flushing error

Question

flushing error

difr opened this issue 5 years ago · 6 comments

At first, thank you very much for nice tool.
I use it with docker. Docker changes some builtin chains and makes serveral new chains. Filter's chain "DOCKER-USER" is one of these. This chain is called from builin chain "FORWARD". So i preserve "FORWARD" and make some rules in "DOCKER-USER" (it is purposed by docker for user's rules). And now I call "ferm -F" and it does not restore empty "DOCKER-USER". Coz it thinks that its new (user's) chain. But it is not. It was there before and it was referenced (by jump) from "FORWARD". So I have error:

iptables-restore v1.4.21: Couldn't load target `DOCKER-USER':No such file or directory

Error occurred at line: 21
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Failed to run /usr/sbin/iptables-restore

Coz there is "-A FORWARD -j DOCKER-USER" and there is no "DOCKER-USER".

$VERSION = '2.5.1';

Answer 1 · 2020-04-15T16:29:41.000Z

I don't understand. How can I reproduce the problem?

Answer 2 · 2020-04-15T17:20:14.000Z

it was 1 month ago ) but ok, here is fragment

	table filter {
		chain (DOCKER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 FORWARD) @preserve;
		chain DOCKER-USER {
			interface $DEV_PUBLIC {
				saddr $TRUSTED_IP RETURN;
				DROP;
			}
			RETURN;
		}

problem is that Ferm thinks that he has created chain "DOCKER-USER". but its not true. it was created before. not by Ferm, but by Docker. it was empty. purposed special for user's rules.
and after I call "ferm -F" and it does not restore empty "DOCKER-USER". but "DOCKER-USER" is referenced in "FORWARD". so whole flushing is failed.
is it clearer now? sorry for my english )

Answer 3 · 2020-04-15T17:40:35.000Z

Your rules show me you told ferm to create a chain called "DOCKER-USER".
Tell me, technically, how should ferm determine whether it should create an empty chain with -F for custom chains?
You only say that ferm has not created the chain, but technically, it really has. When you install a new ruleset to the kernel, it does not matter what was there before. ferm also "creates" the chain "DOCKER" even though one with that name has existed before - and afterwards, it has the same contents as before - but technically, that's a new chain which just happens to have the same contents.
What exact technical behavior do you expect of ferm?

Answer 4 · 2020-04-15T19:11:16.000Z

check on existence before creation, of course )
and return old content (at least dont delete, its enough in this case) on flushing.
or "semi-preserve" directive )

Answer 5 · 2020-04-16T07:30:57.000Z

So when you start ferm, it shall check if the chain exists. Where does ferm store this piece of information?
Because later, you run ferm again, this time with -F, how shall ferm remember?

Answer 6 · 2020-04-16T15:55:47.000Z

i run it as service. -F is for stop. so on every stop or restart of ferm-service i see this error.
dont know. just report you about such behaivor. i think its not correct.
i think, simplest is to make new directive for such cases.