Package: shorewall
Version: 5.2.3.2-1
Followup-For: Bug #956106

If docker is running and shorewall is restarted, then on the next docker container 
start trouble arises due to a deleted iptables chain:

# docker-compose up -d
Creating network "tranm_default" with the default driver
ERROR: unable to insert jump to DOCKER-ISOLATION-STAGE-1 rule in FORWARD chain: 
 (iptables failed: iptables --wait -I FORWARD -j DOCKER-ISOLATION-STAGE-1: 
iptables v1.8.2 (nf_tables): Chain 'DOCKER-ISOLATION-STAGE-1' does not exist
Try `iptables -h' or 'iptables --help' for more information.
 (exit status 2))

This issue seems to be fixed in shorewall release 5.2.3.7 (copied from the release 
notes):

1)  When DOCKER=Yes, if both the DOCKER-ISOLATE and
    DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-*
    chains were not preserved through shorewall state changes.
    That has been corrected so that both chains are preserved if
    present.

Please upgrade the Debian package to a more current version. At the time of writing, 
shorewall is already at version 5.2.8.

-- System Information:
Debian Release: 10.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.8.0-0.bpo.2-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shorewall depends on:
ii  bc                     1.07.1-2+b1
ii  debconf [debconf-2.0]  1.5.71
ii  iproute2               4.20.0-2
ii  iptables               1.8.2-4
ii  lsb-base               10.2019051400
ii  perl                   5.28.1-6+deb10u1
ii  shorewall-core         5.2.3.2-1

Versions of packages shorewall recommends:
pn  libnetfilter-cthelper0  <none>

Versions of packages shorewall suggests:
ii  make           4.2.1-1.2
pn  shorewall-doc  <none>

-- Configuration Files:
/etc/shorewall/conntrack [Errno 13] Keine Berechtigung: 
'/etc/shorewall/conntrack'
/etc/shorewall/params [Errno 13] Keine Berechtigung: '/etc/shorewall/params'

-- debconf information excluded
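
A check for the failure described in this report, as an added example that is not part of the original bug report or of shorewall: it reads an `iptables -S` dump and lists the Docker chains that are missing after a firewall state change. The function name, the chain names other than DOCKER-ISOLATION-STAGE-1, and both sample rulesets are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): find Docker-managed filter-table
# chains that are missing from an `iptables -S` dump.

# Only DOCKER-ISOLATION-STAGE-1 is named in the report; the other three names
# are an assumption about what Docker creates in the filter table.
DOCKER_CHAINS="DOCKER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 DOCKER-USER"

# Reads `iptables -S` output on stdin, prints one line per problem.
# Returns 0 when all chains and the FORWARD jump are present, 1 otherwise.
check_docker_chains() {
    rules=$(cat)
    rc=0
    for chain in $DOCKER_CHAINS; do
        # -x -F: exact whole-line match, so "-N DOCKER" cannot match "-N DOCKER-USER"
        if ! printf '%s\n' "$rules" | grep -qxF -e "-N $chain"; then
            echo "missing chain: $chain"
            rc=1
        fi
    done
    # The jump Docker could not insert in the error message of the report.
    if ! printf '%s\n' "$rules" | grep -qxF -e "-A FORWARD -j DOCKER-ISOLATION-STAGE-1"; then
        echo "missing jump: FORWARD -> DOCKER-ISOLATION-STAGE-1"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: ruleset while Docker's chains are intact.
SAMPLE_INTACT='-P FORWARD DROP
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1'

# Constructed sample: isolation chains lost across a firewall state change.
SAMPLE_AFTER_RESTART='-P FORWARD DROP
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER'

# Demo on the constructed samples; on a live host: iptables -S | check_docker_chains
printf '%s\n' "$SAMPLE_INTACT" | check_docker_chains && echo "intact: ok"
printf '%s\n' "$SAMPLE_AFTER_RESTART" | check_docker_chains || echo "after restart: not intact"
```

Running the check right after a shorewall restart shows whether the chains survived before the next container start fails on them.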
