ID | 0021871
Project | ClearCenter
Category | clearglass-community
View Status | public
Date Submitted | 2018-10-18 12:27
Last Update | 2021-11-12 09:00
Reporter | NickH
Assigned To | NickH
Priority | normal
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 7.5.0 Updates
Target Version | 7.5.0 Updates
Fixed in Version | 7.5.0 Updates
Summary | 0021871: The br-??? interface changes every time ClearGLASS restarts making the firewall rules obsolete
Description |

Each time ClearGLASS restarts, either using the Start/Stop button or Dave's systemd unit file, the br-??? interface name changes but the firewall rules don't regenerate with the new interface names. This means there will be no firewall rules running on the new ClearGLASS instance.

For any running instance of ClearGLASS the interface can be derived from:

    echo "br-`docker inspect "clearglass_ui_1" --format '{{ .NetworkSettings.Networks.clearglass_default.NetworkID }}' | cut -c1-12`"

You can use any of the ClearGLASS containers. They all produce the same result.

In theory you can probably leave the old rules in place and it won't harm. Otherwise, if you are using Dave's systemd method, you can read the interface before stopping ClearGLASS and export the name with "systemctl set-environment" with an ExecStopPre, then run an ExecStopPost to delete the old rules and an ExecStartPre to add in the new rules. (If you are not worried about dropping the firewall rules fractionally before ClearGLASS stops, it can all be done with an ExecStopPre.)

There may be a small delay after starting ClearGLASS for the interface to become available, as my echo command once produced just "br-". This would need to be tested for.

As an additional comment, based on the current rules, only two would be needed in the FORWARD chain as three of the current ones are redundant.

    Chain FORWARD (policy DROP 10 packets, 648 bytes)
    num   pkts bytes target prot opt in               out               source     destination
    7    21406   14M ACCEPT all  --  *                *                 0.0.0.0/0  0.0.0.0/0   state
    16       0     0 DOCKER all  --  *                br-4a1b2686ea6d   0.0.0.0/0  0.0.0.0/0
    17       0     0 ACCEPT all  --  *                br-4a1b2686ea6d   0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
    18       0     0 ACCEPT all  --  br-4a1b2686ea6d  !br-4a1b2686ea6d  0.0.0.0/0  0.0.0.0/0
    19       0     0 ACCEPT all  --  br-4a1b2686ea6d  br-4a1b2686ea6d   0.0.0.0/0  0.0.0.0/0
    21       0     0 ACCEPT all  --  br-4a1b2686ea6d  *                 0.0.0.0/0  0.0.0.0/0

can be replaced with just:

    Chain FORWARD (policy DROP 10 packets, 648 bytes)
    num   pkts bytes target prot opt in               out               source     destination
    7    21406   14M ACCEPT all  --  *                *                 0.0.0.0/0  0.0.0.0/0   state
    16       0     0 DOCKER all  --  *                br-4a1b2686ea6d   0.0.0.0/0  0.0.0.0/0
    21       0     0 ACCEPT all  --  br-4a1b2686ea6d  *                 0.0.0.0/0  0.0.0.0/0

Note rule 7 is not a ClearGLASS rule. It is one of the base rules. I've just left it there because it shows that rule 17 is redundant.
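The following script is an added example, not code from the ticket, from ClearGLASS or from the systemd unit it mentions. It turns the procedure the reporter describes into a hook a unit file can call: it derives the bridge name from the Docker network ID exactly as the reporter's echo command does, retries while the lookup returns an empty ID (the "br-" case noted above), and adds or deletes only the two FORWARD rules the reporter says are sufficient. Assumptions that are not in the ticket: the script is installed as /usr/local/sbin/clearglass-fw-hook and is called as `clearglass-fw-hook stop` from ExecStopPre (the reporter's simpler variant, deleting the rules while the containers are still up so the bridge is still resolvable) and as `clearglass-fw-hook start` from ExecStartPost rather than ExecStartPre, because the bridge only exists once the containers are up. The helper functions are pure string handling so they can be checked without Docker or iptables.

```shell
#!/bin/sh
# Added example: regenerate the ClearGLASS Docker bridge FORWARD rules across a
# restart. Not part of ClearGLASS; file name and hook wiring are assumptions.

# Container and compose network to inspect, as in the ticket; overridable.
CLEARGLASS_CONTAINER="${CLEARGLASS_CONTAINER:-clearglass_ui_1}"
CLEARGLASS_NETWORK="${CLEARGLASS_NETWORK:-clearglass_default}"

# Docker names a user-defined bridge "br-" + the first 12 hex chars of the
# network ID. An empty ID is a failure, not "br-", so callers can retry.
bridge_name_from_id() {
  id="$1"
  [ -n "$id" ] || return 1
  printf 'br-%s\n' "$(printf '%s' "$id" | cut -c1-12)"
}

# Ask Docker for the network ID of the running container and map it to the
# bridge name. Fails if Docker is down, the container is gone, or the ID is empty.
current_bridge() {
  id=$(docker inspect "$CLEARGLASS_CONTAINER" \
        --format "{{ .NetworkSettings.Networks.${CLEARGLASS_NETWORK}.NetworkID }}" \
        2>/dev/null) || return 1
  bridge_name_from_id "$id"
}

# Poll for up to $1 seconds (default 30) until the bridge can be resolved,
# covering the start-up delay the ticket observed.
wait_for_bridge() {
  tries="${1:-30}"
  while [ "$tries" -gt 0 ]; do
    if br=$(current_bridge); then
      printf '%s\n' "$br"
      return 0
    fi
    tries=$((tries - 1))
    sleep 1
  done
  return 1
}

# Rule bodies for the two FORWARD rules the ticket keeps: traffic leaving via
# the bridge goes to the DOCKER chain (rule 16), traffic arriving from the
# bridge is accepted (rule 21). One rule spec per line, without chain/action.
forward_rule_specs() {
  br="$1"
  printf '%s %s -j DOCKER\n' -o "$br"
  printf '%s %s -j ACCEPT\n' -i "$br"
}

# Apply ($1 = -A) or delete ($1 = -D) the rules for bridge $2. -A appends, so
# the rules land after whatever base rules already sit in FORWARD.
apply_forward_rules() {
  act="$1"
  br="$2"
  forward_rule_specs "$br" | while read -r spec; do
    # shellcheck disable=SC2086  # word-splitting $spec into arguments is intended
    iptables "$act" FORWARD $spec
  done
}

# Entry points for the unit file (assumed wiring: ExecStopPre=... stop,
# ExecStartPost=... start). With no argument the script only defines functions.
case "${1:-}" in
  stop)
    # Containers are still up here, so the old bridge name is still resolvable.
    if br=$(current_bridge); then
      apply_forward_rules -D "$br"
    fi
    ;;
  start)
    br=$(wait_for_bridge 30) || { echo "clearglass bridge not found" >&2; exit 1; }
    apply_forward_rules -A "$br"
    ;;
esac
```

If the old bridge has already been torn down when the stop hook runs, the delete step is skipped: the stale rules reference an interface that no longer exists and are harmless, which matches the reporter's remark that leaving them in place does no harm. Anyone who prefers the ExecStopPost route from the ticket can keep the stop hook but have it write the resolved name to a file (or `systemctl set-environment`) instead of deleting immediately.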
Tags | No tags attached.
Attached Files | none

Issue History
Date Modified | Username | Field | Change |
2018-10-18 12:27 | NickH | New Issue | |
2018-10-18 12:30 | user2 | Status | new => confirmed |
2018-12-14 12:39 | dloper | Target Version | => 7.5.0 Updates |
2019-02-01 12:34 | NickH | Category | app-clearglass - ClearGLASS Engine => clearglass-community |
2019-02-01 12:34 | NickH | Status | confirmed => resolved |
2019-02-01 12:34 | NickH | Fixed in Version | => 7.5.0 Updates |
2019-02-01 12:34 | NickH | Resolution | open => fixed |
2019-02-01 12:34 | NickH | Assigned To | => NickH |
2021-11-12 09:00 | NickH | Status | resolved => closed |