Hi Matt, thank you very much for the quick reply. Since Shorewall is abandoning Docker support, I decided to migrate to a manual iptables configuration to avoid any further potential issues.
Regards,
Jernej

> On 9 Aug 2021, at 13:45, Matt Darfeuille <m...@shorewall.org> wrote:
>
> On 8/9/2021 5:38 AM, Jernej Vodopivec via Shorewall-users wrote:
>> Hi,
>>
>> shorewall restart fails occasionally, complaining that one of the chains is missing.
>> There are multiple docker networks configured on the VM/host.
>>
>> Shorewall version: 5.2.3.4-1 (debian 11). Kernel running: Debian.
>>
>> /etc/shorewall/interfaces
>> ###############################################################################
>> #ZONE     INTERFACE        OPTIONS
>> net       ens192           dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,physical=ens192
>> dock      docker0          bridge
>> db_maria  br-0637e091497f  tcpflags,logmartians,nosmurfs,sourceroute=0,routefilter=1
>> www1      br-7172e1291701  tcpflags,logmartians,nosmurfs,sourceroute=0,routefilter=1
>> www2      br-33696d489f5a  tcpflags,logmartians,nosmurfs,sourceroute=0,routefilter=1
>>
>> I already deleted the db_maria network/zone and recreated it again. Same issue.
>>
>> If restart fails, it always fails for the db_maria network only. It hasn't failed
>> for any other docker network/interface.
>> Usually shorewall DEBUG restart is needed to restart successfully.
>>
>> Sample output
>>
>> 1. Run – without debug
>> # shorewall restart
>> Compiling using Shorewall 5.2.3.4...
>> Processing /etc/shorewall/params ...
>> Processing /etc/shorewall/shorewall.conf...
>> Loading Modules...
>> Compiling /etc/shorewall/zones...
>> Compiling /etc/shorewall/interfaces...
>> Determining Hosts in Zones...
>> Locating Action Files...
>> Compiling /etc/shorewall/policy...
>> Adding Anti-smurf Rules
>> Adding rules for DHCP
>> Compiling TCP Flags filtering...
>> Compiling Kernel Route Filtering...
>> Compiling Martian Logging...
>> Compiling Accept Source Routing...
>> Compiling MAC Filtration -- Phase 1...
>> Compiling /etc/shorewall/rules...
>> Compiling /etc/shorewall/conntrack...
>> Compiling MAC Filtration -- Phase 2...
>> Applying Policies...
>> Generating Rule Matrix...
>> Optimizing Ruleset...
>> Creating iptables-restore input...
>> Shorewall configuration compiled to /var/lib/shorewall/.restart
>> Stopping Shorewall....
>> Preparing iptables-restore input...
>> Running /sbin/iptables-restore --wait 60...
>> iptables-restore v1.8.7 (nf_tables): Chain 'db_maria_frwd' does not exist
>> Error occurred at line: 131
>> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>> ERROR: /sbin/iptables-restore --wait 60 Failed.
>> done.
>> Starting Shorewall....
>> Initializing...
>> Setting up Route Filtering...
>> Setting up Martian Logging...
>> Setting up Accept Source Routing...
>> Preparing iptables-restore input...
>> Running /sbin/iptables-restore --wait 60...
>> Processing /etc/shorewall/started ...
>> done.
>>
>> 2. Run – with debug
>> # shorewall debug restart
>> Stopping Shorewall....
>> Preparing iptables-restore input...
>> Running debug_restore_input...
>> iptables v1.8.7 (nf_tables): Chain 'db_maria_frwd' does not exist
>> Try `iptables -h' or 'iptables --help' for more information.
>> ERROR: Command "/sbin/iptables --wait -t filter -A FORWARD -i br-0637e091497f -j db_maria_frwd" Failed
>> Terminated
>>
>> 3. Run – without debug
>> # shorewall restart
>> Stopping Shorewall....
>> Preparing iptables-restore input...
>> Running /sbin/iptables-restore --wait 60...
>> done.
>> Starting Shorewall....
>> Initializing...
>> Setting up Route Filtering...
>> Setting up Martian Logging...
>> Setting up Accept Source Routing...
>> Preparing iptables-restore input...
>> Running /sbin/iptables-restore --wait 60...
>> Processing /etc/shorewall/started ...
>> done.
>>
>> 4. Run – without debug
>> # shorewall restart
>> Stopping Shorewall....
>> Preparing iptables-restore input...
>> Running /sbin/iptables-restore --wait 60...
>> iptables-restore v1.8.7 (nf_tables): Chain 'db_maria_frwd' does not exist
>> Error occurred at line: 131
>> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>> ERROR: /sbin/iptables-restore --wait 60 Failed.
>> done.
>> Starting Shorewall....
>> Initializing...
>> Setting up Route Filtering...
>> Setting up Martian Logging...
>> Setting up Accept Source Routing...
>> Preparing iptables-restore input...
>> Running /sbin/iptables-restore --wait 60...
>> Processing /etc/shorewall/started ...
>> done.
>>
>> Any idea?
>>
>
> A couple of pointers:
> - Shorewall does not support nftables; try reverting to iptables (1).
> - The support of Docker in Shorewall is an issue, and it is recommended
>   to disable Docker's interaction with ip/nftables and to disable Docker
>   support in SW.
>
> Support for Docker in Shorewall is set to be dropped eventually.
>
> 1) https://wiki.debian.org/iptables
>
> --
> Matt Darfeuille <m...@shorewall.org>
> Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
> SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
> Homepage: https://shorewall.org
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
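An added pre-flight script (not code from the thread or from Shorewall) covering Matt's two pointers, the iptables backend and Docker's iptables integration, plus a scan of iptables-restore input for jumps to chains that were never declared, which is what produced the `db_maria_frwd` error above. It assumes the stock Debian/Docker/Shorewall file paths and Shorewall's `DOCKER=No` default; the restore fragment is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: pre-flight checks for the failure in
# this thread. File paths are the stock Debian/Docker/Shorewall locations.

# Backend named in an `iptables -V` line: "iptables v1.8.7 (nf_tables)" -> nf_tables
iptables_backend() {
    case "$1" in
        *'(nf_tables)'*) echo nf_tables ;;
        *'(legacy)'*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

docker_iptables_disabled() {  # yes if the daemon.json text sets "iptables": false
    if printf '%s' "$1" | tr -d ' \t\r\n' | grep -q '"iptables":false'; then echo yes; else echo no; fi
}

shorewall_docker_setting() {  # DOCKER= value from shorewall.conf text; default is No
    v=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*DOCKER=[" ]*\([A-Za-z]*\).*/\1/p' | tail -n 1); echo "${v:-No}"
}

# Jump targets in iptables-restore input that no ':chain' line declares (the defect
# behind "Chain 'db_maria_frwd' does not exist"). Targets without lowercase letters
# (ACCEPT, LOG, ...) are taken to be extension targets and skipped.
dangling_jumps() {
    declared=$(printf '%s\n' "$1" | sed -n 's/^:\([^ ]*\).*/\1/p')
    printf '%s\n' "$1" | sed -n 's/.* -j \([^ ]*\).*/\1/p' | sort -u | while IFS= read -r t; do
        case "$t" in *[a-z]*) printf '%s\n' "$declared" | grep -qFx -- "$t" || echo "$t" ;; esac
    done
}

# Constructed restore fragment modelled on the thread's error (not captured output)
SAMPLE_RESTORE='*filter
:FORWARD DROP [0:0]
:www1_frwd - [0:0]
-A FORWARD -i br-7172e1291701 -j www1_frwd
-A FORWARD -i br-0637e091497f -j db_maria_frwd
-A www1_frwd -j ACCEPT
COMMIT'

preflight() {  # checks the live host; run with: sh preflight.sh check
    rc=0
    [ "$(iptables_backend "$(iptables -V 2>/dev/null)")" = legacy ] \
        || { echo 'WARN: not the legacy backend: update-alternatives --set iptables /usr/sbin/iptables-legacy'; rc=1; }
    [ "$(docker_iptables_disabled "$(cat /etc/docker/daemon.json 2>/dev/null)")" = yes ] \
        || { echo 'WARN: Docker manages iptables; set "iptables": false in /etc/docker/daemon.json'; rc=1; }
    [ "$(shorewall_docker_setting "$(cat /etc/shorewall/shorewall.conf 2>/dev/null)")" = No ] \
        || { echo 'WARN: DOCKER=Yes in shorewall.conf; set DOCKER=No once Docker leaves iptables alone'; rc=1; }
    return $rc
}
case "${1:-}" in check) preflight ;; esac
```

`dangling_jumps` can be pointed at any saved restore input (for example one captured from a failing run) to name the missing chain before `iptables-restore` aborts on it.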