Hi!
We're currently experimenting with Shorewall and Docker in swarm mode
and we're facing some problems.
Setup:
- Ubuntu 18.04.1 LTS (4.15.0-45)
- Docker 18.09.1 (swarm mode)
- Shorewall 5.2.3
Problem:
When the routing mesh is used, Docker creates rules in the DOCKER-INGRESS
chain in the nat table. Currently Shorewall drops the whole chain from
the nat table.
As Docker also creates rules for the OUTPUT chain referencing the
DOCKER-INGRESS chain, which are tracked by Shorewall, that currently
leads to a crash on restart.
Details:
The Shorewall trace and excerpts of the rules created by Docker and the
Shorewall export logic of the DOCKER-INGRESS chains are attached.
Thanks and best regards,
Niko
iptables-restore v1.6.1: Couldn't load target `DOCKER-INGRESS':No such file or directory
Error occurred at line: 15
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: /sbin/iptables-restore Failed.
iptables-restore v1.6.1: Couldn't load target `DOCKER-INGRESS':No such file or directory
Error occurred at line: 38
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
Terminated
iptables -N DOCKER-INGRESS
chain_exists DOCKER-INGRESS && g_dockeringress=Yes
[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3
[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3
[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3
[ -n "$g_dockeringress" ] && ${IPTABLES} -t filter -S DOCKER-INGRESS | tail -n +2 > ${VARDIR}/.filter_DOCKER-INGRESS
rm -f ${VARDIR}/.filter_DOCKER-INGRESS
[ -n "$g_dockeringress" ] && ${IPTABLES} -t filter -S DOCKER-INGRESS | tail -n +2 > ${VARDIR}/.filter_DOCKER-INGRESS
rm -f ${VARDIR}/.filter_DOCKER-INGRESS
[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3
[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3
[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3
*nat
...
:DOCKER-INGRESS - [0:0]
...
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 10000 -j DNAT --to-destination 172.18.0.2:10000
-A DOCKER-INGRESS -j RETURN
COMMIT
*filter
...
:DOCKER-INGRESS - [0:0]
...
-A FORWARD -j DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 10000 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 10000 -j ACCEPT
-A DOCKER-INGRESS -j RETURN
COMMIT
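The failure in the trace above is a dangling chain reference: the nat table still jumps to DOCKER-INGRESS from PREROUTING and OUTPUT, but the chain declaration was dropped. The following pre-flight check is an added example (not Shorewall or Docker code) that scans an iptables-restore input such as /var/lib/shorewall/.iptables-restore-input and reports every "-j" target that is neither a built-in target nor a chain declared in the same table; the sample input and the function names are constructed for the illustration.

```sh
# Usage: find_dangling_targets [FILE]   (reads stdin when FILE is omitted)
# Prints "TABLE TARGET line N" for each -j target that is not a known built-in
# target and has no ":TARGET" declaration in that table. iptables-restore
# rejects exactly these with "Couldn't load target `NAME'".
find_dangling_targets() {
  awk '
    BEGIN {
      n = split("ACCEPT DROP RETURN REJECT DNAT SNAT MASQUERADE REDIRECT LOG NFLOG MARK CONNMARK CT TCPMSS", b, " ")
      for (i = 1; i <= n; i++) builtin[b[i]] = 1
    }
    /^\*/ { table = substr($1, 2); next }                       # "*nat" opens a table
    /^:/  { sub(/^:/, "", $1); declared[table, $1] = 1; next }  # ":CHAIN - [0:0]"
    /^-A/ {
      for (i = 1; i < NF; i++)
        if ($i == "-j" && !($(i+1) in builtin)) ref[table, $(i+1)] = NR
    }
    END {
      for (k in ref) {
        split(k, p, SUBSEP)
        if (!((p[1], p[2]) in declared)) printf "%s %s line %d\n", p[1], p[2], ref[k]
      }
    }
  ' "$@" | sort
}

# Constructed sample mirroring the report: the DOCKER-INGRESS chain has been
# dropped from the nat table while Docker's PREROUTING/OUTPUT jumps remain;
# the filter table still declares the chain and is therefore fine.
sample_restore_input() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:DOCKER-INGRESS - [0:0]
-A FORWARD -j DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 10000 -j ACCEPT
-A DOCKER-INGRESS -j RETURN
COMMIT
EOF
}

sample_restore_input | find_dangling_targets   # prints: nat DOCKER-INGRESS line 5
```

Running the check against the real restore input before a restart shows which table lost a chain that Docker still jumps to, which is the spot where the nat-table DOCKER-INGRESS chain would need the same save-and-replay handling the filter-table chain already gets.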
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users