On 2/16/20 7:46 AM, Diego Rivera wrote:
> That's exactly the issue. It seems that on the update to Ubuntu
> 19.10, the version of libvirt also got bumped up and this chain
> seems to be something new created by it. What seems to be happening
> is that Shorewall is ignoring all the libvirt-created chains on
> bootup, except this one. So it removes the chain, but doesn't
> remove the reference to it. Thus, when trying to do the restore
> portion of the new rule creation, this chain is referenced even
> though it no longer exists b/c shorewall itself clobbered it.
What is actually happening is that Shorewall is saving and attempting to
restore the rules that reference the chain but not the chain itself.
Shorewall always totally replaces any existing ruleset when it starts,
restarts or reloads; when Docker support is enabled, it selectively
saves/restores what it believes to be Docker-generated chains and rules.

> Not sure if this is by design, an oversight, or a bug. But if
> shorewall clobbers existing chains then it should make sure to not
> reference them further during rule construction, or vice-versa (if
> it's going to reference them, it should make sure they're
> preserved!).

When I wrote the code to save/restore Docker-generated rules, I assumed
that all rules in the nat POSTROUTING chain that were not associated with
the SHOREWALL chain were generated by Docker and hence needed to be
preserved.

The attached patch will exclude the jump to LIBVIRT_PRT.

. /usr/share/shorewall/shorewallrc
patch $PERLLIBDIR/Shorewall/Chains.pm < LIBVIRT.patch

-Tom

-- 
Tom Eastep            \   Q: What do you get when you cross a mobster
Shoreline,             \     with an international standard?
Washington, USA         \   A: Someone who makes you an offer you
http://shorewall.org     \      can't understand
 \________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 71c775583..1949ede6e 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -8716,7 +8716,7 @@ sub save_docker_rules($) { emit( qq(if [ -n "\$g_docker" ]; then), qq( $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER), qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT), - qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING), + qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING), qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER), qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS), qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
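Review bot: the added `fgrep -v LIBVIRT` on the POSTROUTING line is a substring denylist, so it also discards any Docker-generated rule whose text happens to contain LIBVIRT, and it still writes out any other non-Docker chain that nat POSTROUTING jumps to, which will then fail on restore exactly as the LIBVIRT_PRT jump did. The nat OUTPUT line two lines above already takes the opposite approach by keeping only what matches `fgrep DOCKER`; consider filtering POSTROUTING the same way, keeping only rules whose target is a chain this save step also writes out (or a built-in target), instead of growing the list of names to exclude. A short comment in the emitted script saying why non-Docker jumps are dropped would also help the next reader of `.nat_POSTROUTING`.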
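Added example (shell, not Shorewall's own code): rather than excluding chain names one by one with `fgrep -v`, this keeps only the saved POSTROUTING rules whose jump target is a built-in target or a chain that was actually saved, so a rule that references a chain Shorewall is about to replace (here LIBVIRT_PRT) never reaches the restore step. The sample `iptables -t nat -S POSTROUTING | tail -n +2` output and the list of built-in targets are constructed for the example.

```shell
#!/bin/sh
# Keep only rules that can be restored: their -j/-g target must be a
# built-in target or a chain the save step also preserved.

# Assumption: a representative set of built-in nat targets, which never
# need a saved user chain to exist at restore time.
BUILTIN_TARGETS="ACCEPT DROP RETURN MASQUERADE SNAT DNAT REDIRECT"

# Constructed sample of `iptables -t nat -S POSTROUTING | tail -n +2`
# on a host running Shorewall, Docker and libvirt.
SAMPLE_POSTROUTING='-A POSTROUTING -j SHOREWALL
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -s 172.18.0.0/16 ! -o br-e1f2 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE'

# filter_restorable_rules "CHAIN1 CHAIN2 ..."   (rules on stdin)
# Echoes each rule whose target is built in or is in the saved-chain list.
# Rules with no -j/-g target are kept unchanged.
filter_restorable_rules() {
    saved="$1"
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        target=$(printf '%s\n' "$rule" | sed -n 's/.* -[jg] \([^ ]*\).*/\1/p')
        if [ -z "$target" ]; then
            printf '%s\n' "$rule"
            continue
        fi
        for t in $BUILTIN_TARGETS $saved; do
            if [ "$t" = "$target" ]; then
                printf '%s\n' "$rule"
                break
            fi
        done
    done
}

# count_rules_mentioning RULES PATTERN: number of saved lines naming PATTERN.
count_rules_mentioning() {
    printf '%s\n' "$1" | grep -c -- "$2" || true
}

# Stand-alone run: with only the DOCKER chain saved, the SHOREWALL and
# LIBVIRT_PRT jumps are dropped and the three MASQUERADE rules survive.
printf '%s\n' "$SAMPLE_POSTROUTING" | filter_restorable_rules "DOCKER"
```

On a live host, feed the function `iptables -t nat -S POSTROUTING | tail -n +2` together with the names of the chains the save step actually wrote out.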
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users