View Issue Details

ID: 0013879
Project: CentOS-7
Category: firewalld
View Status: public
Last Update: 2017-09-29 14:09
Reporter: akikoo
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: won't fix
Platform: x86_64
OS: CentOS 7
OS Version: 7.4.1708
Summary: 0013879: firewall-cmd --reload removes DOCKER-USER iptables chain
Description: I've installed docker-ce-17.06.2.ce-1.el7.centos.x86_64 from download.docker.com. On firewall-cmd --reload, the DOCKER-USER iptables chain gets removed from iptables. DOCKER and DOCKER-ISOLATION chains are still there after firewall-cmd --reload.
Steps To Reproduce:
- install CentOS 7
- enable firewalld
- install docker-ce-17.06.2.ce-1.el7.centos.x86_64 from download.docker.com
- start docker engine
- iptables -L -n -v > /tmp/iptables_before_firewalld_reload
- run firewall-cmd --reload
- iptables -L -n -v > /tmp/iptables_after_firewalld_reload
- diff -u /tmp/iptables_before_firewalld_reload /tmp/iptables_after_firewalld_reload
Additional Information: This happened in CentOS 7.3 too.
Tags: No tags attached.

Activities

akikoo

2017-09-21 09:52

reporter   ~0030162

This happened in CentOS 7.3.1611 too.
arrfab

2017-09-29 12:11

administrator   ~0030255

This is how Docker works, and so nothing will have to be fixed at the distro level.
Firewalld (and same for iptables-services) doesn't manage docker rules, as docker inserts those iptables rules at "run time" and will not update config.
So reloading firewalld will reload the config file, and so will naturally clear the ones inserted by docker.
Evolution

2017-09-29 14:09

administrator   ~0030259

Since you're using the docker community edition from docker, I would recommend filing this ticket with them about it as well. Docker *should* have some method of tracking what it's added rather than just being fire-and-forget.
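
The reporter's before/after comparison, generalised as an added example that is not part of the ticket: it works on `iptables -S` dumps rather than `iptables -L -n -v` output and lists the chains and rules that a reload removed. The function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): compare two `iptables -S` dumps taken
# before and after `firewall-cmd --reload` and report what disappeared.

# Chains declared in dump $1 ("-P" built-in, "-N" user-defined) but not in $2.
missing_chains() {
    awk '
        $1 != "-P" && $1 != "-N" { next }
        FILENAME == ARGV[1] { before[$2] = 1; next }
        { after[$2] = 1 }
        END { for (c in before) if (!(c in after)) print c }
    ' "$1" "$2" | sort
}

# "-A" rules present in dump $1 but not in $2, in their original order.
lost_rules() {
    awk '
        $1 != "-A" { next }
        FILENAME == ARGV[1] { before[++n] = $0; next }
        { after[$0] = 1 }
        END { for (i = 1; i <= n; i++) if (!(before[i] in after)) print before[i] }
    ' "$1" "$2"
}

# Constructed, simplified sample dumps (not captured from a real host).
write_samples() {
    cat > "$1/before" <<'EOF'
-P FORWARD ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -s 203.0.113.0/24 -j DROP
-A DOCKER-USER -j RETURN
EOF
    cat > "$1/after" <<'EOF'
-P FORWARD ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
EOF
}

# Live use (as root): iptables -S > before; firewall-cmd --reload; iptables -S > after
# then: missing_chains before after; lost_rules before after
```

Any filtering rule an administrator placed in DOCKER-USER shows up in the `lost_rules` output, which is the part of the loss that matters for container exposure.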

Issue History

Date Modified Username Field Change
2017-09-21 08:24 akikoo New Issue
2017-09-21 09:52 akikoo Note Added: 0030162
2017-09-29 12:11 arrfab Status new => feedback
2017-09-29 12:11 arrfab Note Added: 0030255
2017-09-29 12:11 arrfab Status feedback => closed
2017-09-29 12:11 arrfab Resolution open => won't fix
2017-09-29 14:09 Evolution Note Added: 0030259