-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2/24/20 4:16 AM, Michael Uray wrote:
> I tried a couple things and it looks to me as if it preserves > everything with "shorewall restart -c" and with "systemctl reload > shorewall" but not with "systemctl restart shorewall". > > > root@dk1:~# systemctl restart docker > > > root@dk1:~# iptables -L -v | grep -i docker 0 0 ~comb3 all > -- docker+ any anywhere anywhere 67 20688 > DOCKER-USER all -- any any anywhere anywhere > 67 20688 DOCKER-ISOLATION-STAGE-1 all -- any any anywhere > anywhere 0 0 ACCEPT all -- any docker0 anywhere > anywhere ctstate RELATED,ESTABLISHED 0 0 DOCKER > all -- any docker0 anywhere anywhere 0 0 > ACCEPT all -- docker0 !docker0 anywhere > anywhere 0 0 ACCEPT all -- docker0 docker0 anywhere > anywhere 0 0 DOCKER all -- any br-ac3db22b180b > anywhere anywhere 54 3220 DOCKER all -- any > br-61206706fa14 anywhere anywhere 0 0 ~comb0 > all -- docker+ any anywhere anywhere 1045 187K > DOCKER all -- any any anywhere anywhere 0 > 0 ACCEPT all -- any docker+ anywhere > anywhere Chain DOCKER (4 references) Chain DOCKER-ISOLATION-STAGE-1 > (1 references) 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 > !docker0 anywhere anywhere 0 0 > DOCKER-ISOLATION-STAGE-2 all -- br-ac3db22b180b !br-ac3db22b180b > anywhere anywhere 30 5851 DOCKER-ISOLATION-STAGE-2 > all -- br-61206706fa14 !br-61206706fa14 anywhere > anywhere Chain DOCKER-USER (1 references) 0 0 ACCEPT all > -- any docker+ anywhere anywhere 0 0 ~comb2 > all -- any docker+ anywhere anywhere 0 0 > ~comb2 all -- any docker+ anywhere anywhere > Chain DOCKER-ISOLATION-STAGE-2 (3 references) 0 0 DROP > all -- any docker0 anywhere anywhere > > > root@dk1:~# /sbin/shorewall restart -c Compiling using Shorewall > 5.2.3.2... Processing /etc/shorewall/params ... Processing > /etc/shorewall/shorewall.conf... Loading Modules... Compiling > /etc/shorewall/zones... Compiling /etc/shorewall/interfaces... > Determining Hosts in Zones... Locating Action Files... Compiling > /etc/shorewall/policy... Compiling TCP Flags filtering... 
Compiling > Kernel Route Filtering... Compiling Martian Logging... Compiling > MAC Filtration -- Phase 1... Compiling /etc/shorewall/rules... > Compiling /etc/shorewall/conntrack... Compiling MAC Filtration -- > Phase 2... Applying Policies... Generating Rule Matrix... > Optimizing Ruleset... Creating iptables-restore input... Shorewall > configuration compiled to /var/lib/shorewall/.restart Stopping > Shorewall.... Preparing iptables-restore input... Running > /sbin/iptables-restore --wait 60... done. Starting Shorewall.... > Initializing... Setting up Route Filtering... Setting up Martian > Logging... Preparing iptables-restore input... Running > /sbin/iptables-restore --wait 60... done. > > > It looks as if everything is fine after the "shorewall restart -c" > command: > > root@dk1:~# iptables -L -v | grep -i docker 0 0 ~comb3 all > -- docker+ any anywhere anywhere 132 56820 > DOCKER-USER all -- any any anywhere anywhere > 132 56820 DOCKER-ISOLATION-STAGE-1 all -- any any > anywhere anywhere 0 0 DOCKER all -- any > docker0 anywhere anywhere 0 0 ACCEPT all -- > any docker0 anywhere anywhere ctstate > RELATED,ESTABLISHED 0 0 ACCEPT all -- docker0 !docker0 > anywhere anywhere 0 0 ACCEPT all -- docker0 > docker0 anywhere anywhere 0 0 DOCKER all -- > any br-ac3db22b180b anywhere anywhere 4 240 > DOCKER all -- any br-61206706fa14 anywhere > anywhere 0 0 ~comb0 all -- docker+ any anywhere > anywhere 33 3880 DOCKER all -- any any anywhere > anywhere 0 0 ACCEPT all -- any docker+ anywhere > anywhere Chain DOCKER (4 references) Chain DOCKER-ISOLATION-STAGE-1 > (1 references) 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 > !docker0 anywhere anywhere 0 0 > DOCKER-ISOLATION-STAGE-2 all -- br-ac3db22b180b !br-ac3db22b180b > anywhere anywhere 10 2394 DOCKER-ISOLATION-STAGE-2 > all -- br-61206706fa14 !br-61206706fa14 anywhere > anywhere Chain DOCKER-ISOLATION-STAGE-2 (3 references) 0 0 DROP > all -- any docker0 anywhere anywhere Chain > DOCKER-USER (1 references) 0 0 ACCEPT all 
-- any > docker+ anywhere anywhere 0 0 ~comb2 all -- > any docker+ anywhere anywhere 0 0 ~comb2 > all -- any docker+ anywhere anywhere > > > If I restart the Shorewall service, then it still loses some > things. > > root@dk1:~# systemctl restart shorewall > > > root@dk1:~# iptables -L -v | grep -i docker 0 0 ~comb3 all > -- docker+ any anywhere anywhere 119 38979 > DOCKER-USER all -- any any anywhere anywhere > 119 38979 DOCKER-ISOLATION-STAGE-1 all -- any any > anywhere anywhere 0 0 DOCKER all -- any > docker0 anywhere anywhere 0 0 ACCEPT all -- > any docker0 anywhere anywhere ctstate > RELATED,ESTABLISHED 0 0 ACCEPT all -- docker0 !docker0 > anywhere anywhere 0 0 ACCEPT all -- docker0 > docker0 anywhere anywhere 0 0 ~comb0 all -- > docker+ any anywhere anywhere 7 808 DOCKER > all -- any any anywhere anywhere 0 0 > ACCEPT all -- any docker+ anywhere anywhere > Chain DOCKER (2 references) Chain DOCKER-ISOLATION-STAGE-1 (1 > references) Chain DOCKER-ISOLATION-STAGE-2 (0 references) Chain > DOCKER-USER (1 references) 0 0 ACCEPT all -- any > docker+ anywhere anywhere 0 0 ~comb2 all -- > any docker+ anywhere anywhere 0 0 ~comb2 > all -- any docker+ anywhere anywhere > > > root@dk1:~# systemctl restart docker > > > root@dk1:~# iptables -L -v | grep -i docker 0 0 ~comb3 all > -- docker+ any anywhere anywhere 392 163K > DOCKER-USER all -- any any anywhere anywhere > 392 163K DOCKER-ISOLATION-STAGE-1 all -- any any > anywhere anywhere 0 0 ACCEPT all -- any > docker0 anywhere anywhere ctstate > RELATED,ESTABLISHED 0 0 DOCKER all -- any docker0 > anywhere anywhere 0 0 ACCEPT all -- docker0 > !docker0 anywhere anywhere 0 0 ACCEPT all -- > docker0 docker0 anywhere anywhere 0 0 DOCKER > all -- any br-ac3db22b180b anywhere anywhere 15 > 868 DOCKER all -- any br-61206706fa14 anywhere > anywhere 0 0 ~comb0 all -- docker+ any anywhere > anywhere 554 85844 DOCKER all -- any any anywhere > anywhere 0 0 ACCEPT all -- any docker+ anywhere > anywhere Chain DOCKER (4 references) Chain 
DOCKER-ISOLATION-STAGE-1 > (1 references) 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 > !docker0 anywhere anywhere 0 0 > DOCKER-ISOLATION-STAGE-2 all -- br-ac3db22b180b !br-ac3db22b180b > anywhere anywhere 61 16558 DOCKER-ISOLATION-STAGE-2 > all -- br-61206706fa14 !br-61206706fa14 anywhere > anywhere Chain DOCKER-USER (1 references) 0 0 ACCEPT all > -- any docker+ anywhere anywhere 0 0 ~comb2 > all -- any docker+ anywhere anywhere 0 0 > ~comb2 all -- any docker+ anywhere anywhere > Chain DOCKER-ISOLATION-STAGE-2 (3 references) 0 0 DROP > all -- any docker0 anywhere anywhere > > > It keeps it on a reload. > > root@dk1:~# systemctl reload shorewall root@dk1:~# iptables -L -v > | grep -i docker 0 0 ~comb3 all -- docker+ any > anywhere anywhere 59 14486 DOCKER-USER all -- any > any anywhere anywhere 59 14486 > DOCKER-ISOLATION-STAGE-1 all -- any any anywhere > anywhere 0 0 DOCKER all -- any docker0 anywhere > anywhere 0 0 ACCEPT all -- any docker0 anywhere > anywhere ctstate RELATED,ESTABLISHED 0 0 ACCEPT > all -- docker0 !docker0 anywhere anywhere 0 0 > ACCEPT all -- docker0 docker0 anywhere anywhere > 0 0 DOCKER all -- any br-ac3db22b180b anywhere > anywhere 4 204 DOCKER all -- any br-61206706fa14 > anywhere anywhere 0 0 ~comb0 all -- docker+ > any anywhere anywhere 17 1888 DOCKER all -- > any any anywhere anywhere 0 0 ACCEPT all > -- any docker+ anywhere anywhere Chain DOCKER (4 > references) Chain DOCKER-ISOLATION-STAGE-1 (1 references) 0 0 > DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere > anywhere 0 0 DOCKER-ISOLATION-STAGE-2 all -- br-ac3db22b180b > !br-ac3db22b180b anywhere anywhere 22 5605 > DOCKER-ISOLATION-STAGE-2 all -- br-61206706fa14 !br-61206706fa14 > anywhere anywhere Chain DOCKER-ISOLATION-STAGE-2 (3 > references) 0 0 DROP all -- any docker0 anywhere > anywhere Chain DOCKER-USER (1 references) 0 0 ACCEPT all > -- any docker+ anywhere anywhere 0 0 ~comb2 > all -- any docker+ anywhere anywhere 0 0 > ~comb2 all -- any docker+ anywhere anywhere 
> > > root@dk1:~# systemctl restart docker > > root@dk1:~# /var/lib/shorewall/firewall reload > trace 2>&1 > > > root@dk1:~# cat trace Reloading Shorewall.... done. Everything > looks fine after reload. > > root@dk1:~# iptables -L -v | grep -i docker 0 0 ~comb3 all > -- docker+ any anywhere anywhere 769 364K > DOCKER-USER all -- any any anywhere anywhere > 769 364K DOCKER-ISOLATION-STAGE-1 all -- any any > anywhere anywhere 0 0 DOCKER all -- any > docker0 anywhere anywhere 0 0 ACCEPT all -- > any docker0 anywhere anywhere ctstate > RELATED,ESTABLISHED 0 0 ACCEPT all -- docker0 !docker0 > anywhere anywhere 0 0 ACCEPT all -- docker0 > docker0 anywhere anywhere 0 0 DOCKER all -- > any br-ac3db22b180b anywhere anywhere 24 1424 > DOCKER all -- any br-61206706fa14 anywhere > anywhere 0 0 ~comb0 all -- docker+ any anywhere > anywhere 77 10905 DOCKER all -- any any anywhere > anywhere 0 0 ACCEPT all -- any docker+ anywhere > anywhere Chain DOCKER (4 references) Chain DOCKER-ISOLATION-STAGE-1 > (1 references) 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 > !docker0 anywhere anywhere 0 0 > DOCKER-ISOLATION-STAGE-2 all -- br-ac3db22b180b !br-ac3db22b180b > anywhere anywhere 68 29638 DOCKER-ISOLATION-STAGE-2 > all -- br-61206706fa14 !br-61206706fa14 anywhere > anywhere Chain DOCKER-ISOLATION-STAGE-2 (3 references) 0 0 DROP > all -- any docker0 anywhere anywhere Chain > DOCKER-USER (1 references) 0 0 ACCEPT all -- any > docker+ anywhere anywhere 0 0 ~comb2 all -- > any docker+ anywhere anywhere 0 0 ~comb2 > all -- any docker+ anywhere anywhere > > > root@dk1:~# systemctl restart docker > > root@dk1:~# iptables-save > iptables.save.after.docker.restart > > root@dk1:~# systemctl reload shorewall.service > > root@dk1:~# iptables-save > iptables.save.after.shorewall.reload > > root@dk1:~# systemctl restart shorewall.service > > root@dk1:~# iptables-save > iptables.save.after.shorewall.restart > > > I am wondering how it comes to this different behavior on restart > and reload. 
With RESTART=restart in shorewall.conf, 'restart' does a 'stop' followed by a 'start' whereas 'reload' essentially does a 'start'. What I don't understand is why restart sometimes does the right thing and other times it does the wrong thing. I've done some cleanup of the Docker-related code in the attached patches: patch /usr/share/shorewall/prog.footer < ISOLATION1.patch cd /usr/share/shorewall/Shorewall/ patch -p4 < path/to/ISOLATION2.patch shorewall compile shorewall reload sh -x /var/lib/shorewall/firewall restart > trace 2>&1 If the last operation failed to correctly restore the Docker chains, then please forward /var/lib/shorewall/firewall and the trace file. Thanks, - -Tom - -- Tom Eastep \ Q: What do you get when you cross a mobster Shoreline, \ with an international standard? Washington, USA \ A: Someone who makes you an offer you http://shorewall.org \ can't understand \________________________________________ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIzBAEBCgAdFiEEFNMNR63CLO6yqbL8luaz8kI6TRAFAl5UVJwACgkQluaz8kI6 TRAKXg/9EhF7fOCi7uBAW/qCdpHgLsgW5taZdV4yEIc0MOrRmPMKUXt9koOyB9Db /5hJ+NhMZjYijLsYwidtI1jSFVtao0iUxlcCrKCbqGLb4kNT5dxGF9FFsyODdk4r tQX4USH70W7vxn3kixJgyXpeU3jGJVzCpLO/9r8AGr1RcSq+OowJplOhqfmA8Lkn A2G8Jk2YjF2nslKYKi3nWuL/Cd4kXMBOV911tNztC05K8vd0G2m1+vgzehiGZscI xNGcSRjYc7BtXWKAbYqJJwAghtmQzLH9+CqwLlm3W5gsPlKgPgzpxHHLnIUpt8QV kLRPUc1nQqqhfpRfhtyuQ6mD8g3Mz3zP3/DYNzmQrWEkkGK+46J55m2DMiqoCXsi CXf2XZOk4OoDKZslFjK/Iu53Msy9W5eSmKFAtZ2jKe6Ce+abN/uhLDytk70yYSX5 /8VzGO+Bz+Yx/EJvNw3AM4hALzDKQX1jvfBxo8o3ReWxHAQjEyYcARvNJMG86uUY 5Xd3LoG+lc0S2nctpceDHYeSCGyFEF/lnaPM7jp0icTjIHXVaRqyibmoH69utGoR P46qnX45Z/cpFOeLCF7h+0GCNnNGznDDU4SIGyoLxVKJW8v8Vb2FMKVVISN69V2P SNE3L+KbxOH1hnuhhPeUv5LsgUNT0QECBj2Y8QZnkUS67gKfIUU= =ju/w -----END PGP SIGNATURE-----
diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer
index f72f648c9..5b5ccba01 100644
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -148,7 +148,8 @@
 g_compiled=
 g_file=
 g_docker=
 g_dockeringress=
-g_dockernetwork=
+g_dockeriso=
+g_dockerisostage=
 g_forcereload=
 g_fallback=
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index df30d8884..404554b45 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3369,13 +3369,13 @@ sub initialize_chain_table($) {
 add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 $chainref = new_standard_chain( 'DOCKER-INGRESS' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
- $chainref = new_standard_chain( 'DOCKER-USER' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
+ $chainref = new_standard_chain( 'DOCKER-USER' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
 $chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
 $chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
@@ -8703,23 +8703,15 @@ sub save_docker_rules($) {
 qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
 qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
- qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
- qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+ qq( rm -f \${VARDIR}/.filter_DOCKER-*),
+ qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
+ qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+ qq( [ -n "\$g_dockeriso" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
 qq(),
- qq( case "\$g_dockernetwork" in),
- qq( One\)),
- qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
- qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
- qq( ;;),
- qq( Two\)),
- qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
- qq( if chain_exists DOCKER_ISOLATION; then),
- qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
- qq( fi),
- qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
- qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
- qq( ;;),
- qq( esac),
+ qq( if [ -n "\$g_dockerisostage" ]; then),
+ qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
+ qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
+ qq( fi),
 qq(),
 );
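Review bot: The new `if [ -n "$g_dockerisostage" ]` block dumps DOCKER-ISOLATION-STAGE-2 on the strength of the STAGE-1 test alone (generate_script_2 in this patch only probes `DOCKER-ISOLATION-STAGE-1`), so if STAGE-2 is absent the `$tool -S` fails but the redirection still leaves an empty `.filter_DOCKER-ISOLATION-STAGE-2`, which the restore side added to initialize_chain_table in this same patch will `cat` into iptables-restore. The same holds for every `[ -n ... ] && $tool ... > file` line here: a failed dump yields an empty file rather than no file, and the new `rm -f \${VARDIR}/.filter_DOCKER-*` only clears the previous run. Guarding the STAGE-2 dump on the chain itself, `qq( chain_exists DOCKER-ISOLATION-STAGE-2 && $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),`, as the removed `Two)` branch did for DOCKER-ISOLATION, keeps the saved-rules directory from holding a file for a chain that does not exist. The emit() call that opens this list begins before the hunk.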
@@ -9240,10 +9232,10 @@ sub create_netfilter_load( $ ) {
 emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 ensure_cmd_mode;
- emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 ensure_cmd_mode;
- emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ emit( qq([ "\$g_dockerisostage" = Two ] && echo ":$name - [0:0]" >&3) );
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
 ensure_cmd_mode;
 emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@@ -9355,11 +9347,11 @@ sub preview_netfilter_load() {
 print "\n";
 } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 ensure_cmd_mode1;
- print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ print( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 print "\n";
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 ensure_cmd_mode1;
- print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );
 print "\n";
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
 ensure_cmd_mode1;
@@ -9456,10 +9448,10 @@ sub create_stop_load( $ ) {
 emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 ensure_cmd_mode;
- emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 ensure_cmd_mode;
- emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
 ensure_cmd_mode;
 emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
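Review bot: The preview_netfilter_load hunk prints `[ "$g_dockeisostage" ]`, a misspelling of `g_dockerisostage` (the `r` is missing), so the preview never shows the `:DOCKER-ISOLATION-STAGE-n - [0:0]` declarations; it should read `print( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );`. The create_netfilter_load hunk has the related problem `[ "$g_dockerisostage" = Two ]`: the Compiler.pm hunk in this patch assigns the value `Yes`, not `Two`, so that test can never succeed and the STAGE chains would go undeclared on load even though save_docker_rules still writes their saved rules for initialize_chain_table to append. The create_stop_load hunk already uses the correct `[ -n "$g_dockerisostage" ]` form, and the first hunk should match it, `emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );`. All three subs start and end outside their hunks.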
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 926326708..c8977bd4b 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -268,13 +268,10 @@ sub generate_script_2() {
 emit( '',
 'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 );
- emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
- emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
- emit( 'if chain_exists DOCKER-ISOLATION-STAGE-1; then',
- ' g_dockernetwork=Two',
- 'elif chain_exists DOCKER-ISOLATION; then',
- ' g_dockernetwork=One',
- 'fi' );
+ emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
+ emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
+ emit( 'chain_exists DOCKER-ISOLATION && dockeriso=Yes' );
+ emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && dockerisostage=Yes' );
 }
 pop_indent;
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 0ff7fea09..55ed6ba53 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
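Review bot: The two new `chain_exists DOCKER-ISOLATION && dockeriso=Yes` and `chain_exists DOCKER-ISOLATION-STAGE-1 && dockerisostage=Yes` lines assign shell variables without the `g_` prefix, while prog.footer in this patch declares `g_dockeriso=` and `g_dockerisostage=` and every consumer in the Chains.pm and Misc.pm hunks tests `$g_dockeriso` / `$g_dockerisostage`. In the generated script both globals therefore stay empty, so after this patch the DOCKER-ISOLATION chains are neither declared, restored from the saved `.filter_DOCKER-ISOLATION*` files, nor jumped to from FORWARD. The lines should be `emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );` and `emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );`, matching the `g_dockeringress` / `g_dockeruser` lines directly above them. generate_script_2 starts and ends outside the hunk.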
@@ -679,18 +679,10 @@ sub create_docker_rules() {
 my $chainref = $filter_table->{FORWARD};
- add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
- add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3', );
- add_commands( $chainref ,
- '',
- 'case "$g_dockernetwork" in',
- ' One)',
- ' echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
- ' ;;',
- ' Two)',
- ' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
- ' ;;',
- 'esac' );
+ add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3' );
+ add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3' );
+ add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
+ add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
 if ( my $dockerref = known_interface('docker0') ) {
 add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );