Thanks, Tom! That seems to have done the trick! Hopefully this will make it into the 5.2(.3?) tree for backport. Cheers!
On Sun, 2020-02-16 at 09:05 -0800, Tom Eastep wrote:
> On 2/16/20 7:46 AM, Diego Rivera wrote:
> > That's exactly the issue. It seems that on the update to Ubuntu 19.10, the
> > version of libvirt also got bumped up and this chain seems to be something
> > new created by it. What seems to be happening is that Shorewall is ignoring
> > all the libvirt-created chains on bootup, except this one. So it removes the
> > chain, but doesn't remove the reference to it. Thus, when trying to do the
> > restore portion of the new rule creation, this chain is referenced even
> > though it no longer exists b/c shorewall itself clobbered it.
>
> What is actually happening is that Shorewall is saving and attempting to
> restore the rules that reference the chain but not the chain itself.
> Shorewall always totally replaces any existing ruleset when it starts,
> restarts or reloads; when Docker support is enabled, it selectively
> saves/restores what it believes to be Docker-generated chains and rules.
>
> > Not sure if this is by design, an oversight, or a bug. But if shorewall
> > clobbers existing chains then it should make sure to not reference them
> > further during rule construction, or vice-versa (if it's going to reference
> > them, it should make sure they're preserved!).
>
> When I wrote the code to save/restore Docker-generated rules, I assumed that
> all rules in the nat POSTROUTING chain that were not associated with the
> SHOREWALL chain were generated by Docker and hence needed to be preserved.
>
> The attached patch will exclude the jump to LIBVIRT_PRT.
>
> . /usr/share/shorewall/shorewallrc
> patch $PERLLIBDIR/Shorewall/Chains.pm < LIBVIRT.patch
>
> -Tom
> _______________________________________________
> Shorewall-users mailing list
> shorewall-us...@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Diego Rivera
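The condition discussed in this thread, saved rules that jump to a chain the ruleset no longer declares, can be checked for in an iptables-save style dump before it is restored. This is an added example, not Shorewall code and not part of the original messages; the sample dump is constructed, and `KNOWN_TARGETS` is an assumed, partial list of built-in and extension targets to extend as needed.

```python
import re

# Constructed iptables-save style sample (not taken from the poster's system):
# POSTROUTING still jumps to LIBVIRT_PRT, but the chain itself is not declared.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:SHOREWALL - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j SHOREWALL
COMMIT
"""

# Assumption: partial list of targets that are not user-defined chains.
KNOWN_TARGETS = frozenset({
    "ACCEPT", "DROP", "RETURN", "QUEUE", "REJECT", "LOG", "NFLOG", "NFQUEUE",
    "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "NETMAP", "MARK", "CONNMARK",
    "TCPMSS", "CT", "TPROXY", "CLASSIFY", "DSCP", "TOS", "TTL", "CHECKSUM",
})

JUMP_RE = re.compile(r"(?:^|\s)(?:-j|-g|--jump|--goto)\s+(\S+)")

def dangling_jumps(dump, known_targets=KNOWN_TARGETS):
    """Return (table, chain, target) for each jump/goto whose target is neither
    a chain declared in the same table nor a known target."""
    declared, jumps, table = {}, [], None
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("*"):                 # table header, e.g. *nat
            table = line[1:]
            declared[table] = set()
        elif line.startswith(":") and table:     # chain declaration
            declared[table].add(line[1:].split()[0])
        elif line.startswith("-A ") and table:   # appended rule
            match = JUMP_RE.search(line)
            if match:
                jumps.append((table, line.split()[1], match.group(1)))
    # Checked after parsing so chain/rule ordering in the dump does not matter.
    return [j for j in jumps
            if j[2] not in declared[j[0]] and j[2] not in known_targets]

if __name__ == "__main__":
    for table, chain, target in dangling_jumps(SAMPLE):
        print(f"{table}/{chain}: jump to undeclared chain {target}")
```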