From: Tom Eastep <teas...@shorewall.net>
Sent: Saturday, 22 February 2020 00:20
To: shorewall-users@lists.sourceforge.net
Topic: Re: [Shorewall-users] Shorewall removes Docker iptable chain "DOCKER-ISOLATION-STAGE-1" on restart
> Did the firewall script get recompiled? The above output doesn't look like it
> did. Please try:
>
> /sbin/shorewall restart -c
>
> If that still doesn't work then please restart Docker then:
>
> sh -x /usr/lib/shorewall/firewall reload > trace 2>&1
>
> and send me
>
> /usr/lib/shorewall/firewall
> The 'trace' file

Hello Tom,

I tried a couple of things and it looks to me as if it preserves everything with "shorewall restart -c" and with "systemctl reload shorewall", but not with "systemctl restart shorewall".

root@dk1:~# systemctl restart docker
root@dk1:~# iptables -L -v | grep -i docker
    0     0 ~comb3                    all  --  docker+          any               anywhere  anywhere
   67 20688 DOCKER-USER               all  --  any              any               anywhere  anywhere
   67 20688 DOCKER-ISOLATION-STAGE-1  all  --  any              any               anywhere  anywhere
    0     0 ACCEPT                    all  --  any              docker0           anywhere  anywhere  ctstate RELATED,ESTABLISHED
    0     0 DOCKER                    all  --  any              docker0           anywhere  anywhere
    0     0 ACCEPT                    all  --  docker0          !docker0          anywhere  anywhere
    0     0 ACCEPT                    all  --  docker0          docker0           anywhere  anywhere
    0     0 DOCKER                    all  --  any              br-ac3db22b180b   anywhere  anywhere
   54  3220 DOCKER                    all  --  any              br-61206706fa14   anywhere  anywhere
    0     0 ~comb0                    all  --  docker+          any               anywhere  anywhere
 1045  187K DOCKER                    all  --  any              any               anywhere  anywhere
    0     0 ACCEPT                    all  --  any              docker+           anywhere  anywhere
Chain DOCKER (4 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0          !docker0          anywhere  anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-ac3db22b180b  !br-ac3db22b180b  anywhere  anywhere
   30  5851 DOCKER-ISOLATION-STAGE-2  all  --  br-61206706fa14  !br-61206706fa14  anywhere  anywhere
Chain DOCKER-USER (1 references)
    0     0 ACCEPT                    all  --  any              docker+           anywhere  anywhere
    0     0 ~comb2                    all  --  any              docker+           anywhere  anywhere
    0     0 ~comb2                    all  --  any              docker+           anywhere  anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
    0     0 DROP                      all  --  any              docker0           anywhere  anywhere

root@dk1:~# /sbin/shorewall restart -c
Compiling using Shorewall 5.2.3.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Optimizing Ruleset...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Stopping Shorewall....
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
done.
Starting Shorewall....
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
done.

It looks as if everything is fine after the "shorewall restart -c" command:

root@dk1:~# iptables -L -v | grep -i docker
    0     0 ~comb3                    all  --  docker+          any               anywhere  anywhere
  132 56820 DOCKER-USER               all  --  any              any               anywhere  anywhere
  132 56820 DOCKER-ISOLATION-STAGE-1  all  --  any              any               anywhere  anywhere
    0     0 DOCKER                    all  --  any              docker0           anywhere  anywhere
    0     0 ACCEPT                    all  --  any              docker0           anywhere  anywhere  ctstate RELATED,ESTABLISHED
    0     0 ACCEPT                    all  --  docker0          !docker0          anywhere  anywhere
    0     0 ACCEPT                    all  --  docker0          docker0           anywhere  anywhere
    0     0 DOCKER                    all  --  any              br-ac3db22b180b   anywhere  anywhere
    4   240 DOCKER                    all  --  any              br-61206706fa14   anywhere  anywhere
    0     0 ~comb0                    all  --  docker+          any               anywhere  anywhere
   33  3880 DOCKER                    all  --  any              any               anywhere  anywhere
    0     0 ACCEPT                    all  --  any              docker+           anywhere  anywhere
Chain DOCKER (4 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0          !docker0          anywhere  anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-ac3db22b180b  !br-ac3db22b180b  anywhere  anywhere
   10  2394 DOCKER-ISOLATION-STAGE-2  all  --  br-61206706fa14  !br-61206706fa14  anywhere  anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
    0     0 DROP                      all  --  any              docker0           anywhere  anywhere
Chain DOCKER-USER (1 references)
    0     0 ACCEPT                    all  --  any              docker+           anywhere  anywhere
    0     0 ~comb2                    all  --  any              docker+           anywhere  anywhere
    0     0 ~comb2                    all  --  any              docker+           anywhere  anywhere

If I restart the Shorewall service, then it still loses some things.

root@dk1:~# systemctl restart shorewall
root@dk1:~# iptables -L -v | grep -i docker
    0     0 ~comb3                    all  --  docker+          any               anywhere  anywhere
  119 38979 DOCKER-USER               all  --  any              any               anywhere  anywhere
  119 38979 DOCKER-ISOLATION-STAGE-1  all  --  any              any               anywhere  anywhere
    0     0 DOCKER                    all  --  any              docker0           anywhere  anywhere
    0     0 ACCEPT                    all  --  any              docker0           anywhere  anywhere  ctstate RELATED,ESTABLISHED
    0     0 ACCEPT                    all  --  docker0          !docker0          anywhere  anywhere
    0     0 ACCEPT                    all  --  docker0          docker0           anywhere  anywhere
    0     0 ~comb0                    all  --  docker+          any               anywhere  anywhere
    7   808 DOCKER                    all  --  any              any               anywhere  anywhere
    0     0 ACCEPT                    all  --  any              docker+           anywhere  anywhere
Chain DOCKER (2 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
Chain DOCKER-ISOLATION-STAGE-2 (0 references)
Chain DOCKER-USER (1 references)
    0     0 ACCEPT                    all  --  any              docker+           anywhere  anywhere
    0     0 ~comb2                    all  --  any              docker+           anywhere  anywhere
    0     0 ~comb2                    all  --  any              docker+           anywhere  anywhere

root@dk1:~# systemctl restart docker
root@dk1:~# iptables -L -v | grep -i docker
    0     0 ~comb3                    all  --  docker+          any               anywhere  anywhere
  392  163K DOCKER-USER               all  --  any              any               anywhere  anywhere
  392  163K DOCKER-ISOLATION-STAGE-1  all  --  any              any               anywhere  anywhere
    0     0 ACCEPT                    all  --  any              docker0           anywhere  anywhere  ctstate RELATED,ESTABLISHED
    0     0 DOCKER                    all  --  any              docker0           anywhere  anywhere
    0     0 ACCEPT                    all  --  docker0          !docker0          anywhere  anywhere
    0     0 ACCEPT                    all  --  docker0          docker0           anywhere  anywhere
    0     0 DOCKER                    all  --  any              br-ac3db22b180b   anywhere  anywhere
   15   868 DOCKER                    all  --  any              br-61206706fa14   anywhere  anywhere
    0     0 ~comb0                    all  --  docker+          any               anywhere  anywhere
  554 85844 DOCKER                    all  --  any              any               anywhere  anywhere
    0     0 ACCEPT                    all  --  any              docker+           anywhere  anywhere
Chain DOCKER (4 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0          !docker0          anywhere  anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-ac3db22b180b  !br-ac3db22b180b  anywhere  anywhere
   61 16558 DOCKER-ISOLATION-STAGE-2  all  --  br-61206706fa14  !br-61206706fa14  anywhere  anywhere
Chain DOCKER-USER (1 references)
    0     0 ACCEPT                    all  --  any              docker+           anywhere  anywhere
    0     0 ~comb2                    all  --  any              docker+           anywhere  anywhere
    0     0 ~comb2                    all  --  any              docker+           anywhere  anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
    0     0 DROP                      all  --  any              docker0           anywhere  anywhere

It keeps it on a reload.

root@dk1:~# systemctl reload shorewall
root@dk1:~# iptables -L -v | grep -i docker
    0     0 ~comb3                    all  --  docker+          any               anywhere  anywhere
   59 14486 DOCKER-USER               all  --  any              any               anywhere  anywhere
   59 14486 DOCKER-ISOLATION-STAGE-1  all  --  any              any               anywhere  anywhere
    0     0 DOCKER                    all  --  any              docker0           anywhere  anywhere
    0     0 ACCEPT                    all  --  any              docker0           anywhere  anywhere  ctstate RELATED,ESTABLISHED
    0     0 ACCEPT                    all  --  docker0          !docker0          anywhere  anywhere
    0     0 ACCEPT                    all  --  docker0          docker0           anywhere  anywhere
    0     0 DOCKER                    all  --  any              br-ac3db22b180b   anywhere  anywhere
    4   204 DOCKER                    all  --  any              br-61206706fa14   anywhere  anywhere
    0     0 ~comb0                    all  --  docker+          any               anywhere  anywhere
   17  1888 DOCKER                    all  --  any              any               anywhere  anywhere
    0     0 ACCEPT                    all  --  any              docker+           anywhere  anywhere
Chain DOCKER (4 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0          !docker0          anywhere  anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-ac3db22b180b  !br-ac3db22b180b  anywhere  anywhere
   22  5605 DOCKER-ISOLATION-STAGE-2  all  --  br-61206706fa14  !br-61206706fa14  anywhere  anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
    0     0 DROP                      all  --  any              docker0           anywhere  anywhere
Chain DOCKER-USER (1 references)
    0     0 ACCEPT                    all  --  any              docker+           anywhere  anywhere
    0     0 ~comb2                    all  --  any              docker+           anywhere  anywhere
    0     0 ~comb2                    all  --  any              docker+           anywhere  anywhere

root@dk1:~# systemctl restart docker
root@dk1:~# /var/lib/shorewall/firewall reload > trace 2>&1
root@dk1:~# cat trace
Reloading Shorewall....
done.

Everything looks fine after reload.

root@dk1:~# iptables -L -v | grep -i docker
    0     0 ~comb3                    all  --  docker+          any               anywhere  anywhere
  769  364K DOCKER-USER               all  --  any              any               anywhere  anywhere
  769  364K DOCKER-ISOLATION-STAGE-1  all  --  any              any               anywhere  anywhere
    0     0 DOCKER                    all  --  any              docker0           anywhere  anywhere
    0     0 ACCEPT                    all  --  any              docker0           anywhere  anywhere  ctstate RELATED,ESTABLISHED
    0     0 ACCEPT                    all  --  docker0          !docker0          anywhere  anywhere
    0     0 ACCEPT                    all  --  docker0          docker0           anywhere  anywhere
    0     0 DOCKER                    all  --  any              br-ac3db22b180b   anywhere  anywhere
   24  1424 DOCKER                    all  --  any              br-61206706fa14   anywhere  anywhere
    0     0 ~comb0                    all  --  docker+          any               anywhere  anywhere
   77 10905 DOCKER                    all  --  any              any               anywhere  anywhere
    0     0 ACCEPT                    all  --  any              docker+           anywhere  anywhere
Chain DOCKER (4 references)
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0          !docker0          anywhere  anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-ac3db22b180b  !br-ac3db22b180b  anywhere  anywhere
   68 29638 DOCKER-ISOLATION-STAGE-2  all  --  br-61206706fa14  !br-61206706fa14  anywhere  anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
    0     0 DROP                      all  --  any              docker0           anywhere  anywhere
Chain DOCKER-USER (1 references)
    0     0 ACCEPT                    all  --  any              docker+           anywhere  anywhere
    0     0 ~comb2                    all  --  any              docker+           anywhere  anywhere
    0     0 ~comb2                    all  --  any              docker+           anywhere  anywhere

root@dk1:~# systemctl restart docker
root@dk1:~# iptables-save > iptables.save.after.docker.restart
root@dk1:~# systemctl reload shorewall.service
root@dk1:~# iptables-save > iptables.save.after.shorewall.reload
root@dk1:~# systemctl restart shorewall.service
root@dk1:~# iptables-save > iptables.save.after.shorewall.restart

I am wondering how this different behaviour on restart and reload comes about.

Thank you for your effort,
Michael
Attachment: iptables.tar.bz2
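The three iptables-save files captured at the end of the message are the right evidence for this kind of problem, because a side-by-side diff of the filter table shows exactly which Docker chains were emptied or unlinked by the firewall restart. The script below is an added example, not code from Shorewall or from the thread: it parses two iptables-save dumps, restricts itself to the filter table, counts how many "-j"/"-g" rules point at each chain (an approximation of the "(N references)" column of "iptables -L"), and reports every Docker-managed chain that lost rules or references. The two embedded dumps are constructed to mirror the page's "after docker restart" and "after shorewall restart" states (empty DOCKER-ISOLATION-STAGE-1, DOCKER-ISOLATION-STAGE-2 with 0 references); the interface names are taken from the page, the packet counters and the nat section are made up.

```python
"""Compare two iptables-save snapshots and report Docker chains that lost
rules or references (added example; the sample dumps below are constructed)."""
import re
import sys
from collections import Counter

DOCKER_CHAIN = re.compile(r"^(DOCKER|DOCKER-USER|DOCKER-ISOLATION-STAGE-[12])$")

# Constructed dump: state after "systemctl restart docker" (mirrors the page).
AFTER_DOCKER_RESTART = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-ac3db22b180b -j DOCKER
-A FORWARD -o br-61206706fa14 -j DOCKER
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-ac3db22b180b ! -o br-ac3db22b180b -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-61206706fa14 ! -o br-61206706fa14 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
"""

# Constructed dump: state after "systemctl restart shorewall" (mirrors the page:
# the bridge rules and the STAGE-1/STAGE-2 bodies are gone).
AFTER_SHOREWALL_RESTART = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
"""


def parse_filter_table(dump):
    """Return {chain: [rule, ...]} for the filter table only.
    Chains come from ':NAME POLICY [pkts:bytes]' lines, rules from '-A' lines."""
    chains, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *filter / *nat
            table = line[1:]
            continue
        if table != "filter":
            continue
        if line.startswith(":"):
            chains[line[1:].split()[0]] = []
        elif line.startswith("-A "):
            parts = line.split()
            chains.setdefault(parts[1], []).append(" ".join(parts[2:]))
    return chains


def reference_counts(chains):
    """Count jumps (-j / -g) into each user chain, like '(N references)'."""
    refs = {chain: 0 for chain in chains}
    for rules in chains.values():
        for rule in rules:
            parts = rule.split()
            for i, tok in enumerate(parts[:-1]):
                if tok in ("-j", "-g") and parts[i + 1] in refs:
                    refs[parts[i + 1]] += 1
    return refs


def docker_chain_report(before, after):
    """Docker chains that lost rules, references, or disappeared entirely.
    Counter handles duplicate rules (the page shows two identical ~comb2 rules)."""
    refs_b, refs_a = reference_counts(before), reference_counts(after)
    report = {}
    for chain in sorted(c for c in set(before) | set(after) if DOCKER_CHAIN.match(c)):
        missing = list((Counter(before.get(chain, [])) - Counter(after.get(chain, []))).elements())
        rb, ra = refs_b.get(chain, 0), refs_a.get(chain, 0)
        if missing or ra < rb or chain not in after:
            report[chain] = {"missing_rules": missing, "refs_before": rb,
                             "refs_after": ra, "present_after": chain in after}
    return report


if __name__ == "__main__":
    # Usage on real captures: python3 check.py before.save after.save
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            before, after = parse_filter_table(f1.read()), parse_filter_table(f2.read())
    else:
        before = parse_filter_table(AFTER_DOCKER_RESTART)
        after = parse_filter_table(AFTER_SHOREWALL_RESTART)
    for chain, info in docker_chain_report(before, after).items():
        print(f"{chain}: refs {info['refs_before']} -> {info['refs_after']}, "
              f"{len(info['missing_rules'])} rule(s) missing")
        for rule in info["missing_rules"]:
            print(f"    lost: {rule}")
```

Run against the real files (iptables.save.after.docker.restart as the first argument, iptables.save.after.shorewall.restart as the second) the report should name DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 and list the lost jump rules; run with the reload file as the second argument it should print nothing, which is the pass condition for a firewall reload that is safe for a Docker host.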
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users