
OpenSUSE 15.3 user here. I broke the default rules created by docker on iptables and can't figure out how to repair this. I tried reinstalling docker already. Here is what happens:

vm-dev:~ # systemctl start docker

vm-dev:~ # tail /var/log/messages | grep firewalld
2022-04-21T00:53:25.607359-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
2022-04-21T00:53:25.610567-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2022-04-21T00:53:25.614009-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2022-04-21T00:53:25.646315-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2022-04-21T00:53:25.649905-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2022-04-21T00:53:25.705446-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2022-04-21T00:53:25.890988-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

Then, every time I do firewall-cmd --reload, I get:

2022-04-21T00:53:35.536326-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

Here is some additional info from the comments:

vm-dev:~ # iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Some additional info requested by @4snok:

vm-dev:~ # find /etc/firewalld/ -name "*.xml"
/etc/firewalld/lockdown-whitelist.xml
/etc/firewalld/zones/public.xml
/etc/firewalld/zones/trusted.xml
/etc/firewalld/zones/docker.xml

vm-dev:~ # cat /etc/firewalld/zones/docker.xml
<?xml version="1.0" encoding="utf-8"?>
<zone version="1.0" target="ACCEPT">
  <short>docker</short>
  <description>zone for docker bridge network interfaces</description>
  <interface name="docker0"/>
</zone>

I have no docker currently running. In fact, I uninstalled docker, deleted /var/lib/docker completely, then reinstalled and the errors are still present. The docker0 interface is in the docker zone in firewalld. I don't see anything special in there. What do I need to do to fix these errors? Any help would be appreciated.

dan
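The log lines in the question all have the same shape: firewalld reports `COMMAND_FAILED` for an iptables command whose operation is `-D`, `-F` or `-X` (delete a rule, flush a chain, delete a chain) and whose error says the rule or chain is not there. Those are cleanup attempts against state that does not exist, which is why the host keeps working. Blanket-suppressing every `COMMAND_FAILED` line in a monitoring system would also hide a failed `-A` or `-I`, i.e. a rule that could not be added, which is the case that actually weakens the firewall. The classifier below is an added example, not code from the original post, from firewalld or from Docker: it parses lines in the syslog format shown above, separates benign cleanup failures from anything else, and maps the result to the usual Nagios exit-code convention (0 OK, 1 WARNING, 2 CRITICAL), which is assumed here. The sample log mixes three lines copied from the question with one constructed `-A` failure line, labelled as such in the code.

```python
"""Classify firewalld COMMAND_FAILED warnings: benign cleanup of rules or
chains that do not exist versus failures that deserve a monitoring alert.
Added example, not part of the original post or of firewalld/Docker."""
import re
import shlex

# Matches the firewalld syslog format shown in the question.
_LINE_RE = re.compile(
    r"firewalld\[\d+\]: WARNING: COMMAND_FAILED: '(?P<cmd>[^']*)' failed: (?P<err>.*)$"
)

# iptables error texts that mean "the thing you tried to remove is not there".
_NOT_FOUND_ERRORS = (
    "No chain/target/match by that name.",
    "Bad rule (does a matching rule exist in that chain?).",
)

# iptables operations that only remove state: delete rule, flush chain, delete chain.
_REMOVE_OPS = {"-D", "-F", "-X"}
_CHAIN_OPS = {"-A", "-I", "-D", "-F", "-X", "-N", "-C", "-L", "-R", "-P"}


def parse_command(cmd):
    """Return (table, operation, chain) from an iptables command line.
    Table defaults to 'filter' when no -t is given, as iptables itself does."""
    argv = shlex.split(cmd)
    table, op, chain = "filter", None, None
    i = 1  # skip the iptables binary path
    while i < len(argv):
        arg = argv[i]
        if arg == "-t" and i + 1 < len(argv):
            table = argv[i + 1]
            i += 2
            continue
        if arg in _CHAIN_OPS:
            op = arg
            # The chain name follows the operation unless the operation has none (-F alone).
            if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                chain = argv[i + 1]
                i += 2
            else:
                i += 1
            continue
        i += 1  # options such as -w10, -m, -j, -i are not relevant here
    return table, op, chain


def classify(line):
    """Classify one syslog line. Returns None for lines that are not
    COMMAND_FAILED warnings, else a dict with verdict 'benign-cleanup' or 'alert'."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    cmd, err = m.group("cmd"), m.group("err").strip()
    table, op, chain = parse_command(cmd)
    # Benign only when a removal failed because the target was already absent.
    benign = op in _REMOVE_OPS and any(err.endswith(e) for e in _NOT_FOUND_ERRORS)
    return {"table": table, "op": op, "chain": chain, "error": err, "command": cmd,
            "verdict": "benign-cleanup" if benign else "alert"}


def summarize(lines):
    """Count benign and alert-worthy failures over a batch of log lines."""
    results = [r for r in (classify(l) for l in lines) if r is not None]
    alerts = [r["command"] for r in results if r["verdict"] == "alert"]
    return {"benign": len(results) - len(alerts), "alerts": len(alerts),
            "alert_commands": alerts}


def nagios_status(summary):
    """Map a summary to (exit_code, message) using the Nagios convention (assumed)."""
    if summary["alerts"]:
        return 2, "CRITICAL: %d iptables command(s) failed: %s" % (
            summary["alerts"], "; ".join(summary["alert_commands"]))
    if summary["benign"]:
        return 0, "OK: %d benign cleanup warning(s) ignored" % summary["benign"]
    return 0, "OK: no COMMAND_FAILED lines"


# Sample input: three lines copied from the question, one constructed -A failure
# (hypothetical, not from the post) and one unrelated line that must be ignored.
SAMPLE_LOG = [
    "2022-04-21T00:53:25.607359-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.",
    "2022-04-21T00:53:25.705446-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).",
    "2022-04-21T00:53:25.646315-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.",
    # constructed line: an add that failed is a real problem, not cleanup noise
    "2022-04-21T00:53:26.000000-04:00 vm-dev firewalld[19494]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.",
    "2022-04-21T00:53:27.000000-04:00 vm-dev systemd[1]: Started Docker Application Container Engine.",
]

if __name__ == "__main__":
    import sys
    code, msg = nagios_status(summarize(SAMPLE_LOG))
    print(msg)
    sys.exit(code)
```

Fed the lines from the question alone, the summary has no alerts and the check returns OK; the constructed `-A` line is the one that turns it CRITICAL. The `endswith` match on the error text is deliberate: the same "No chain/target/match" error is benign for `-X DOCKER-ISOLATION` but not for an `-A` into a chain that should exist.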
  • From the first error, do you have a chain in iptables called DOCKER? `iptables -t nat --list` should show it when run with `sudo`. If it's not there you can try adding it with `iptables -t nat -N DOCKER` and trying again. – Stephan Pieterse Apr 21 '22 at 07:52
  • @StephanPieterse `DOCKER` is there, I added the output to the main post. – dan Apr 22 '22 at 01:26
  • What failures are you experiencing? Those are warnings, and I'd question if warning is probably a bit too excessive for that log message. Info would probably be more appropriate. – BMitch Apr 25 '22 at 00:02
  • The warnings weren't there after a fresh install. I'm not experiencing any failures however, just warnings in logs that are monitored by Nagios... – dan Apr 25 '22 at 21:53
  • D F & X flags remove rules. Essentially docker is trying to delete nonexistent rules :) – 4snok Apr 29 '22 at 16:27
  • @4snok this is when the docker service is launched, or whenever the firewall is reloaded. What do I have to edit in firewalld to prevent it trying to delete a rule when it is reloaded? – dan Apr 30 '22 at 07:07
  • check this file /etc/firewalld/direct.xml, it should contain your problem rules. – 4snok Apr 30 '22 at 12:00
  • if it's a dev server, you can remove this file and reinstall docker – 4snok Apr 30 '22 at 12:01
  • @4snok I edited my original message with the content of /etc/firewalld/, there is no direct.xml. I also tried deleting docker.xml but that didn't help either. – dan May 01 '22 at 01:03

0 Answers