
On 3/3/20 4:35 PM, Michael Uray wrote:
> From: Tom Eastep <teas...@shorewall.net>
>> What is the status of this issue? I would like to release
>> 5.2.3.7, but would prefer to not do so until this is resolved.
> Hello Tom,
>
> I just tested it, it still does not preserve all Docker iptables.
> Please find the trace file as well as the commands which I did run
> attached.
>
> So far as I noticed, a restart always removes the iptables and a
> reload never does.

The generated script probes the current netfilter configuration
looking for Docker-generated chains. It does that by using the
iptables -L command. In the trace, we see:

+ chain_exists DOCKER-ISOLATION-STAGE-1
+ qt1 /sbin/iptables --wait -t filter -L DOCKER-ISOLATION-STAGE-1 -n
+ local status
+ [ 1 ]
+ /sbin/iptables --wait -t filter -L DOCKER-ISOLATION-STAGE-1 -n
+ status=1
+ [ 1 -ne 4 ]
+ return 1

The relevant shell code is:

qt1()
{
    local status

    while [ 1 ]; do
        "$@" </dev/null >/dev/null 2>&1
        status=$?
        [ $status -ne 4 ] && return $status
    done
}
...
chain_exists() # $1 = chain name, $2 = table name (optional)
{
    qt1 $g_tool -t ${2:-filter} -L $1 -n
}
...
g_tool="/sbin/iptables --wait"
...
chain_exists DOCKER-ISOLATION-STAGE-1 && dockerisostage=Yes
...

So the command
  /sbin/iptables --wait -t filter -L DOCKER-ISOLATION-STAGE-1 -n
is failing with exit status 1!

If there was a problem with the syntax of the command (which there
isn't), the exit status would have been 2.

This is curious, since in the output you posted we see that the chain
definitely does exist just prior to the attempted restart.

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0
anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-ac3db22b180b
!br-ac3db22b180b  anywhere             anywhere
   22  5235 DOCKER-ISOLATION-STAGE-2  all  --  br-61206706fa14
!br-61206706fa14  anywhere             anywhere

The command succeeds for other chains:

+ chain_exists DOCKER-USER
+ qt1 /sbin/iptables --wait -t filter -L DOCKER-USER -n
+ local status
+ [ 1 ]
+ /sbin/iptables --wait -t filter -L DOCKER-USER -n
+ status=0
+ [ 0 -ne 4 ]
+ return 0
+ g_dockeruser=Yes

In fact, chain_exists() has been around for years and is used in many
places in Shorewall (both in the CLI and in the generated firewall
script).

After sending my post yesterday, I did find a bug in the code that
would also cause the DOCKER-ISOLATION-STAGE-* chains to be dropped.
I've attached a patch to fix that.

My only suggestion is to temporarily modify qt1 (it is in
/usr/share/shorewall/lib.common) to remove the redirection of standard
error (remove the '2>&1'). That will result in spurious iptables error
messages, but at least the trace will then show why the 'iptables -L'
command intermittently fails on your system.

One final thing -- the failing logic is executed for start, stop,
restart and reload, so presumably any of these commands can lose
Docker chains.

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________
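Tom's suggestion above is to stop discarding stderr so the trace shows why the probe fails. As an added example that is not part of this message or of Shorewall's lib.common, here is a variant of qt1/chain_exists that keeps the probe's stderr, classifies the iptables exit status (0 ok, 1 other error such as a missing chain, 2 bad command line, 4 resource problem such as the xtables lock) and bounds the retry on status 4; the fake_iptables stand-in and MAX_LOCK_RETRIES are constructed for the example.

```shell
#!/bin/sh
# Added example, not Shorewall code: probe a chain the way qt1/chain_exists
# does, but keep stderr and classify the exit status so a trace shows the
# reason for a failure instead of only "status=1".

# Hypothetical retry bound; Shorewall's qt1 retries status 4 forever.
MAX_LOCK_RETRIES=${MAX_LOCK_RETRIES:-5}

# probe_chain CMD... : run CMD with stdin/stdout discarded, retry on exit
# status 4, return the final status and set PROBE_RESULT / PROBE_STDERR.
probe_chain()
{
    local status tries=0 errfile
    errfile=$(mktemp) || return 4
    while :; do
        "$@" </dev/null >/dev/null 2>"$errfile"
        status=$?
        [ "$status" -ne 4 ] && break
        tries=$((tries + 1))
        [ "$tries" -ge "$MAX_LOCK_RETRIES" ] && break
    done
    PROBE_STDERR=$(cat "$errfile")
    rm -f "$errfile"
    case $status in
        0) PROBE_RESULT=exists ;;
        1) PROBE_RESULT=missing-or-runtime-error ;;
        2) PROBE_RESULT=bad-command-line ;;
        4) PROBE_RESULT=resource-busy ;;
        *) PROBE_RESULT=unknown ;;
    esac
    return "$status"
}

# Constructed stand-in for iptables so the example runs offline: the first
# call reports the xtables lock as held (status 4), later calls report the
# chain as absent (status 1).
FAKE_CALLS=0
fake_iptables()
{
    FAKE_CALLS=$((FAKE_CALLS + 1))
    if [ "$FAKE_CALLS" -eq 1 ]; then
        echo "Another app is currently holding the xtables lock." >&2
        return 4
    fi
    echo "iptables: No chain/target/match by that name." >&2
    return 1
}

probe_chain fake_iptables --wait -t filter -L DOCKER-ISOLATION-STAGE-1 -n
echo "status=$? result=$PROBE_RESULT stderr=$PROBE_STDERR"
```

With the real tool, replace fake_iptables by $g_tool; the captured stderr is what the '2>&1' in qt1 currently hides from the trace.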
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 4ddfcec11..a9fa504ed 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -9249,7 +9249,7 @@ sub create_netfilter_load( $ ) {
 			emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode;
-			emit( qq([ "\$g_dockerisostage" = Two ] && echo ":$name - [0:0]" >&3) );
+			emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
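Review bot: the new test `[ -n "\$g_dockerisostage" ]` replaces an equality test against the literal Two, yet the shell excerpt earlier in this message sets the variable with `chain_exists DOCKER-ISOLATION-STAGE-1 && dockerisostage=Yes`, so the old comparison could never be true and the STAGE chains were never re-created; the change is consistent with that finding. Two points to confirm in review: that the variable assigned in the excerpt (`dockerisostage`, without the `g_` prefix) is the same `g_dockerisostage` the emitted test reads, given that the DOCKER-USER trace shows `g_dockeruser=Yes` with the prefix; and that `-n` is tight enough, because any non-empty value now emits both DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 regardless of which chain was actually found. A one-line comment above the emit documenting the values `g_dockerisostage` can take would help the next reader.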

