Hi guys,

For some reason, Shorewall removes Docker iptables chains like
"DOCKER-ISOLATION-STAGE-1" on a Shorewall restart.

root@dk1:~# cat /etc/shorewall/shorewall.conf | grep DOCKER
DOCKER=Yes

root@dk1:~# iptables -L -v | grep DOCKER
5427 2371K DOCKER-USER all -- any any anywhere anywhere
5427 2371K DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 DOCKER all -- any docker0 anywhere anywhere
177 10552 DOCKER all -- any br-61206706fa14 anywhere anywhere
1615 282K DOCKER all -- any any anywhere anywhere
Chain DOCKER (3 references)
Chain DOCKER-USER (1 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
432 126K DOCKER-ISOLATION-STAGE-2 all -- br-61206706fa14 !br-61206706fa14 anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)

systemctl restart shorewall.service

root@dk1:~# iptables -L -v | grep DOCKER
124 56242 DOCKER-USER all -- any any anywhere anywhere
124 56242 DOCKER-ISOLATION all -- any any anywhere anywhere
0 0 DOCKER all -- any docker0 anywhere anywhere
21 2308 DOCKER all -- any any anywhere anywhere
Chain DOCKER (2 references)
Chain DOCKER-ISOLATION (1 references)
Chain DOCKER-USER (1 references)

root@dk1:~# apt-show-versions shorewall docker-ce
docker-ce:amd64/buster 5:19.03.6~3-0~debian-buster uptodate
shorewall:all/buster 5.2.3.2-1 uptodate


All the other relevant configuration looks like this:

root@dk1:~# cat /etc/shorewall/interfaces
net ens3 - routefilter,tcpflags
vpn tun0
dock docker0 - physical=docker+,routeback=1
dock br - physical=br-+,routeback=1

root@dk1:~# cat /etc/shorewall/policy
net fws DROP
fws all ACCEPT
vpn fws ACCEPT
dock fws REJECT
dock all ACCEPT
all all DROP

A restart of Docker is required after a restart of Shorewall to get the chains back.
I already described my problem there, but I have not found a solution so far.
https://gist.github.com/lukasnellen/20761a20286f32efc396e207d986295d#gistcomment-3182557

As far as I understand, this problem was already fixed in Shorewall 5.2.1.1:
https://sourceforge.net/p/shorewall/mailman/message/36453003/

Any idea what could be wrong?

Thanks
Michael

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
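Added example (not part of the post above and not Shorewall's or Docker's own code): a small POSIX sh check that compares the chain headers of an `iptables -L -v` dump against the filter-table chains a two-stage-isolation Docker (the 19.03 build in the post creates DOCKER, DOCKER-USER, DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2) expects, and lists what is missing. The two dumps are constructed from the "Chain ..." lines in the post; the function, variable and chain-list names are this example's own. The point of running this after a Shorewall restart is that the STAGE-1/STAGE-2 chains are what keep containers on different bridge networks from reaching each other, so a dump that shows only the legacy single DOCKER-ISOLATION chain (as the post's second listing does) means that isolation is gone until Docker re-creates its rules.

```shell
#!/bin/sh
# Constructed sample dumps, modelled on the chain headers in the post:
# the state before `systemctl restart shorewall.service` ...
BEFORE='Chain DOCKER (3 references)
Chain DOCKER-USER (1 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
Chain DOCKER-ISOLATION-STAGE-2 (2 references)'

# ... and after it, where only a legacy DOCKER-ISOLATION chain is left.
AFTER='Chain DOCKER (2 references)
Chain DOCKER-ISOLATION (1 references)
Chain DOCKER-USER (1 references)'

# Filter-table chains Docker creates when it uses two-stage bridge isolation
# (assumed list; matches what the 19.03 output in the post shows).
EXPECTED='DOCKER DOCKER-USER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2'

# list_chains DUMP: print the chain names found in an `iptables -L -v` dump.
list_chains() {
    printf '%s\n' "$1" | awk '$1 == "Chain" { print $2 }'
}

# missing_chains DUMP: print every expected chain absent from DUMP, one per
# line. Exit status 0 when nothing is missing, 1 otherwise.
missing_chains() {
    present=$(list_chains "$1")
    rc=0
    for c in $EXPECTED; do
        if ! printf '%s\n' "$present" | grep -qx "$c"; then
            echo "$c"
            rc=1
        fi
    done
    return $rc
}

# check_live: the same check against the running kernel (needs root and
# iptables; not called in the embedded sample run below).
check_live() {
    missing_chains "$(iptables -t filter -L -v -n)"
}

echo "before shorewall restart:"
missing_chains "$BEFORE" && echo "  all Docker chains present"
echo "after shorewall restart:"
missing_chains "$AFTER" || echo "  -> Docker isolation chains lost; restart docker to re-create them"
```

On a real host, replace the sample run with `check_live` in a post-restart hook or a monitoring check; a non-zero exit is the signal that Docker needs restarting (or that the Shorewall fix the post refers to is not in effect).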