Skip to content

libnetwork/d/{bridge,overlay}: fix firewalld reload handling#50443

Merged
vvoland merged 11 commits intomoby:masterfrom
corhere:fix-firewalld-reload
Jul 24, 2025
Merged

libnetwork/d/{bridge,overlay}: fix firewalld reload handling#50443
vvoland merged 11 commits intomoby:masterfrom
corhere:fix-firewalld-reload

Conversation

@corhere
Copy link
Contributor

@corhere corhere commented Jul 17, 2025
edited
Loading

- What I did

On firewalld reload, all of Docker's iptables rules are removed. Docker notices the reload and restores the rules, but some of the rules are not restored. Correct those oversights.

- How I did it

Reapply endpoint iptables rules for bridge networks on firewalld reload

On firewalld reload, walk over current networks and ask them to restore their per-endpoint iptables rules.

Restore ingress iptables rules in swarm mode

The Ingress rules for Docker Services in a Swarm mode are also not restored after firewalld reload and services become unreachable. On firewalld reload, walk over current service binding and ask them to restore iptables.

- How to verify it

In a swarm mode create a service:

docker swarm init
docker network create -d overlay n0
docker service create --name nginx --publish target=80,published=80 --replicas=1 --network n0 nginx

Store the output of iptables-save and ip6tables-save.

Reload firewalld, systemctl reload firewalld.

Compare the output of iptables-save with the originals. The order of some rules may change, because rules for the networks/container are unlikely to be restored in the order they were originally created in. There shouldn't be any other differences.

- Human readable description for the release notes

- Fix Swarm services becoming unreachable from published ports after a firewalld reload.

- A picture of a cute animal (not mandatory but encouraged)

@corhere corhere added this to the 29.0.0 milestone Jul 17, 2025
@corhere corhere changed the title Fix firewalld reload libnetwork/d/{bridge,overlay}: fix firewalld reload handling Jul 17, 2025
@corhere corhere mentioned this pull request Jul 17, 2025
Merged
@corhere corhere force-pushed the fix-firewalld-reload branch from 558ef89 to ede323f Compare July 17, 2025 22:38
robmry and others added 10 commits July 23, 2025 14:01
@robmry @corhere
bridge: Trigger firewalld reload during bridge integration tests
6d457d9 
Make sure iptables rules are restored properly once firewalld
has deleted them.

Signed-off-by: Rob Murray <rob.murray@docker.com>
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov @corhere
bridge: Reapply endpoint iptables rules on firewalld reload
0739307 
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov @corhere
libnetwork: extract creation/initiation of INGRESS-DOCKER chains in s…
752758a 
…eparate function

Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov @corhere
libnetwork: extract programIngressPorts steps in a separate functions
51ed289 
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov @corhere
libnetwork: extract plumpIngressProxy steps in a separate function
c2e2e7f 
- Extract plumpIngressProxy steps in a separate function
- Don't create a new listener if there's already one in ingressProxyTbl

Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov @corhere
libnetwork: refactor iptable functions to include table parameter for…
19a8083 
… improved rule management

Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov @corhere
libnetwork: refactor rule management to use Ensure method for Append …
262c325 
…and Insert operations

Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov @corhere
libnetwork: add FlushChain methods for improved iptables management
4f0485e 
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov @corhere
libnetwork: refactor ingress chain management for improved rule handl…
50e6f4c 
…ing and initialization

Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@aepifanov @corhere
libnetwork: split programIngress() and dependent functions on Add and…
8b208f1 
… Del functions

- refactor programIngressPorts to use Rule.Insert/Append/Delete for improved rule management
- split programIngress() and dependent functions on Add and Del functions

Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@corhere corhere force-pushed the fix-firewalld-reload branch from ede323f to 846c2ad Compare July 23, 2025 18:06
@aepifanov @corhere
overlay: Reload Ingress iptables rules in swarm mode
a1f68bf 
- Implement firewalld reload handling for Ingress rules restoration
- Add TestRestoreIngressRulesOnFirewalldReload() integration test

Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
@corhere corhere force-pushed the fix-firewalld-reload branch from 846c2ad to a1f68bf Compare July 23, 2025 19:52
@vvoland vvoland merged commit 6cea771 into moby:master Jul 24, 2025
208 of 209 checks passed
@robmry robmry mentioned this pull request Jul 24, 2025
Merged
@corhere corhere deleted the fix-firewalld-reload branch July 24, 2025 16:14
@dmcgowan dmcgowan mentioned this pull request Aug 6, 2025
Closed
@dmcgowan dmcgowan mentioned this pull request Sep 5, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@akerouanton akerouanton akerouanton approved these changes

@vvoland vvoland vvoland approved these changes

@robmry robmry robmry approved these changes

@thaJeztah thaJeztah Awaiting requested review from thaJeztah

Assignees

No one assigned

Labels

area/networking/d/bridge Networking area/networking/d/overlay Networking area/networking/firewalld Networking impact/changelog kind/bugfix PR's that fix bugs process/cherry-pick/25.0 release-blocker PRs we want to block a release on

Projects

None yet

Milestone

29.0.0

Development

Successfully merging this pull request may close these issues.

5 participants

@corhere @akerouanton @vvoland @robmry @aepifanov