Ok sorry for the noise. I have a better feel for why running things twice with "debug" enabled appeared to be working. Turns out that the first invocation with "debug" fails as expected, but also fails to restore the rules that were originally present when shorewall was invoked (i.e. the "bad/incompatible" docker/libvirt rules). Thus, when run the 2nd time, things apparently succeed because these rules aren't present, and thus there's nothing there for shorewall to trip over and explode. So the bug seems to be the fact that using debug clobbers and fails to restore the previous rules.

That doesn't solve my problem, though. I'm still perusing through Google and have yet to find a similar situation. It seems to me that some of the libvirt-generated rules should be given treatment similar to the docker rules. I'm not sure how this was done previously other than the fact that everything worked as intended and I never bothered to audit what was being done.

Any insights or suggestions will be greatly appreciated.

Cheers!

On Sat, 2020-02-15 at 18:08 -0600, Diego Rivera wrote:
> I stand corrected. Things don't "start up fine". They just start up without errors. Connectivity from within the docker containers to the broader network seems to be non-functional. If I revert to the shorewall-less configuration (i.e. disable shorewall, reboot, and then try to connect) everything within Docker works as expected. I'm trying to figure out which rule may be the culprit. Then again it may just be a badly generated ruleset by shorewall... I'll keep hammering and let you know ASAP.
>
> Cheers!
> --
> Diego Rivera
>
> On Sat, 2020-02-15 at 17:20 -0600, Diego Rivera wrote:
> > Hi, all!
> >
> > I have a very odd conundrum. I've recently updated a test server to Ubuntu Eoan (19.10). That server runs both docker containers and libvirt VMs. Everything was running smoothly in 19.04 (which is now unsupported). However, upon upgrade and full update to 19.10 shorewall now refuses to start cleanly on bootup. The error is:
> >
> > Running /sbin/iptables-restore --wait 60...
> > iptables-restore v1.8.3 (legacy): Couldn't load target `LIBVIRT_PRT':No such file or directory
> > Error occurred at line: 19
> > Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> > ERROR: /sbin/iptables-restore --wait 60 Failed.
> >
> > Turns out that doing a "shorewall restart" fails as well with the same error. Seems like a pretty obvious error, doesn't it? Well...not so fast! ☺
> >
> > If I do two "shorewall debug restart" (note the use of *debug*) in quick succession, the first invocation will fail with the error, but the second one will succeed fully, and Shorewall will (apparently) operate properly from there on in. Perhaps the use of "debug" causes stored bad state somewhere to be wiped clean or ignored?
> >
> > On next bootup everything is broken again and I have to log in to manually fix things by running "shorewall debug start" TWICE.
> >
> > Naturally, this isn't a tenable situation. Here's the output (for restart) so you can see for yourselves:
> >
> > <BEGIN OUTPUT>
> > root@testserver:~# uname -a
> > Linux tvserver.rivera.prv 5.3.0-29-generic #31-Ubuntu SMP Fri Jan 17 17:27:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> > root@testserver:~# lsb_release -a
> > No LSB modules are available.
> > Distributor ID: Ubuntu
> > Description:    Ubuntu 19.10
> > Release:        19.10
> > Codename:       eoan
> > root@testserver:~# shorewall version
> > 5.2.3.2
> > root@testserver:~# shorewall restart
> > Stopping Shorewall....
> > Processing /etc/shorewall/stop ...
> > Processing /etc/shorewall/tcclear ...
> > Preparing iptables-restore input...
> > Running /sbin/iptables-restore --wait 60...
> > iptables-restore v1.8.3 (legacy): Couldn't load target `LIBVIRT_PRT':No such file or directory
> > Error occurred at line: 19
> > Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> > ERROR: /sbin/iptables-restore --wait 60 Failed.
> > IPv4 Forwarding Enabled
> > Processing /etc/shorewall/stopped ...
> > done.
> > Starting Shorewall....
> > Initializing...
> > Processing /etc/shorewall/init ...
> > Processing /etc/shorewall/tcclear ...
> > Setting up Route Filtering...
> > Setting up Martian Logging...
> > Setting up Proxy ARP...
> > Preparing iptables-restore input...
> > Running /sbin/iptables-restore --wait 60...
> > iptables-restore v1.8.3 (legacy): Couldn't load target `LIBVIRT_PRT':No such file or directory
> > Error occurred at line: 42
> > Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> > ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
> > Terminated
> > root@testserver:~# shorewall debug restart
> > Stopping Shorewall....
> > Processing /etc/shorewall/stop ...
> > Processing /etc/shorewall/tcclear ...
> > Preparing iptables-restore input...
> > Running debug_restore_input...
> > iptables v1.8.3 (legacy): Couldn't load target `LIBVIRT_PRT':No such file or directory
> > Try `iptables -h' or 'iptables --help' for more information.
> > ERROR: Command "/sbin/iptables --wait -t nat -A POSTROUTING -j LIBVIRT_PRT" Failed
> > Terminated
> > root@testserver:~# shorewall debug restart
> > Stopping Shorewall....
> > Processing /etc/shorewall/stop ...
> > Processing /etc/shorewall/tcclear ...
> > Preparing iptables-restore input...
> > Running debug_restore_input...
> > IPv4 Forwarding Enabled
> > Processing /etc/shorewall/stopped ...
> > done.
> > Starting Shorewall....
> > Initializing...
> > Processing /etc/shorewall/init ...
> > Processing /etc/shorewall/tcclear ...
> > Setting up Route Filtering...
> > Setting up Martian Logging...
> > Setting up Proxy ARP...
> > Preparing iptables-restore input...
> > Running debug_restore_input...
> > IPv4 Forwarding Enabled
> > Processing /etc/shorewall/start ...
> > Processing /etc/shorewall/started ...
> > done.
> > root@testserver:~# 
> > <END OUTPUT>
> >
> > I read somewhere that at some point shorewall needed to be re-started after libvirtd had started up, but in my setup shorewall always starts AFTER libvirtd (configured as such via systemd After= directive). Is there anything else I'm missing?
> >
> > I tried "shorewall restart -c" to try to force a from-scratch recompilation of all rules, but that didn't work either.
> >
> > Thanks!
> >
> > --
> > Diego Rivera

--
Diego Rivera
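An added example, not code from the thread or from Shorewall: a small POSIX shell check that scans an iptables-restore input (such as the /var/lib/shorewall/.iptables-restore-input file named in the output above) for rules that jump to a chain never declared in the same table, which is exactly what the `LIBVIRT_PRT` error reports. The sample ruleset is constructed, and the list of targets that need no chain declaration is an assumption covering the common built-in and extension targets.

```shell
#!/bin/sh
# Added example (not the poster's code): list rules in an iptables-restore input that
# jump to a chain never declared in the same table. In the thread above that is the nat
# table's "-A POSTROUTING -j LIBVIRT_PRT" with no ":LIBVIRT_PRT" line, because the chain
# exists only while libvirt's own rules are loaded.

# Assumption: targets needing no ":CHAIN" declaration (built-ins plus common extension
# targets); extend the list if your ruleset uses other target extensions.
BUILTIN_TARGETS='ACCEPT DROP REJECT RETURN LOG NFLOG MASQUERADE SNAT DNAT REDIRECT NETMAP
MARK CONNMARK TCPMSS CT NOTRACK QUEUE NFQUEUE SECMARK CONNSECMARK TRACE AUDIT'

# find_dangling_jumps [FILE]: prints "TABLE LINE TARGET" for each undefined -j/-g target.
# Reads FILE, or stdin without an argument, e.g.
#   find_dangling_jumps < /var/lib/shorewall/.iptables-restore-input
find_dangling_jumps() {
    awk -v builtin="$BUILTIN_TARGETS" '
        BEGIN { n = split(builtin, b); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        /^\*/ { table = substr($1, 2); split("", chains); next }  # *nat, *filter: new table
        /^:/  { chains[substr($1, 2)] = 1; next }                  # :CHAIN POLICY [pkts:bytes]
        /^-[AI] / {
            for (i = 1; i < NF; i++)
                if ($i == "-j" || $i == "-g") {
                    t = $(i + 1)
                    if (!(t in ok) && !(t in chains)) print table, NR, t
                }
        }
    ' "${1:--}"   # "-" makes awk read stdin
}

# Constructed sample modelled on the failure above (not the poster's real file): the nat
# table declares Docker's chain but jumps into an undeclared LIBVIRT_PRT.
SAMPLE_RESTORE_INPUT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:net-fw - [0:0]
-A INPUT -i eth0 -j net-fw
-A net-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# check_sample: scan the constructed sample; reports "nat 6 LIBVIRT_PRT".
check_sample() { printf '%s\n' "$SAMPLE_RESTORE_INPUT" | find_dangling_jumps; }
check_sample
```

A non-empty report names the table and input line to fix (or the chain that must exist before the restore runs); an empty report means every jump target in the file is resolvable within its own table.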
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users