ClearOS Bug Tracker


View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0021871ClearCenterapp-clearglass - ClearGLASS Enginepublic2018-10-18 12:272018-12-14 12:39
ReporterNickH 
Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
StatusconfirmedResolutionopen 
PlatformOSOS Version
Product Version7.5.0 Updates 
Target Version7.5.0 UpdatesFixed in Version 
Summary0021871: The br-??? interface changes every time ClearGLASS restarts making the firewall rules obsolete
DescriptionEach time ClearGLASS restarts, either using the Start/Stop button or Dave's systemd unit file, the br-??? interface name changes but the firewall rules don't regenerate with the new interface names. This means there will be no firewall rules running on the new ClearGLASS instance.

For any running instance of ClearGLASS the interface can be derived from:
echo "br-`docker inspect "clearglass_ui_1" --format '{{ .NetworkSettings.Networks.clearglass_default.NetworkID }}' | cut -c1-12`"

You can use any of the ClearGLASS containers. They all produce the same result.

In theory you can probably leave the old rules in place and it won't harm. Otherwise, if you are using Dave's systemd method, you can read the interface before stopping ClearGLASS and export the name with "systemctl set-environment" with an ExecStopPre, then run an ExecStopPost to delete the old rules and an ExecStartPre to add in the new rules. (if you are not worried about dropping the firewall rules fractionally before ClearGLASS stops, it can all be done with an ExecStopPre)
There may be a small delay after starting ClearGLASS for the interface to become available as my echo command once produced just "br-". This would need to be tested for.

As an additional comment, based on the current rules, only two would be needed in the FORWARD chain as three of the current ones are redundant.

Chain FORWARD (policy DROP 10 packets, 648 bytes)
num pkts bytes target prot opt in out source destination
7 21406 14M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state
16 0 0 DOCKER all -- * br-4a1b2686ea6d 0.0.0.0/0 0.0.0.0/0
17 0 0 ACCEPT all -- * br-4a1b2686ea6d 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
18 0 0 ACCEPT all -- br-4a1b2686ea6d !br-4a1b2686ea6d 0.0.0.0/0 0.0.0.0/0
19 0 0 ACCEPT all -- br-4a1b2686ea6d br-4a1b2686ea6d 0.0.0.0/0 0.0.0.0/0
21 0 0 ACCEPT all -- br-4a1b2686ea6d * 0.0.0.0/0 0.0.0.0/0

can be replaced with just:
Chain FORWARD (policy DROP 10 packets, 648 bytes)
num pkts bytes target prot opt in out source destination
7 21406 14M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state
16 0 0 DOCKER all -- * br-4a1b2686ea6d 0.0.0.0/0 0.0.0.0/0
21 0 0 ACCEPT all -- br-4a1b2686ea6d * 0.0.0.0/0 0.0.0.0/0

Note rule 7 is not a ClearGLASS rule. It is one of the base rules. I've just left it there because shows that rule 17 is redundant.
TagsNo tags attached.
Attached Files

- Relationships

-  Notes
There are no notes attached to this issue.

- Issue History
Date Modified Username Field Change
2018-10-18 12:27 NickH New Issue
2018-10-18 12:30 user2 Status new => confirmed
2018-12-14 12:39 dloper Target Version => 7.5.0 Updates