Hello,

I have started playing around with docker (https://www.docker.io/) and am
having trouble integrating the "docker0" bridge it creates on the fly into
my shorewall setup (version 4.5.16.1) on debian testing.

IP forwarding is on and I have defined a "doc" ipv4 zone and the interfaces
file has an entry like so,

> doc docker0 tcpflags,nosmurfs,logmartians,bridge,routeback,optional

and "policy" like so

> doc net ACCEPT

However, when firing up a container and trying to access the web, "shorewall
logwatch" is giving me entries like

> doc2net:REJECT:IN=docker0 OUT=eth0 PHYSIN=veth3sm8hc SRC=172.17.0.7
> DST=192.168.100.1 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=19346 DF PROTO=UDP
> SPT=52963 DPT=53 LEN=48

Can anyone hint at what else I need?

Docker generates on the fly an interface like so:

vethuZdLHZ Link encap:Ethernet HWaddr fe:65:f2:16:ef:60
           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
           RX packets:15 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:1166 (1.1 KiB) TX bytes:42 (42.0 B)

Do I have to list this explicitly and can wildcarding be used in the
interface definition?

Thanks for any pointers.

Sincerely, Joh

------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk
On 8/29/2013 1:44 PM, Johannes Graumann wrote:
> I have started playing around with docker (https://www.docker.io/) and am
> having trouble to integrate the "docker0" bridge it creates on the fly into
> my shorewall setup (version 4.5.16.1) on debian testing.
> [...]
> Do I have to list this explicitly and can wildcarding be used in interface
> definition?

It would be helpful to see the output of 'shorewall dump' collected as
described at http://www.shorewall.net/support.htm#Guidelines

Thanks,
-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> It would be helpful to see the output of 'shorewall dump' collected as
> described at http://www.shorewall.net/support.htm#Guidelines

Attached. Thank you for your time.

Sincerely, Joh
On 8/30/2013 12:33 PM, Johannes Graumann wrote:
> Tom Eastep wrote:
>> It would be helpful to see the output of 'shorewall dump' collected as
>> described at http://www.shorewall.net/support.htm#Guidelines
>
> Attached. Thank you for your time.

The Shorewall configuration that was running when the dump was taken is
not the same as the one that produced the log messages. There is no
logging rule in the current configuration that has log prefix
'doc2net:REJECT:' which appears in the log messages.

-Tom
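Tom's diagnosis rests on one check: every Shorewall log line starts with the `--log-prefix` of the rule that emitted it, so if that prefix is absent from the loaded ruleset, the log line cannot have come from the configuration in the dump. The script below (an added example, not code from the thread or from Shorewall) automates that comparison. It parses logwatch-style lines into prefix, zone pair and netfilter fields, collects the `--log-prefix` values from an iptables-save style excerpt, and reports prefixes that no loaded rule can produce. The sample log line is the one quoted in the thread; the second log line and the ruleset excerpt are constructed, and the chain names in it are hypothetical.

```python
import re

# Constructed sample input: the logwatch line quoted in the thread (prefix
# "doc2net:REJECT:") plus one constructed line with a different prefix.
LOG_LINES = [
    "doc2net:REJECT:IN=docker0 OUT=eth0 PHYSIN=veth3sm8hc SRC=172.17.0.7 "
    "DST=192.168.100.1 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=19346 DF PROTO=UDP "
    "SPT=52963 DPT=53 LEN=48",
    "net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.100.2 LEN=40 "
    "PROTO=TCP SPT=4444 DPT=22",
]

# Constructed iptables-save style excerpt standing in for the ruleset part of
# 'shorewall dump'. Chain names are hypothetical; only the
# "Shorewall:<src>2<dst>:<DISPOSITION>:" prefix shape follows Shorewall's
# default LOGFORMAT.
RULESET = """\
-A doc-net -p udp -m udp --dport 53 -j ACCEPT
-A net-fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
-A net-fw -j DROP
"""

# "<zones>:<DISPOSITION>:" at the start of a logwatch line, then the
# netfilter key=value fields (flags such as DF carry no '=' and are skipped).
LOG_RE = re.compile(r"^(?P<prefix>\S+?:[A-Z]+:)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
# --log-prefix value in iptables-save output, with the leading "Shorewall:"
# (added by the default LOGFORMAT) stripped so it matches logwatch output.
PREFIX_RE = re.compile(r'--log-prefix\s+"?(?:Shorewall:)?([^"\s]+)"?')


def parse_log_line(line):
    """Split one logwatch line into its log prefix and netfilter fields.

    Returns None when the line does not carry a Shorewall-style prefix.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    prefix = m.group("prefix")
    if prefix.startswith("Shorewall:"):
        prefix = prefix[len("Shorewall:"):]
    zones, disposition, _ = prefix.split(":", 2)
    # Chain names are "<src>2<dst>"; zone names that themselves contain the
    # digit 2 would need a smarter split, which is out of scope here.
    src_zone, _, dst_zone = zones.partition("2")
    return {
        "prefix": prefix,
        "src_zone": src_zone,
        "dst_zone": dst_zone,
        "disposition": disposition,
        "fields": dict(KV_RE.findall(m.group("rest"))),
    }


def ruleset_prefixes(ruleset_text):
    """Collect every log prefix present in an iptables-save style ruleset."""
    return set(PREFIX_RE.findall(ruleset_text))


def stale_prefixes(log_lines, ruleset_text):
    """Prefixes seen in the log that no rule in the loaded ruleset can emit.

    A non-empty result means the log lines predate the configuration that is
    running now (or came from another host), so the current dump cannot
    explain them.
    """
    live = ruleset_prefixes(ruleset_text)
    seen = {p["prefix"] for p in map(parse_log_line, log_lines) if p}
    return seen - live


def report(log_lines, ruleset_text):
    """Print one line per log entry and return the set of stale prefixes."""
    stale = stale_prefixes(log_lines, ruleset_text)
    for line in log_lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        f = entry["fields"]
        status = "NOT IN LOADED RULESET" if entry["prefix"] in stale else "ok"
        print(f'{entry["prefix"]:<16} {entry["src_zone"]}->{entry["dst_zone"]} '
              f'{f.get("PROTO", "?")} {f.get("SRC")}:{f.get("SPT", "-")} -> '
              f'{f.get("DST")}:{f.get("DPT", "-")} in={f.get("IN")} '
              f'physin={f.get("PHYSIN", "-")}  [{status}]')
    return stale


if __name__ == "__main__":
    report(LOG_LINES, RULESET)
```

On a real host, feed it the output of `shorewall logwatch` (or the kernel log) and the ruleset section of `shorewall dump`; a prefix flagged as not in the loaded ruleset is the same mismatch Tom points out, and a `PHYSIN=veth...` field shows the packet entered through a bridge port rather than the bridge itself, which is why the container's veth name appears although only docker0 is listed in the interfaces file.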
Tom Eastep wrote:
> The Shorewall configuration that was running when the dump was taken is
> not the same as the one that produced the log messages. There is no
> logging rule in the current configuration that has log prefix
> 'doc2net:REJECT:' which appears in the log messages.
>
> -Tom

Ha. Could this be a case of network-manager/shorewall interference?

Joh
On 8/30/2013 2:41 PM, Johannes Graumann wrote:
>> The Shorewall configuration that was running when the dump was taken is
>> not the same as the one that produced the log messages. There is no
>> logging rule in the current configuration that has log prefix
>> 'doc2net:REJECT:' which appears in the log messages.
>>
>> -Tom
>
> Ha. Could this be a case of network-manager/shorewall interference?

I don't see how.

-Tom