ClearFoundation Tracker - ClearCenter
View Issue Details
ID: 0021871 | Project: ClearCenter | Category: clearglass-community | View Status: public | Date Submitted: 2018-10-18 12:27 | Last Update: 2021-11-12 09:00
Reporter: NickH
Assigned To: NickH
Priority: normal | Severity: major | Reproducibility: always
Status: closed | Resolution: fixed
Product Version: 7.5.0 Updates
Target Version: 7.5.0 Updates | Fixed in Version: 7.5.0 Updates
0021871: The br-??? interface changes every time ClearGLASS restarts making the firewall rules obsolete
Each time ClearGLASS restarts, either using the Start/Stop button or Dave's systemd unit file, the br-??? interface name changes but the firewall rules don't regenerate with the new interface names. This means there will be no firewall rules running on the new ClearGLASS instance.

For any running instance of ClearGLASS the interface can be derived from:
echo "br-`docker inspect "clearglass_ui_1" --format '{{ .NetworkSettings.Networks.clearglass_default.NetworkID }}' | cut -c1-12`"

You can use any of the ClearGLASS containers. They all produce the same result.

In theory you can probably leave the old rules in place and it won't harm. Otherwise, if you are using Dave's systemd method, you can read the interface before stopping ClearGLASS and export the name with "systemctl set-environment" with an ExecStopPre, then run an ExecStopPost to delete the old rules and an ExecStartPre to add in the new rules. (if you are not worried about dropping the firewall rules fractionally before ClearGLASS stops, it can all be done with an ExecStopPre)
There may be a small delay after starting ClearGLASS for the interface to become available as my echo command once produced just "br-". This would need to be tested for.
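The stop/start hook approach sketched above, as an added example (not code from the tracker or the ClearGLASS project). It assumes the container name clearglass_ui_1 and network clearglass_default from the inspect command, the reduced two-rule FORWARD set below, and that the script is invoked by the unit's Exec* hooks as root; the bridge lookup retries to cover the start-up delay where the bridge name comes back as just "br-".

```shell
#!/bin/sh
# Added example: helpers for re-deriving the ClearGLASS docker bridge name and
# swapping the FORWARD rules around a restart. Assumes container clearglass_ui_1,
# network clearglass_default, docker and iptables on the host, run as root.
set -u

# "br-" + first 12 hex chars of the docker network ID. An empty ID must fail
# rather than yield the bogus "br-" seen right after start.
bridge_from_netid() {
    [ -n "${1:-}" ] || return 1
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Poll docker until the bridge can be derived (covers the start-up delay).
current_bridge() {
    tries=${1:-15}
    while [ "$tries" -gt 0 ]; do
        netid=$(docker inspect clearglass_ui_1 \
            --format '{{ .NetworkSettings.Networks.clearglass_default.NetworkID }}' 2>/dev/null || true)
        bridge_from_netid "$netid" && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# The two FORWARD rules left after the reduction: rule 16 (-o br -j DOCKER)
# and rule 21 (-i br -j ACCEPT). $1 is the iptables action (-A or -D).
forward_rules() {
    printf 'iptables %s FORWARD -o %s -j DOCKER\n' "$1" "$2"
    printf 'iptables %s FORWARD -i %s -j ACCEPT\n' "$1" "$2"
}

# Dispatcher for the (hypothetical) unit hooks. Rules are appended with -A so
# their relative order is kept; where they must sit among the base rules is
# an assumption to check against the full chain.
case "${1:-}" in
    remember)  # before stop: park the current bridge name in the manager env
        systemctl set-environment "CLEARGLASS_BR=$(current_bridge 1)" ;;
    drop-old)  # after stop: delete the rules for the remembered bridge
        old=$(systemctl show-environment | sed -n 's/^CLEARGLASS_BR=//p')
        if [ -n "$old" ]; then forward_rules -D "$old" | sh -e; fi
        systemctl unset-environment CLEARGLASS_BR ;;
    add-new)   # after start: wait for the new bridge, then add fresh rules
        forward_rules -A "$(current_bridge)" | sh -e ;;
esac
```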

As an additional comment, based on the current rules, only two would be needed in the FORWARD chain as three of the current ones are redundant.

Chain FORWARD (policy DROP 10 packets, 648 bytes)
num   pkts  bytes  target  prot  opt  in               out               source     destination
7    21406    14M  ACCEPT  all   --   *                *                 0.0.0.0/0  0.0.0.0/0    state
16       0      0  DOCKER  all   --   *                br-4a1b2686ea6d   0.0.0.0/0  0.0.0.0/0
17       0      0  ACCEPT  all   --   *                br-4a1b2686ea6d   0.0.0.0/0  0.0.0.0/0    ctstate RELATED,ESTABLISHED
18       0      0  ACCEPT  all   --   br-4a1b2686ea6d  !br-4a1b2686ea6d  0.0.0.0/0  0.0.0.0/0
19       0      0  ACCEPT  all   --   br-4a1b2686ea6d  br-4a1b2686ea6d   0.0.0.0/0  0.0.0.0/0
21       0      0  ACCEPT  all   --   br-4a1b2686ea6d  *                 0.0.0.0/0  0.0.0.0/0

can be replaced with just:
Chain FORWARD (policy DROP 10 packets, 648 bytes)
num   pkts  bytes  target  prot  opt  in               out               source     destination
7    21406    14M  ACCEPT  all   --   *                *                 0.0.0.0/0  0.0.0.0/0    state
16       0      0  DOCKER  all   --   *                br-4a1b2686ea6d   0.0.0.0/0  0.0.0.0/0
21       0      0  ACCEPT  all   --   br-4a1b2686ea6d  *                 0.0.0.0/0  0.0.0.0/0

Note rule 7 is not a ClearGLASS rule. It is one of the base rules. I've just left it there because it shows that rule 17 is redundant.
No tags attached.
Issue History
2018-10-18 12:27  NickH   New Issue
2018-10-18 12:30  user2   Status: new => confirmed
2018-12-14 12:39  dloper  Target Version: => 7.5.0 Updates
2019-02-01 12:34  NickH   Category: app-clearglass - ClearGLASS Engine => clearglass-community
2019-02-01 12:34  NickH   Status: confirmed => resolved
2019-02-01 12:34  NickH   Fixed in Version: => 7.5.0 Updates
2019-02-01 12:34  NickH   Resolution: open => fixed
2019-02-01 12:34  NickH   Assigned To: => NickH
2021-11-12 09:00  NickH   Status: resolved => closed

There are no notes attached to this issue.