
flushing error #68

Open
difr opened this issue Mar 17, 2020 · 6 comments


difr commented Mar 17, 2020

At first, thank you very much for nice tool.
I use it with Docker. Docker changes some builtin chains and makes several new chains. The filter chain "DOCKER-USER" is one of these. This chain is called from the builtin chain "FORWARD". So I preserve "FORWARD" and make some rules in "DOCKER-USER" (it is purposed by Docker for user's rules). And now I call "ferm -F" and it does not restore an empty "DOCKER-USER". Coz it thinks that it's a new (user's) chain. But it is not. It was there before and it was referenced (by jump) from "FORWARD". So I have this error:

iptables-restore v1.4.21: Couldn't load target `DOCKER-USER':No such file or directory

Error occurred at line: 21
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Failed to run /usr/sbin/iptables-restore

Coz there is "-A FORWARD -j DOCKER-USER" and there is no "DOCKER-USER".

$VERSION = '2.5.1';

MaxKellermann (Owner) commented:

I don't understand. How can I reproduce the problem?


difr commented Apr 15, 2020

It was 1 month ago ) but ok, here is the fragment:

    table filter {
        # chains owned by Docker: keep their current contents untouched
        chain (DOCKER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 FORWARD) @preserve;
        # Docker creates DOCKER-USER empty and jumps to it from FORWARD;
        # user rules belong here
        chain DOCKER-USER {
            interface $DEV_PUBLIC {
                saddr $TRUSTED_IP RETURN;
                DROP;
            }
            RETURN;
        }
    }

The problem is that ferm thinks that it has created the chain "DOCKER-USER". But it's not true. It was created before, not by ferm but by Docker. It was empty, purposed specially for user's rules.
And after I call "ferm -F" it does not restore an empty "DOCKER-USER". But "DOCKER-USER" is referenced in "FORWARD", so the whole flushing fails.
Is it clearer now? Sorry for my English )

MaxKellermann (Owner) commented:

Your rules show me you told ferm to create a chain called "DOCKER-USER".
Tell me, technically, how should ferm determine whether it should create an empty chain with -F for custom chains?
You only say that ferm has not created the chain, but technically, it really has. When you install a new ruleset to the kernel, it does not matter what was there before. ferm also "creates" the chain "DOCKER" even though one with that name has existed before - and afterwards, it has the same contents as before - but technically, that's a new chain which just happens to have the same contents.
What exact technical behavior do you expect of ferm?


difr commented Apr 15, 2020

Check for existence before creation, of course )
And return the old content (at least don't delete it, that's enough in this case) on flushing.
Or a "semi-preserve" directive )

MaxKellermann (Owner) commented:

So when you start ferm, it shall check if the chain exists. Where does ferm store this piece of information?
Because later, you run ferm again, this time with -F, how shall ferm remember?


difr commented Apr 16, 2020

I run it as a service. -F is for stop. So on every stop or restart of the ferm service I see this error.
Don't know. I just report such behavior to you. I think it's not correct.
I think the simplest is to make a new directive for such cases.
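The failure reported at the top of this thread is a ruleset handed to iptables-restore in which "-A FORWARD -j DOCKER-USER" names a chain that the ruleset never declares. The following script is an added example, not ferm's code and not part of this issue: it parses iptables-save style text, reports every jump or goto whose target is neither a well-known target nor a chain declared in the same table, and can emit a repaired ruleset that adds an empty ":NAME - [0:0]" declaration for each such chain (the "at least don't delete it" behaviour suggested above). The sample ruleset embedded below is constructed to mirror what a flush with FORWARD and the DOCKER chains preserved would look like; `KNOWN_TARGETS` is this example's own, non-exhaustive list of target modules, and `extra_targets` is a hypothetical parameter for extending it.

```python
"""Pre-flight check for an iptables-save style ruleset: find jump/goto
targets that name no declared chain, and optionally add empty chain
declarations so iptables-restore does not abort on them.
Added example; not part of ferm or of this issue."""
import re

# Standard verdicts plus commonly used extension targets, i.e. names that
# may follow -j without being a chain. Not exhaustive (assumption of this
# example); pass further names via `extra_targets`.
KNOWN_TARGETS = {
    "ACCEPT", "DROP", "RETURN", "QUEUE", "REJECT", "LOG", "NFLOG", "NFQUEUE",
    "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "NETMAP", "MARK", "CONNMARK",
    "TCPMSS", "CT", "NOTRACK", "TRACE", "TPROXY", "SET", "CLASSIFY", "DSCP",
    "TOS", "TTL", "HL", "SECMARK", "CONNSECMARK", "AUDIT", "CHECKSUM", "TEE",
    "SYNPROXY", "IDLETIMER", "RATEEST", "LED", "ECN", "HMARK",
}

_RULE_RE = re.compile(r"^-[AI]\s+(\S+)")        # "-A CHAIN ..." / "-I CHAIN ..."
_TARGET_RE = re.compile(r"\s-(?:j|g)\s+(\S+)")  # "-j TARGET" or "-g TARGET"

# Constructed sample: a flush ruleset that keeps FORWARD and Docker's own
# chains but omits DOCKER-USER, exactly the shape that triggers the error.
SAMPLE_FLUSH = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
COMMIT
"""


def parse_ruleset(text):
    """Return {table: (declared_chains, [(chain, target), ...])}.
    `target` is None for rules without -j/-g."""
    tables = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # "*filter": start of a table
            current = line[1:]
            tables[current] = (set(), [])
            continue
        if current is None or line == "COMMIT":
            continue
        declared, rules = tables[current]
        if line.startswith(":"):            # ":NAME POLICY [pkts:bytes]"
            declared.add(line[1:].split()[0])
            continue
        m = _RULE_RE.match(line)
        if m:
            t = _TARGET_RE.search(" " + line)
            rules.append((m.group(1), t.group(1) if t else None))
    return tables


def dangling_targets(text, extra_targets=()):
    """{table: {target, ...}} for every -j/-g target that is neither a
    known non-chain target nor a chain declared in that table."""
    known = KNOWN_TARGETS | set(extra_targets)
    missing = {}
    for table, (declared, rules) in parse_ruleset(text).items():
        for _chain, target in rules:
            if target and target not in known and target not in declared:
                missing.setdefault(table, set()).add(target)
    return missing


def repair_ruleset(text, extra_targets=()):
    """Insert ':NAME - [0:0]' for each dangling target, right after the
    table's existing chain declarations, so the referenced chain exists
    (empty) when iptables-restore loads the rules."""
    missing = dangling_targets(text, extra_targets)
    out, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            pending = [f":{n} - [0:0]" for n in sorted(missing.get(line[1:], ()))]
        elif pending and line and not line.startswith(":"):
            out.extend(pending)             # before the first rule or COMMIT
            pending = []
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for table, names in dangling_targets(SAMPLE_FLUSH).items():
        for name in sorted(names):
            print(f"table {table}: jump to undeclared chain {name}")
    print(repair_ruleset(SAMPLE_FLUSH))
```

Run it before calling iptables-restore (for example on the output of `ferm --lines` piped into a file) to catch a dangling "-j DOCKER-USER" at stop time instead of learning about it from the "Couldn't load target" error; the repaired ruleset recreates the chain empty, which keeps Docker's jump from FORWARD valid without keeping any user rules in it.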
