
Docker - firewalld errors

Posted: 2017/03/20 21:57:33
by Przemas
While I've been trying to get network discovery working, I've noticed some Docker errors reported by firewalld. Here's a sample:

Code:

# systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since pon 2017-03-20 20:51:20 CET; 2h 3min ago
     Docs: man:firewalld(1)
 Main PID: 1289 (firewalld)
   Memory: 38.2M
   CGroup: /system.slice/firewalld.service
           └─1289 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8' failed:
mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:
mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION' failed:
mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed:
mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed:
mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed:
mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed:
mar 20 20:51:30 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed:
mar 20 20:51:30 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed:
mar 20 20:51:30 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:
Should I worry about that?

Re: Docker - firewalld errors

Posted: 2017/07/16 20:10:31
by mathiasringhof
I'm facing the exact same thing on a new install of CentOS 7.3. As far as I can tell firewalld works as expected (ports to containers are blocked unless I open them) but I only briefly dabbled in Docker.

I found lots of older references, but the main difference is that there is no specific error message after the colon.

Code:

2017-07-16 20:33:36 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:
I checked both journalctl as well as /var/log/firewalld.

Enabling debug=4 doesn't help (me) either:

Code:

2017-07-16 20:33:36 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:
2017-07-16 20:33:36 DEBUG1: direct.passthrough('ipv4', '-I','FORWARD','-o','docker0','-j','DOCKER')
2017-07-16 20:33:36 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables -w2 -I FORWARD -o docker0 -j DOCKER
2017-07-16 20:33:36 DEBUG1: direct.passthrough('ipv4', '-t','filter','-C','FORWARD','-j','DOCKER-ISOLATION')
2017-07-16 20:33:36 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION
2017-07-16 20:33:36 DEBUG1: direct.passthrough('ipv4', '-D','FORWARD','-j','DOCKER-ISOLATION')
2017-07-16 20:33:36 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables -w2 -D FORWARD -j DOCKER-ISOLATION
2017-07-16 20:33:36 DEBUG1: direct.passthrough('ipv4', '-I','FORWARD','-j','DOCKER-ISOLATION')
2017-07-16 20:33:36 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables -w2 -I FORWARD -j DOCKER-ISOLATION
Based on the fact that I can't find a lot of information about the issue, I can only assume it's not serious, but still, I would love to understand what is happening and why there's no error message...

Thanks!
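The debug trace above shows the pattern behind these warnings: Docker sends each iptables command through firewalld's direct passthrough, first a `-C` to check whether a rule already exists, then a `-D` to remove any old copy, then an `-I` to insert it, and firewalld logs every non-zero exit of a passthrough command as COMMAND_FAILED, including checks that fail simply because the rule is not there yet. The script below is an added example for this thread, not code from any of the posters, from firewalld or from Docker. It parses lines like the ones quoted here and separates probe and cleanup failures (`-C`, `-D`, `-F`, `-X`, `-L`) from failed installs (`-I`, `-A`, `-N`), which are the ones that would actually leave Docker's chains or rules missing. The severity mapping is this example's own heuristic, and the sixth sample line (a failed `-I`) is constructed rather than taken from the thread.

```python
"""Triage firewalld COMMAND_FAILED warnings caused by Docker's iptables calls.

Example added for this thread; not code from firewalld, Docker or any poster.
firewalld logs every non-zero exit of a passthrough iptables command as a
WARNING, which includes the `-C` (check) probes Docker issues before it
inserts a rule and the `-D`/`-F`/`-X` cleanup calls for rules that are not
there yet.  The severity mapping below is this example's own heuristic.
"""
import re
from collections import Counter

FAILED_RE = re.compile(r"COMMAND_FAILED: '(?P<cmd>[^']*)' failed:(?P<reason>.*)")

# Probe/cleanup operations: a failure only says "not present (yet)".
PROBE_OPS = {"-C": "check", "-D": "delete", "-F": "flush",
             "-X": "delete-chain", "-L": "list"}
# Operations that install state: a failure means Docker's rule is missing.
MUTATE_OPS = {"-I": "insert", "-A": "append", "-N": "new-chain"}
OP_NAMES = {**PROBE_OPS, **MUTATE_OPS}


def parse_failed(line):
    """Describe one COMMAND_FAILED log line; return None for any other line."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    argv = m.group("cmd").split()
    table, op, chain = "filter", None, None   # iptables defaults to the filter table
    for i, tok in enumerate(argv):
        if tok == "-t" and i + 1 < len(argv):
            table = argv[i + 1]
        elif op is None and tok in OP_NAMES:
            op = tok
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            chain = nxt if nxt and not nxt.startswith("-") else None
    reason = m.group("reason").strip()
    if not reason:
        cause = "no message"                   # the CentOS 7.3 case in this thread
    elif "Bad rule" in reason:
        cause = "rule not present"
    elif "No chain/target/match" in reason or "Couldn't load target" in reason:
        cause = "chain or target not found"    # e.g. the DOCKER chain does not exist
    else:
        cause = "other"
    return {
        "table": table,
        "op": OP_NAMES.get(op, op),
        "chain": chain,
        "cause": cause,
        "severity": "info" if op in PROBE_OPS else "investigate",
    }


def triage(lines):
    """Count info vs. investigate lines and return the ones worth a look."""
    parsed = [p for p in map(parse_failed, lines) if p]
    counts = Counter(p["severity"] for p in parsed)
    return {
        "total": len(parsed),
        "info": counts["info"],
        "investigate": counts["investigate"],
        "suspicious": [p for p in parsed if p["severity"] == "investigate"],
    }


# Sample input: entries 1-5 and 7 are copied from posts in this thread; the
# sixth (a failed -I) is constructed to show what a real problem would look like.
SAMPLE_LOG = [
    "mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: "
    "'/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:",
    "Nov 28 21:36:27 firewalld[543]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 "
    "-D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule "
    "(does a matching rule exist in that chain?).",
    "Nov 28 21:36:27 firewalld[543]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 "
    "-t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: "
    "iptables: No chain/target/match by that name.",
    "2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat "
    "-X DOCKER' failed: iptables: No chain/target/match by that name.",
    "2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat "
    "-D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER' failed: "
    "iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory",
    # constructed line, not from the thread:
    "2017-12-03 20:59:09 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -I FORWARD "
    "-o docker0 -j DOCKER' failed: iptables: No chain/target/match by that name.",
    "2017-07-16 20:33:36 DEBUG1: direct.passthrough('ipv4', '-I','FORWARD','-o','docker0','-j','DOCKER')",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} failed commands: {result['info']} informational, "
          f"{result['investigate']} to investigate")
    for p in result["suspicious"]:
        print("  ", p)
```

On a real host, feed it `journalctl -u firewalld --no-pager` or /var/log/firewalld; anything reported as "investigate" should be followed by `iptables -S FORWARD` and `iptables -t nat -S` to confirm whether the DOCKER and DOCKER-ISOLATION chains and the jumps into them are actually present. The classifier looks at one line at a time, so the second line of a two-line iptables error (the "Try `iptables -h'..." continuation) is ignored and the first line carries the verdict.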

Re: Docker - firewalld errors

Posted: 2017/11/28 19:44:44
by athaks
Same with CentOS 7.4:

Code:

 # systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2017-11-27 14:41:04 EET; 1 day 6h ago
     Docs: man:firewalld(1)
 Main PID: 543 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─543 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Nov 28 21:36:27 firewalld[543]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Nov 28 21:36:27 firewalld[543]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
Nov 28 21:36:27 firewalld[543]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8' failed: iptables: No chain/target/match by that name.
Nov 28 21:36:27 firewalld[543]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.
Nov 28 21:36:27 firewalld[543]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Nov 28 21:36:27 firewalld[543]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Nov 28 21:36:27 firewalld[543]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Nov 28 21:36:27 firewalld[543]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Nov 28 21:36:27 firewalld[543]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Nov 28 21:36:27 firewalld[543]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed: iptables: No chain/target/match by that name.

Re: Docker - firewalld errors

Posted: 2017/12/03 19:58:02
by zendx
CentOS 7.4.1708
Freshly installed & updated.
Docker 1.12.6-61.git85d7426.el7.centos (also tried 17.06.0-ce).
After starting the docker service, in firewalld logs:

Code:

2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -n -L DOCKER' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -n -L DOCKER' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -n -L DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).