Bug 43707 - docker iptables rules differ after firewall restart
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Docker
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2
Assigned To: Daniel Tröder
QA Contact: Sönke Schwardt-Krummrich
: interim-3
Reported: 2017-03-02 17:50 CET by Sönke Schwardt-Krummrich
Modified: 2017-04-18 08:03 CEST (History)

What kind of report is it?: Development Internal
Description Sönke Schwardt-Krummrich univentionstaff 2017-03-02 17:50:55 CET
After restarting the iptables firewall on a UCS 4.2 master without apps, there is at least one iptables chain (DOCKER-ISOLATION) that is not covered by /etc/security/packetfilter.d/20_docker.sh.

Is this a problem?

--- Before-FW-Restart   2017-03-02 17:44:47.092000000 +0100
+++ After-FW-Restart   2017-03-02 17:44:32.228000000 +0100
@@ -38,19 +38,13 @@
 
 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination         
-    0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
-    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
-    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
-    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
-    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
 
 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination         
     0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 
-Chain DOCKER (1 references)
+Chain DOCKER (0 references)
  pkts bytes target     prot opt in     out     source               destination         
 
-Chain DOCKER-ISOLATION (1 references)
+Chain DOCKER-ISOLATION (0 references)
  pkts bytes target     prot opt in     out     source               destination         
-    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
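Review bot: the hunk shows more than the DOCKER-ISOLATION chain going missing. After the restart the FORWARD chain loses all five Docker rules (the jump to DOCKER-ISOLATION, the jump to DOCKER for traffic leaving via docker0, the RELATED,ESTABLISHED ACCEPT and the two docker0 ACCEPT rules), both DOCKER and DOCKER-ISOLATION drop from 1 to 0 references, and the RETURN rule inside DOCKER-ISOLATION is gone, so a fix in 20_docker.sh has to recreate those jumps and rules, not only the empty chain. Since the FORWARD policy is ACCEPT here, the missing jumps mean container traffic silently falls through to the policy instead of passing the Docker isolation rules. Also, the header timestamps show "After" (17:44:32) earlier than "Before" (17:44:47), which is worth double-checking so the direction of the diff is not misread.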
Comment 1 Daniel Tröder univentionstaff 2017-03-10 15:40:22 CET
r77585: create missing docker chains and rules, changelog entry

Package: univention-firewall
Version: 9.0.0-9A~4.2.0.201703101540
Branch: ucs_4.2-0
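As an added example (not the univention-firewall package's own 20_docker.sh and not the r77585 change), an idempotent packetfilter.d-style fragment that recreates the chains and FORWARD rules the diff in the description shows disappearing after a firewall restart. The bridge name docker0 comes from the diff; the DOCKER_BRIDGE and IPTABLES variables and the --apply flag are assumptions so the script can be exercised without root.

```shell
#!/bin/sh
# Added example: recreate the Docker filter chains and the FORWARD rules from
# the bug's "Before" ruleset. Bridge name and IPTABLES override are assumptions.
set -e
BRIDGE="${DOCKER_BRIDGE:-docker0}"
IPTABLES="${IPTABLES:-iptables}"

# The rules listed in the diff, one per line as "<chain> <iptables rule args>".
docker_forward_rules() {
    cat <<EOF
FORWARD -j DOCKER-ISOLATION
FORWARD -o $BRIDGE -j DOCKER
FORWARD -o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
FORWARD -i $BRIDGE ! -o $BRIDGE -j ACCEPT
FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT
DOCKER-ISOLATION -j RETURN
EOF
}

# Create a user chain only if it is absent ("iptables -N" fails on duplicates).
ensure_chain() {
    "$IPTABLES" -t filter -n -L "$1" >/dev/null 2>&1 || "$IPTABLES" -t filter -N "$1"
}

# Append a rule only if an identical one is not already present ("-C" checks).
# Word splitting of $1 is intended: it turns the line into iptables arguments.
ensure_rule() {
    # shellcheck disable=SC2086
    "$IPTABLES" -t filter -C $1 2>/dev/null || "$IPTABLES" -t filter -A $1
}

# Chains first, then rules, so the jumps can be checked/added. Note that "-A"
# appends: on a FORWARD chain that already holds other rules, the Docker rules
# land below them, unlike dockerd's own "-I" inserts at the top.
restore_docker_rules() {
    ensure_chain DOCKER
    ensure_chain DOCKER-ISOLATION
    docker_forward_rules | while read -r rule; do
        ensure_rule "$rule"
    done
}

# Only modify the live ruleset when explicitly asked; otherwise list the rules.
if [ "${1:-}" = "--apply" ]; then
    restore_docker_rules
else
    docker_forward_rules
fi
```

Run it without arguments to review the rules it would add, and with --apply as root to restore them after the firewall has been restarted.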
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2017-03-17 17:38:25 CET
The package has not been built due to ucslint complaining mistakenly about some lines with the text "iptables". The package has been fixed and rebuilt via #42351.

OK: code change
OK: functional test
OK: changelog entry
Comment 3 Stefan Gohmann univentionstaff 2017-04-04 18:28:34 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".