From: Tom Eastep <teas...@shorewall.net>
Sent: 03.03.2020 22:10
To: shorewall-users@lists.sourceforge.net
Topic: Re: [Shorewall-users] Shorewall removes Docker iptable chain "DOCKER-ISOLATION-STAGE-1" on restart

>On 2/24/20 2:56 PM, Tom Eastep wrote:
>> On 2/24/20 4:16 AM, Michael Uray wrote:
>>
>>>> I am wondering how it comes to this different behavior on restart and 
>>>> reload.
>>
>> With RESTART=restart in shorewall.conf, 'restart' does a 'stop'
>> followed by a 'start' whereas 'reload' essentially does a 'start'.
>> What I don't understand is why restart sometimes does the right thing 
>> and other times it does the wrong thing.
>>
>> I've done some cleanup of the Docker-related code in the attached
>> patches:
>>
>> patch /usr/share/shorewall/prog.footer < ISOLATION1.patch
>> cd /usr/share/shorewall/Shorewall/
>> patch -p4 < path/to/ISOLATION2.patch
>> shorewall compile
>> shorewall reload
>> sh -x /var/lib/shorewall/firewall restart > trace 2>&1
>>
>> If the last operation failed to correctly restore the Docker chains, 
>> then please forward /var/lib/shorewall/firewall and the trace file.
>>

>
> Hi Michael,
>
> What is the status of this issue? I would like to release 5.2.3.7, but
> would prefer to not do so until this is resolved.

> Thanks,
> - -Tom

Hello Tom,

I just tested it, it still does not preserve all Docker iptables.
Please find the trace file as well as the commands which I did run attached.

As far as I noticed, a restart always removes the iptables and a reload
never does.

Thanks
Michael


Attachment: trace
Description: trace

root@dk1:~# cat /etc/shorewall/shorewall.conf | grep RESTART
RESTART=restart

root@dk1:~# patch /usr/share/shorewall/prog.footer < ISOLATION1.patch
(Stripping trailing CRs from patch; use --binary to disable.)
patching file /usr/share/shorewall/prog.footer

root@dk1:~# cd /usr/share/shorewall/Shorewall/

root@dk1:/usr/share/shorewall/Shorewall# patch -p4 < /root/ISOLATION2.patch
(Stripping trailing CRs from patch; use --binary to disable.)
patching file Chains.pm
Hunk #1 succeeded at 3366 (offset -3 lines).
Hunk #2 succeeded at 8696 with fuzz 2 (offset -7 lines).
Hunk #3 succeeded at 9225 (offset -7 lines).
Hunk #4 succeeded at 9340 (offset -7 lines).
Hunk #5 succeeded at 9441 (offset -7 lines).
(Stripping trailing CRs from patch; use --binary to disable.)
patching file Compiler.pm
(Stripping trailing CRs from patch; use --binary to disable.)
patching file Misc.pm

root@dk1:/usr/share/shorewall/Shorewall# shorewall compile
Compiling using Shorewall 5.2.3.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Optimizing Ruleset...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/firewall

root@dk1:/usr/share/shorewall/Shorewall# /etc/init.d/docker restart
[ ok ] Restarting docker (via systemctl): docker.service.

root@dk1:/usr/share/shorewall/Shorewall# iptables -L -v | grep -i docker
    0     0 ~comb3     all  --  docker+ any     anywhere             anywhere
   44 13251 DOCKER-USER  all  --  any    any     anywhere             anywhere
   44 13251 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
   52  3096 DOCKER     all  --  any    br-61206706fa14  anywhere             anywhere
    0     0 DOCKER     all  --  any    br-ac3db22b180b  anywhere             anywhere
    0     0 ~comb0     all  --  docker+ any     anywhere             anywhere
 1506  258K DOCKER     all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker+  anywhere             anywhere
Chain DOCKER (4 references)
Chain DOCKER-USER (1 references)
    0     0 ACCEPT     all  --  any    docker+  anywhere             anywhere
    0     0 ~comb2     all  --  any    docker+  anywhere             anywhere
    0     0 ~comb2     all  --  any    docker+  anywhere             anywhere
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-ac3db22b180b !br-ac3db22b180b  anywhere             anywhere
   22  5235 DOCKER-ISOLATION-STAGE-2  all  --  br-61206706fa14 !br-61206706fa14  anywhere             anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
    0     0 DROP       all  --  any    docker0  anywhere             anywhere

root@dk1:/usr/share/shorewall/Shorewall# shorewall reload
Reloading Shorewall....
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
done.

root@dk1:/usr/share/shorewall/Shorewall# iptables -L -v | grep -i docker
    0     0 ~comb3     all  --  docker+ any     anywhere             anywhere
    0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
    0     0 DOCKER     all  --  any    br-61206706fa14  anywhere             anywhere
    0     0 DOCKER     all  --  any    br-ac3db22b180b  anywhere             anywhere
    0     0 ~comb0     all  --  docker+ any     anywhere             anywhere
   14  1468 DOCKER     all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker+  anywhere             anywhere
Chain DOCKER (4 references)
Chain DOCKER-USER (1 references)
    0     0 ACCEPT     all  --  any    docker+  anywhere             anywhere
    0     0 ~comb2     all  --  any    docker+  anywhere             anywhere
    0     0 ~comb2     all  --  any    docker+  anywhere             anywhere

root@dk1:/usr/share/shorewall/Shorewall# sh -x /var/lib/shorewall/firewall 
restart > trace 2>&1

root@dk1:/usr/share/shorewall/Shorewall# iptables -L -v | grep -i docker
    0     0 ~comb3     all  --  docker+ any     anywhere             anywhere
  119 52516 DOCKER-USER  all  --  any    any     anywhere             anywhere
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
    4   240 DOCKER     all  --  any    br-61206706fa14  anywhere             anywhere
    0     0 DOCKER     all  --  any    br-ac3db22b180b  anywhere             anywhere
    0     0 ~comb0     all  --  docker+ any     anywhere             anywhere
   12  1288 DOCKER     all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker+  anywhere             anywhere
Chain DOCKER (4 references)
Chain DOCKER-USER (1 references)
    0     0 ACCEPT     all  --  any    docker+  anywhere             anywhere
    0     0 ~comb2     all  --  any    docker+  anywhere             anywhere
    0     0 ~comb2     all  --  any    docker+  anywhere             anywhere

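The transcript above shows the symptom by eye: after `shorewall reload` the `Chain DOCKER-ISOLATION-STAGE-1` and `Chain DOCKER-ISOLATION-STAGE-2` headers are still listed, after the scripted `restart` they are gone. Grepping `iptables -L -v` is a weak check for that, because it mixes chain headers with rule references and only covers the filter table. The script below is an added example, not code from the thread or from Shorewall: it compares the chain definitions (`-N` lines) from two `iptables -S` snapshots and reports every `DOCKER*` chain that existed before a firewall operation and is missing afterwards. The two snapshots embedded here are constructed from the chains visible in the listings above, reduced to the lines that matter; the function names are mine.

```shell
#!/bin/sh
# Added example: detect Docker chains that a firewall operation removed.
# BEFORE/AFTER are constructed samples in `iptables -S` format, modelled on
# the chains shown in the thread (reload keeps them, restart drops the
# two ISOLATION chains). Replace them with real snapshots for live use.
BEFORE='-N DOCKER
-N DOCKER-USER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP'

AFTER='-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER'

# docker_chains: read `iptables -S` output on stdin and print the sorted,
# unique names of chains whose definition (-N) starts with DOCKER.
# Only -N lines count, so a dangling "-j DOCKER-..." reference in a rule
# does not make a chain look present.
docker_chains() {
    awk '$1 == "-N" && $2 ~ /^DOCKER/ { print $2 }' | sort -u
}

# missing_chains BEFORE AFTER: print the Docker chains defined in the
# BEFORE snapshot that are no longer defined in the AFTER snapshot.
missing_chains() {
    before_tmp=$(mktemp) || return 2
    after_tmp=$(mktemp) || { rm -f "$before_tmp"; return 2; }
    printf '%s\n' "$1" | docker_chains > "$before_tmp"
    printf '%s\n' "$2" | docker_chains > "$after_tmp"
    # comm -23: lines only in the first (sorted) file
    comm -23 "$before_tmp" "$after_tmp"
    rm -f "$before_tmp" "$after_tmp"
}

# check_docker_chains BEFORE AFTER: return 0 if every Docker chain survived,
# 1 (with a message on stderr) if any chain was lost.
check_docker_chains() {
    lost=$(missing_chains "$1" "$2")
    if [ -n "$lost" ]; then
        printf 'Docker chains lost: %s\n' "$(printf '%s' "$lost" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Live use (needs root and a running firewall), not executed here:
#   BEFORE=$(iptables -S); shorewall restart; AFTER=$(iptables -S)
#   check_docker_chains "$BEFORE" "$AFTER" || echo "restart broke Docker isolation"
```

Run with the constructed samples, `missing_chains` prints `DOCKER-ISOLATION-STAGE-1` and `DOCKER-ISOLATION-STAGE-2`, the same two chains the restart listing above no longer shows. Taking the snapshots with `iptables -S` rather than `iptables -L` keeps the output parseable and stable across column wrapping; add `-t nat` snapshots if the DOCKER chain in the nat table is also of interest.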
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
