Shorewall and Docker - possible change request
Current version of Shorewall => 5.1.11.1
Docker version => 18.03.0-ce (works)
Docker version => 18.06.1-ce (does not work)
Problem statement (you may already be aware):
I have been successfully using Shorewall with Docker in a development
environment with the above earlier version.
On provisioning a new server with the same version of Shorewall but the
latest version of Docker, it no longer works.
On upgrading to a later (e.g. 18.06) version of Docker, Shorewall no longer
manages the firewall correctly because *docker* seems to have changed
how it works.
From their change log: "Improve scalability of bridge network isolation
rules docker/libnetwork#2117."
Diff available here:
https://codecov.io/gh/docker/libnetwork/pull/2117/diff?src=pr&el=tree#diff-ZHJpdmVycy9icmlkZ2Uvc2V0dXBfaXBfdGFibGVzLmdv
They seem to have deprecated chain "DOCKER-ISOLATION", and now use
"DOCKER-ISOLATION-STAGE-1" and "DOCKER-ISOLATION-STAGE-2" instead.
I suspect that Shorewall expects the former and wipes out the latter.
This prevents new containers from being spun up, as their networks
cannot be created.
This isn't exactly Shorewall's fault, but I suspect that a lot of people
use its nice plug and play features with 'Docker=Yes'.
Would it be straightforward to patch for this?
Regards,
Tony Rogers.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
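An added check for the situation described in the report, written for this page and not taken from the original post, Shorewall or Docker: it reads `iptables-save` output on stdin and reports which of the three Docker isolation chains (the pre-18.06 `DOCKER-ISOLATION` and the 18.06 `DOCKER-ISOLATION-STAGE-1`/`-STAGE-2`) are declared, exiting non-zero when the two STAGE chains are missing. Run on a live host it would be `iptables-save | check_docker_isolation_chains` before and after a `shorewall restart`; the two rulesets embedded below are constructed samples so the script runs offline, and the function and sample names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post, Shorewall or Docker).
# Reports which Docker isolation chains survive in a saved ruleset.
# Docker 18.06 creates DOCKER-ISOLATION-STAGE-1 and -STAGE-2; earlier
# releases created DOCKER-ISOLATION. Input: `iptables-save` text on stdin.

# Exit 0 when both STAGE-1 and STAGE-2 are declared, 1 otherwise.
check_docker_isolation_chains() {
    rules=$(cat)
    stage1=0; stage2=0; legacy=0
    # iptables-save declares each chain as ":NAME POLICY [pkts:bytes]"
    printf '%s\n' "$rules" | grep -q '^:DOCKER-ISOLATION-STAGE-1 ' && stage1=1
    printf '%s\n' "$rules" | grep -q '^:DOCKER-ISOLATION-STAGE-2 ' && stage2=1
    printf '%s\n' "$rules" | grep -q '^:DOCKER-ISOLATION ' && legacy=1
    printf 'DOCKER-ISOLATION (pre-18.06): %s\n' "$legacy"
    printf 'DOCKER-ISOLATION-STAGE-1:     %s\n' "$stage1"
    printf 'DOCKER-ISOLATION-STAGE-2:     %s\n' "$stage2"
    if [ "$stage1" -eq 1 ] && [ "$stage2" -eq 1 ]; then
        echo "OK: Docker 18.06 isolation chains present"
        return 0
    fi
    echo "WARNING: Docker 18.06 isolation chains missing; new container networks will fail"
    return 1
}

# Constructed sample: filter table as Docker 18.06 sets it up on a fresh host.
SAMPLE_DOCKER_1806='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
COMMIT'

# Constructed sample: the same table after a firewall reload that kept only
# the legacy chain name, the situation the report suspects.
SAMPLE_AFTER_RELOAD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A DOCKER-ISOLATION -j RETURN
COMMIT'

# Runs the check against one of the embedded samples; returns its status.
check_sample() {
    case "$1" in
        new) printf '%s\n' "$SAMPLE_DOCKER_1806" | check_docker_isolation_chains ;;
        old) printf '%s\n' "$SAMPLE_AFTER_RELOAD" | check_docker_isolation_chains ;;
        *)   echo "unknown sample: $1" >&2; return 2 ;;
    esac
}

echo "== ruleset as installed by Docker 18.06 =="
check_sample new
echo "== ruleset after a reload that kept only DOCKER-ISOLATION =="
check_sample old || echo "(exit status 1, as expected for this sample)"
```

Comparing the output of the two runs on a real host (once with the ruleset Docker installed, once after the firewall reload) confirms or rules out the suspicion that the STAGE chains are being flushed; the check only reads the saved table and changes nothing.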