libnetwork/d/{bridge,overlay}: fix firewalld reload handling #50443
Merged (+409 −184)
558ef89 to ede323f
robmry approved these changes, Jul 18, 2025
Make sure iptables rules are restored properly once firewalld has deleted them.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
…eparate function
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
- Extract plumpIngressProxy steps in a separate function
- Don't create a new listener if there's already one in ingressProxyTbl
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
… improved rule management
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
…and Insert operations
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
…ing and initialization
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
… Del functions
- refactor programIngressPorts to use Rule.Insert/Append/Delete for improved rule management
- split programIngress() and dependent functions on Add and Del functions
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
ede323f to 846c2ad
- Implement firewalld reload handling for Ingress rules restoration
- Add TestRestoreIngressRulesOnFirewalldReload() integration test
Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
846c2ad to a1f68bf
akerouanton approved these changes, Jul 24, 2025
vvoland approved these changes, Jul 24, 2025
Labels
- area/networking/d/bridge (Networking)
- area/networking/d/overlay (Networking)
- area/networking/firewalld (Networking)
- impact/changelog
- kind/bugfix (PR's that fix bugs)
- process/cherry-pick/25.0
- release-blocker (PRs we want to block a release on)
- What I did
On firewalld reload, all of Docker's iptables rules are removed. Docker notices the reload and restores the rules, but some of the rules are not restored. Correct those oversights.
- How I did it
Reapply endpoint iptables rules for bridge networks on firewalld reload
On firewalld reload, walk over current networks and ask them to restore their per-endpoint iptables rules.
Restore ingress iptables rules in swarm mode
The ingress rules for Docker services in Swarm mode are also not restored after a firewalld reload, and services become unreachable. On firewalld reload, walk over the current service bindings and ask them to restore their iptables rules.
- How to verify it
In swarm mode, create a service:
Store the output of iptables-save and ip6tables-save. Reload firewalld (systemctl reload firewalld). Compare the output of iptables-save with the originals. The order of some rules may change, because rules for the networks/containers are unlikely to be restored in the order they were originally created in. There shouldn't be any other differences.
- Human readable description for the release notes
- Fix Swarm services becoming unreachable from published ports after a firewalld reload.
- A picture of a cute animal (not mandatory but encouraged)
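The "How to verify it" step above says to compare iptables-save output from before and after the reload while tolerating a change in rule order. The script below is an added example, not part of this PR or of the Moby code base: it normalises two dumps (drops the timestamp comments, the packet/byte counters and the COMMIT lines, tags each line with its table, then sorts) and diffs the result, so only a missing or altered rule shows up. The dumps embedded here are constructed samples with made-up addresses, not output captured from a real daemon; the DOCKER-INGRESS chain contents are illustrative only.

```shell
#!/bin/sh
# Normalise an iptables-save dump read on stdin: drop comments (they carry
# timestamps), drop COMMIT and blank lines, strip chain and rule counters,
# prefix every remaining line with its table name, and sort. Two dumps that
# contain the same rules in a different order normalise to identical text.
normalize_rules() {
  awk '
    /^#/ { next }                                  # "# Generated by ..." etc.
    NF == 0 { next }                               # blank lines
    /^\*/ { table = substr($0, 2); next }          # table header, e.g. *nat
    /^COMMIT$/ { next }
    /^:/ { sub(/ \[[0-9]+:[0-9]+\]$/, "") }        # chain policy counters
    /^\[[0-9]+:[0-9]+\] / { sub(/^\[[0-9]+:[0-9]+\] /, "") }  # iptables-save -c
    { print table "\t" $0 }
  ' | sort
}

# Compare two dumps passed as strings. Exit status 0 when the rule sets match
# modulo ordering and counters; 1 when they differ (the unified diff of the
# normalised forms is printed, so a rule that firewalld removed and the daemon
# did not restore shows up as a "-" line).
compare_rules() {
  before_tmp=$(mktemp) || return 2
  after_tmp=$(mktemp) || { rm -f "$before_tmp"; return 2; }
  printf '%s\n' "$1" | normalize_rules > "$before_tmp"
  printf '%s\n' "$2" | normalize_rules > "$after_tmp"
  diff -u "$before_tmp" "$after_tmp"
  rc=$?
  rm -f "$before_tmp" "$after_tmp"
  return $rc
}

# Constructed sample dump taken "before" the reload (addresses are invented).
BEFORE='# Generated by iptables-save v1.8.9 on Thu Jul 24 10:00:00 2025
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER-INGRESS - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:8080
-A DOCKER-INGRESS -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.18.0.2:8443
-A DOCKER-INGRESS -j RETURN
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER-INGRESS - [0:0]
-A FORWARD -j DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER-INGRESS -j RETURN
COMMIT
# Completed on Thu Jul 24 10:00:00 2025'

# Constructed "after" dump: same rules, restored in a different order, with
# fresh counters and a new timestamp. This is the expected good outcome.
AFTER_REORDERED='# Generated by iptables-save v1.8.9 on Thu Jul 24 10:05:00 2025
*nat
:PREROUTING ACCEPT [17:1020]
:DOCKER-INGRESS - [3:180]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.18.0.2:8443
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:8080
-A DOCKER-INGRESS -j RETURN
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER-INGRESS - [40:2400]
-A FORWARD -j DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-INGRESS -j RETURN
COMMIT
# Completed on Thu Jul 24 10:05:00 2025'

# Constructed "after" dump in which one DNAT rule was never restored; this is
# the failure mode the PR fixes and what the comparison must flag.
AFTER_MISSING='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER-INGRESS - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:8080
-A DOCKER-INGRESS -j RETURN
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER-INGRESS - [0:0]
-A FORWARD -j DOCKER-INGRESS
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --dport 8443 -j ACCEPT
-A DOCKER-INGRESS -j RETURN
COMMIT'

# Demo run over the constructed samples.
if compare_rules "$BEFORE" "$AFTER_REORDERED"; then
  echo "reordered dump: all rules present after normalisation"
fi
if ! compare_rules "$BEFORE" "$AFTER_MISSING"; then
  echo "missing-rule dump: differences found (see diff above)"
fi
```

On a real host the two inputs would come from `iptables-save` run before and after `systemctl reload firewalld` (and the same again with `ip6tables-save`); the script only needs awk, sort and diff. Note that the comparison deliberately ignores counters and ordering, so it cannot detect a rule that was restored in the wrong position relative to a non-Docker rule; if that matters for a given setup, inspect the raw diff as well.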