causes stored bad state somewhere to be wiped clean or ignored?
>
> On next bootup everything is broken again and I have to log in to manually fix things by running "shorewall debug start" TWICE.
>
> Naturally, this isn't a tenable situation.
>
> Here's the output (for restart) so you can see for yourselves:
>
> <BEGIN OUTPUT>
> root@testserver:~# uname -a
> Linux tvserver.rivera.prv 5.3.0-29-generic #31-Ubuntu SMP Fri Jan 17 17:27:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> root@testserver:~# lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 19.10
> Release:        19.10
> Codename:       eoan
> root@testserver:~# shorewall version
> 5.2.3.2
> root@testserver:~# shorewall restart
> Stopping Shorewall....
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/tcclear ...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore --wait 60...
> iptables-restore v1.8.3 (legacy): Couldn't load target `LIBVIRT_PRT':No such file or directory
>
> Error occurred at line: 19
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>    ERROR: /sbin/iptables-restore --wait 60 Failed.
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> done.
> Starting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore --wait 60...
> iptables-restore v1.8.3 (legacy): Couldn't load target `LIBVIRT_PRT':No such file or directory
>
> Error occurred at line: 42
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>    ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
> Terminated
> root@testserver:~# shorewall debug restart
> Stopping Shorewall....
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/tcclear ...
> Preparing iptables-restore input...
> Running debug_restore_input...
> iptables v1.8.3 (legacy): Couldn't load target `LIBVIRT_PRT':No such file or directory
> Try `iptables -h' or 'iptables --help' for more information.
>    ERROR: Command "/sbin/iptables --wait -t nat -A POSTROUTING -j LIBVIRT_PRT" Failed
> Terminated
> root@testserver:~# shorewall debug restart
> Stopping Shorewall....
> Processing /etc/shorewall/stop ...
> Processing /etc/shorewall/tcclear ...
> Preparing iptables-restore input...
> Running debug_restore_input...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> done.
> Starting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> Preparing iptables-restore input...
> Running debug_restore_input...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/start ...
> Processing /etc/shorewall/started ...
> done.
> root@testserver:~#
> <END OUTPUT>
>
> I read somewhere that at some point shorewall needed to be re-started after libvirtd had started up, but in my setup shorewall always starts AFTER libvirtd (configured as such via systemd After= directive). Is there anything else I'm missing?
>
> I tried "shorewall restart -c" to try to force a from-scratch recompilation of all rules, but that didn't work either.
>
> Thanks!
>
> --
> Diego Rivera

--
Diego Rivera
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
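The failure in the thread above is an ordering dependency: iptables-restore loads each table in one go, and a rule that jumps to a chain which is neither a built-in target nor declared (`:NAME`) in the same table of the input only succeeds if that chain already exists in the kernel. `LIBVIRT_PRT` is created by libvirtd, not by Shorewall, so whether the restore succeeds depends on what libvirtd has already installed at that moment. The following pre-flight check is an added example written for this page; it is not Shorewall's or libvirt's code. It parses restore input, lists every jump target that must pre-exist, and optionally probes the running kernel for each one so the dependency can be reported before the restore is attempted. The sample input is constructed for the example, modelled on the `-A POSTROUTING -j LIBVIRT_PRT` rule in the debug output; `LIBVIRT_FWX` is another chain libvirt installs, used here only to show a second table. The built-in target list is a practical subset and is an assumption, not an exhaustive table.

```python
"""Pre-flight check for iptables-restore input: find jump targets that are
not defined in the same table and therefore must already exist in the
kernel before the restore can succeed.  Added example, not Shorewall code."""
import re
import subprocess
from typing import Callable, Dict, Set

# Targets that never need a pre-existing user chain.  This is a practical
# subset of iptables' built-in and extension targets (an assumption), so
# extend it if your rule set uses others.
BUILTIN_TARGETS = {
    "ACCEPT", "DROP", "REJECT", "RETURN", "QUEUE", "NFQUEUE", "LOG", "NFLOG",
    "ULOG", "MARK", "CONNMARK", "MASQUERADE", "SNAT", "DNAT", "REDIRECT",
    "TCPMSS", "CT", "NOTRACK", "CLASSIFY", "TOS", "TTL", "AUDIT", "CHECKSUM",
}

# Matches "-j NAME", "--jump NAME", "-g NAME" or "--goto NAME" as a word.
_JUMP_RE = re.compile(r"(?:^|\s)(?:-j|--jump|-g|--goto)\s+(\S+)")

# Constructed sample in iptables-restore format: a Docker-style nat table
# plus a Shorewall-style filter table, each with one jump into a chain that
# libvirtd creates and this input does not declare.
SAMPLE_INPUT = "\n".join([
    "*nat",
    ":PREROUTING ACCEPT [0:0]",
    ":POSTROUTING ACCEPT [0:0]",
    ":OUTPUT ACCEPT [0:0]",
    ":DOCKER - [0:0]",
    "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER",
    "-A POSTROUTING -j LIBVIRT_PRT",
    "-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE",
    "COMMIT",
    "*filter",
    ":INPUT DROP [0:0]",
    ":FORWARD DROP [0:0]",
    ":OUTPUT ACCEPT [0:0]",
    ":net-fw - [0:0]",
    "-A INPUT -i eth0 -j net-fw",
    "-A FORWARD -j LIBVIRT_FWX",
    "-A net-fw -p tcp --dport 22 -j ACCEPT",
    "COMMIT",
])

ChainRefs = Dict[str, Dict[str, Set[int]]]  # table -> chain -> input line numbers


def external_chain_refs(restore_input: str) -> ChainRefs:
    """Return every jump target that is neither a built-in target nor a chain
    declared with ':NAME' in the same table of the restore input.  These are
    the chains that must already exist in the kernel at restore time."""
    declared: Dict[str, Set[str]] = {}
    refs: ChainRefs = {}
    table = ""
    for lineno, raw in enumerate(restore_input.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # "*nat", "*filter", ...
            table = line[1:]
            declared.setdefault(table, set())
            continue
        if line.startswith(":"):            # ":CHAIN POLICY [pkts:bytes]"
            declared.setdefault(table, set()).add(line[1:].split()[0])
            continue
        match = _JUMP_RE.search(line)
        if match:
            refs.setdefault(table, {}).setdefault(match.group(1), set()).add(lineno)

    external: ChainRefs = {}
    for tbl, chains in refs.items():
        for chain, lines in chains.items():
            if chain not in BUILTIN_TARGETS and chain not in declared.get(tbl, set()):
                external.setdefault(tbl, {})[chain] = lines
    return external


def kernel_chain_exists(table: str, chain: str) -> bool:
    """Probe the running kernel (needs root); iptables exits 0 if the chain exists."""
    result = subprocess.run(
        ["iptables", "-w", "-t", table, "-L", chain, "-n"],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
    )
    return result.returncode == 0


def missing_chains(restore_input: str,
                   chain_exists: Callable[[str, str], bool] = kernel_chain_exists) -> ChainRefs:
    """External references whose chain the probe reports absent: exactly the
    jumps that would make iptables-restore fail with "Couldn't load target"."""
    missing: ChainRefs = {}
    for table, chains in external_chain_refs(restore_input).items():
        for chain, lines in chains.items():
            if not chain_exists(table, chain):
                missing.setdefault(table, {})[chain] = lines
    return missing


if __name__ == "__main__":
    # Offline run over the constructed sample: report the external dependencies
    # without touching the kernel.  Replace SAMPLE_INPUT with the contents of
    # Shorewall's generated input file to check a real system.
    for table, chains in external_chain_refs(SAMPLE_INPUT).items():
        for chain, lines in sorted(chains.items()):
            print(f"table {table}: chain {chain} must pre-exist (input lines {sorted(lines)})")
```

On the reporter's system the restore input that failed is written to `/var/lib/shorewall/.iptables-restore-input` (from the error text above), so feeding that file to `missing_chains` with the default kernel probe, before `shorewall start` runs, would show directly whether `LIBVIRT_PRT` is absent at that moment in the boot sequence; the `chain_exists` parameter is only there so the logic can be exercised without root or a live netfilter.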