On 8/9/2021 5:38 AM, Jernej Vodopivec via Shorewall-users wrote:
> Hi,
>
> shorewall restart fails occasionally, complaining that one of the chains is missing.
> There are multiple docker networks configured on the VM/host.
>
> Shorewall version: 5.2.3.4-1 (debian 11). Kernel running: Debian.
>
> /etc/shorewall/interfaces
> ###############################################################################
> #ZONE      INTERFACE          OPTIONS
> net        ens192             dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=ens192
> dock       docker0            bridge
> db_maria   br-0637e091497f    tcpflags,logmartians,nosmurfs,sourceroute=0,routefilter=1
> www1       br-7172e1291701    tcpflags,logmartians,nosmurfs,sourceroute=0,routefilter=1
> www2       br-33696d489f5a    tcpflags,logmartians,nosmurfs,sourceroute=0,routefilter=1
>
> I already deleted the db_maria network/zone and recreated it again. Same issue.
>
> If restart fails, it always fails for the db_maria network only. It hasn't failed
> for any other docker network/interface.
> Usually shorewall DEBUG restart is needed to restart successfully.
>
> Sample output
>
> 1. Run - without debug
> # shorewall restart
> Compiling using Shorewall 5.2.3.4...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Compiling /etc/shorewall/zones...
> Compiling /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /etc/shorewall/policy...
> Adding Anti-smurf Rules
> Adding rules for DHCP
> Compiling TCP Flags filtering...
> Compiling Kernel Route Filtering...
> Compiling Martian Logging...
> Compiling Accept Source Routing...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall/rules...
> Compiling /etc/shorewall/conntrack...
> Compiling MAC Filtration -- Phase 2...
> Applying Policies...
> Generating Rule Matrix...
> Optimizing Ruleset...
> Creating iptables-restore input...
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Stopping Shorewall....
> Preparing iptables-restore input...
> Running /sbin/iptables-restore --wait 60...
> iptables-restore v1.8.7 (nf_tables): Chain 'db_maria_frwd' does not exist
> Error occurred at line: 131
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> ERROR: /sbin/iptables-restore --wait 60 Failed.
> done.
> Starting Shorewall....
> Initializing...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Accept Source Routing...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore --wait 60...
> Processing /etc/shorewall/started ...
> done.
>
> 2. Run - with debug
> # shorewall debug restart
> Stopping Shorewall....
> Preparing iptables-restore input...
> Running debug_restore_input...
> iptables v1.8.7 (nf_tables): Chain 'db_maria_frwd' does not exist
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/sbin/iptables --wait -t filter -A FORWARD -i br-0637e091497f -j db_maria_frwd" Failed
> Terminated
>
> 3. Run - without debug
> # shorewall restart
> Stopping Shorewall....
> Preparing iptables-restore input...
> Running /sbin/iptables-restore --wait 60...
> done.
> Starting Shorewall....
> Initializing...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Accept Source Routing...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore --wait 60...
> Processing /etc/shorewall/started ...
> done.
>
> 4. Run - without debug
> # shorewall restart
> Stopping Shorewall....
> Preparing iptables-restore input...
> Running /sbin/iptables-restore --wait 60...
> iptables-restore v1.8.7 (nf_tables): Chain 'db_maria_frwd' does not exist
> Error occurred at line: 131
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> ERROR: /sbin/iptables-restore --wait 60 Failed.
> done.
> Starting Shorewall....
> Initializing...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Accept Source Routing...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore --wait 60...
> Processing /etc/shorewall/started ...
> done.
>
> Any idea?
A couple of pointers:

- Shorewall does not support nftables; try reverting to iptables (1).
- The support of Docker in Shorewall is an issue, and it is recommended to disable Docker's interaction with ip/nftables and to disable Docker support in SW. Support for Docker in Shorewall is set to be dropped eventually.

1) https://wiki.debian.org/iptables

-- 
Matt Darfeuille <m...@shorewall.org>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
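The reply lists three things to check on the host: which iptables backend is in use, whether Docker is still writing its own rules, and whether Shorewall's Docker integration is on. The following script is an added example, not code from the thread or from the Shorewall or Docker projects. It audits those three points on a Debian 11 host and prints what to change. The `update-alternatives` commands are the ones on the Debian wiki page cited above; `"iptables": false` in daemon.json is Docker's documented setting for leaving the firewall alone; `DOCKER=` is the shorewall.conf option (default No). The file locations /etc/docker/daemon.json and /etc/shorewall/shorewall.conf are assumed Debian defaults, and the parsing helpers take their input as strings so they can be exercised without root or a live firewall.

```shell
#!/bin/sh
# Added audit helper for the three pointers in the reply above. Not Shorewall
# or Docker code; it only inspects the host and prints what to change.
# Assumed paths are the Debian 11 defaults.

# Extract the backend name from an `iptables -V` line, e.g.
# "iptables v1.8.7 (nf_tables)" -> nf_tables, "iptables v1.8.7 (legacy)" -> legacy.
# The error line from the thread ("iptables v1.8.7 (nf_tables): Chain ...")
# parses the same way. Prints nothing if the line is not iptables version output.
iptables_backend() {
    printf '%s\n' "$1" | sed -n 's/^iptables v[0-9.]* (\([a-z_]*\)).*/\1/p'
}

# Report whether a daemon.json text switches off Docker's own iptables rules
# ("iptables": false). Whitespace is stripped so formatting does not matter.
docker_iptables_disabled() {
    if printf '%s\n' "$1" | tr -d ' \t\n\r' | grep -q '"iptables":false'; then
        echo yes
    else
        echo no
    fi
}

# Read the DOCKER= value from shorewall.conf text. Commented lines are
# ignored, quotes are tolerated, and an absent setting yields the default, No.
# If the option appears more than once this helper reports the last one.
shorewall_docker_setting() {
    val=$(printf '%s\n' "$1" | sed -n 's/^DOCKER=["]*\([A-Za-z]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${val:-No}"
}

# Run the three checks against the live host.
audit_host() {
    if command -v iptables >/dev/null 2>&1; then
        backend=$(iptables_backend "$(iptables -V 2>/dev/null || true)")
        case "$backend" in
            legacy)
                echo "iptables backend: legacy (what Shorewall expects)" ;;
            nf_tables)
                echo "iptables backend: nf_tables; switch it with:"
                echo "  update-alternatives --set iptables /usr/sbin/iptables-legacy"
                echo "  update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy" ;;
            *)
                echo "iptables backend: could not determine from 'iptables -V'" ;;
        esac
    else
        echo "iptables: not installed"
    fi

    dj=""
    [ -r /etc/docker/daemon.json ] && dj=$(cat /etc/docker/daemon.json)
    if [ "$(docker_iptables_disabled "$dj")" = yes ]; then
        echo "docker: iptables management disabled"
    else
        echo "docker: still manages iptables; put \"iptables\": false in /etc/docker/daemon.json and restart docker"
    fi

    sw=""
    [ -r /etc/shorewall/shorewall.conf ] && sw=$(cat /etc/shorewall/shorewall.conf)
    case "$(shorewall_docker_setting "$sw")" in
        [Nn][Oo]) echo "shorewall: DOCKER=No" ;;
        *)        echo "shorewall: Docker support on; set DOCKER=No in /etc/shorewall/shorewall.conf" ;;
    esac
}

# Only touch the live host when asked, so the helpers can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

Run it as `sh audit.sh --run`. Two caveats when acting on its output: the legacy and nf_tables backends keep separate rule sets in the kernel, so after `update-alternatives` the rules already loaded through iptables-nft stay active until they are flushed or the host reboots; and once Docker stops managing iptables it no longer adds the NAT and FORWARD rules that make published ports reachable, so those have to be written as Shorewall rules.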