firewalld COMMAND_FAILED warnings

[cyphar]

Since #2548, we see firewalld warnings in systemd logs when Docker starts up. When we tried backporting #2548 these warnings resulted in fatal errors:

Dec 27 21:36:06.507740 susetest firewalld[578]: ERROR: INVALID_ZONE: docker
Dec 27 21:36:07.514557 susetest dockerd[9386]: failed to start daemon: Error initializing network controller: Error creating default "bridge" network: Failed to program NAT chain: INVALID_ZONE: docker

But on upstream Docker (20.03.x) these warnings are just warnings. Though it still seems to me that they should be fixed. The warnings from firewalld are:

Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: Too many links.
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: Too many links.
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:42 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

And here are the interspersed dockerd and firewalld logs to lend some more context:

docker --debug + journald logs

Feb 16 13:32:40 yavin systemd[1]: Starting Docker Application Container Engine...
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.756951533+11:00" level=debug msg="Listener created for HTTP on unix (/var/run/docker.sock)"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.756998891+11:00" level=debug msg="Containerd not running, starting daemon managed containerd"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.757824812+11:00" level=info msg="libcontainerd: started new containerd process" pid=24466
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.757860262+11:00" level=info msg="parsed scheme: \"unix\"" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.757869327+11:00" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.757886879+11:00" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock  <nil> 0 <nil>}] <nil> <nil>}" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.757902266+11:00" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.877477165+11:00" level=info msg="starting containerd" revision=269548fa27e0089a8b8278fc4fc781d7f65a939b version=v1.4.3
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.899733737+11:00" level=info msg="loading plugin \"io.containerd.content.v1.content\"..." type=io.containerd.content.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.899826476+11:00" level=info msg="loading plugin \"io.containerd.snapshotter.v1.aufs\"..." type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.902777808+11:00" level=info msg="skip loading plugin \"io.containerd.snapshotter.v1.aufs\"..." error="aufs is not supported (modprobe aufs failed: exit status 1 \"modprobe: FATAL: Module aufs not found in directory /lib/modules/5.10.9-1-default\\n\"): skip plugin" type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.902803810+11:00" level=info msg="loading plugin \"io.containerd.snapshotter.v1.btrfs\"..." type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903108730+11:00" level=info msg="loading plugin \"io.containerd.snapshotter.v1.devmapper\"..." type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903131386+11:00" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.devmapper" error="devmapper not configured"
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903142245+11:00" level=info msg="loading plugin \"io.containerd.snapshotter.v1.native\"..." type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903169040+11:00" level=info msg="loading plugin \"io.containerd.snapshotter.v1.overlayfs\"..." type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903246596+11:00" level=info msg="loading plugin \"io.containerd.snapshotter.v1.zfs\"..." type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903469539+11:00" level=info msg="skip loading plugin \"io.containerd.snapshotter.v1.zfs\"..." error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter: skip plugin" type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903487259+11:00" level=info msg="loading plugin \"io.containerd.metadata.v1.bolt\"..." type=io.containerd.metadata.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903507475+11:00" level=warning msg="could not use snapshotter devmapper in metadata plugin" error="devmapper not configured"
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903520669+11:00" level=info msg="metadata content store policy set" policy=shared
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903748336+11:00" level=info msg="loading plugin \"io.containerd.differ.v1.walking\"..." type=io.containerd.differ.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903768727+11:00" level=info msg="loading plugin \"io.containerd.gc.v1.scheduler\"..." type=io.containerd.gc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903795253+11:00" level=info msg="loading plugin \"io.containerd.service.v1.introspection-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903820228+11:00" level=info msg="loading plugin \"io.containerd.service.v1.containers-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903832810+11:00" level=info msg="loading plugin \"io.containerd.service.v1.content-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903852524+11:00" level=info msg="loading plugin \"io.containerd.service.v1.diff-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903867079+11:00" level=info msg="loading plugin \"io.containerd.service.v1.images-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903892733+11:00" level=info msg="loading plugin \"io.containerd.service.v1.leases-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903916480+11:00" level=info msg="loading plugin \"io.containerd.service.v1.namespaces-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903942722+11:00" level=info msg="loading plugin \"io.containerd.service.v1.snapshots-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903963616+11:00" level=info msg="loading plugin \"io.containerd.runtime.v1.linux\"..." type=io.containerd.runtime.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904048780+11:00" level=info msg="loading plugin \"io.containerd.runtime.v2.task\"..." type=io.containerd.runtime.v2
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904118328+11:00" level=info msg="loading plugin \"io.containerd.monitor.v1.cgroups\"..." type=io.containerd.monitor.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904619202+11:00" level=info msg="loading plugin \"io.containerd.service.v1.tasks-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904675871+11:00" level=info msg="loading plugin \"io.containerd.internal.v1.restart\"..." type=io.containerd.internal.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904753110+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.containers\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904780176+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.content\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904808448+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.diff\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904830764+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.events\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904853917+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.healthcheck\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904879318+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.images\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904901956+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.leases\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904923817+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.namespaces\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904946515+11:00" level=info msg="loading plugin \"io.containerd.internal.v1.opt\"..." type=io.containerd.internal.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905025208+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.snapshots\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905054432+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.tasks\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905078001+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.version\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905099835+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.introspection\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905396943+11:00" level=info msg=serving... address=/var/run/docker/containerd/containerd-debug.sock
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905466872+11:00" level=info msg=serving... address=/var/run/docker/containerd/containerd.sock.ttrpc
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905523914+11:00" level=info msg=serving... address=/var/run/docker/containerd/containerd.sock
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905548031+11:00" level=debug msg="sd notification" error="<nil>" notified=false state="READY=1"
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905567978+11:00" level=info msg="containerd successfully booted in 0.028977s"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.911080679+11:00" level=debug msg="Created containerd monitoring client" address=/var/run/docker/containerd/containerd.sock
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.911880777+11:00" level=debug msg="Started daemon managed containerd"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.912668425+11:00" level=debug msg="Golang's threads limit set to 114210"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943271082+11:00" level=info msg="parsed scheme: \"unix\"" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943291154+11:00" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943307112+11:00" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock  <nil> 0 <nil>}] <nil> <nil>}" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943318849+11:00" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943361377+11:00" level=debug msg="metrics API listening on /var/run/docker/metrics.sock"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943954766+11:00" level=info msg="parsed scheme: \"unix\"" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943983660+11:00" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.944010627+11:00" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock  <nil> 0 <nil>}] <nil> <nil>}" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.944032252+11:00" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.944603422+11:00" level=debug msg="processing event stream" module=libcontainerd namespace=plugins.moby
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.944879944+11:00" level=debug msg="Using default logging driver json-file"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.945563193+11:00" level=debug msg="[graphdriver] priority list: [btrfs zfs overlay2 fuse-overlayfs aufs overlay devicemapper vfs]"
Feb 16 13:32:41 yavin dockerd[24466]: time="2021-02-16T13:32:41.011955105+11:00" level=debug msg="garbage collected" d=7.990467ms
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.027746044+11:00" level=debug msg="backingFs=btrfs, projectQuotaSupported=false, indexOff=\"index=off,\"" storage-driver=overlay2
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.027771353+11:00" level=info msg="[graphdriver] using prior storage driver: overlay2"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.027782278+11:00" level=debug msg="Initialized graph driver overlay2"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.049447709+11:00" level=debug msg="No quota support for local volumes in /var/lib/docker/volumes: Filesystem does not support, or has not enabled quotas"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053371593+11:00" level=warning msg="Your kernel does not support CPU realtime scheduler"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053388497+11:00" level=warning msg="Your kernel does not support cgroup blkio weight"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053401423+11:00" level=warning msg="Your kernel does not support cgroup blkio weight_device"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053556959+11:00" level=debug msg="Max Concurrent Downloads: 3"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053570248+11:00" level=debug msg="Max Concurrent Uploads: 5"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053579428+11:00" level=debug msg="Max Download Attempts: 5"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053617563+11:00" level=info msg="Loading containers: start."
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053733174+11:00" level=debug msg="processing event stream" module=libcontainerd namespace=moby
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.054765661+11:00" level=debug msg="loaded container" container=58417eb92d91c241e79055257497ecfc698a1d4fc2fca7184c1f618ea740c096 paused=false running=false
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059347992+11:00" level=debug msg="restoring container" container=58417eb92d91c241e79055257497ecfc698a1d4fc2fca7184c1f618ea740c096 paused=false restarting=false running=false
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059814518+11:00" level=debug msg="alive: false" container=58417eb92d91c241e79055257497ecfc698a1d4fc2fca7184c1f618ea740c096 paused=false restarting=false running=false
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059833925+11:00" level=debug msg="done restoring container" container=58417eb92d91c241e79055257497ecfc698a1d4fc2fca7184c1f618ea740c096 paused=false restarting=false running=false
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059861384+11:00" level=debug msg="Option Experimental: false"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059868963+11:00" level=debug msg="Option DefaultDriver: bridge"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059874263+11:00" level=debug msg="Option DefaultNetwork: bridge"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059880054+11:00" level=debug msg="Network Control Plane MTU: 1500"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.096114254+11:00" level=info msg="Firewalld: docker zone already exists, returning"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.098664092+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -j DOCKER-ISOLATION]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.137759089+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.174981239+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.211084764+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.222012404+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D PREROUTING]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.227752665+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D OUTPUT]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.234227282+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -F DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.263020151+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -X DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.298971128+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -F DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.342980998+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -X DOCKER]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: Too many links.
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.348304745+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -F DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.375042082+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -X DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: Too many links.
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.380544273+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -F DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.410963023+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -X DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.451041560+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -F DOCKER-ISOLATION]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.456245288+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -X DOCKER-ISOLATION]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.461538998+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -n -L DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.468555370+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -N DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.511040407+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -n -L DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.516187725+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -n -L DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.520941320+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -n -L DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.526283422+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -N DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.550922853+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-1 -j RETURN]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.555942443+11:00" level=debug msg="Firewalld passthrough: ipv4, [-A DOCKER-ISOLATION-STAGE-1 -j RETURN]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.583025338+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-2 -j RETURN]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.588973754+11:00" level=debug msg="Firewalld passthrough: ipv4, [-A DOCKER-ISOLATION-STAGE-2 -j RETURN]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.624216219+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.630487360+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C DOCKER -i docker0 -j RETURN]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.636455114+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -I DOCKER -i docker0 -j RETURN]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.667007103+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -i docker0 -o docker0 -j DROP]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.672229221+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.677165627+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.685793768+11:00" level=info msg="Firewalld: interface docker0 already part of docker zone, returning"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.685823547+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.690648734+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.723123512+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.728392284+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.773126596+11:00" level=info msg="Firewalld: interface docker0 already part of docker zone, returning"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.773161637+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.778156267+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.782754154+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.787282673+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.792100139+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -j DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.796844612+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -j DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.831119649+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -j DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.883112411+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.887994393+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -I DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.927091562+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.932163553+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -I DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.959070847+11:00" level=debug msg="Network (4c1d786) restored"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.959805622+11:00" level=debug msg="Allocating IPv4 pools for network bridge (4c1d786e65a9783b82ac8c019004b0b65bd787dec7bc96b4e028b8f1e845b0dc)"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.959822503+11:00" level=debug msg="RequestPool(LocalDefault, 172.17.0.0/16, , map[], false)"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.959845092+11:00" level=debug msg="RequestAddress(LocalDefault/172.17.0.0/16, 172.17.0.1, map[RequestAddressType:com.docker.network.gateway])"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.959861304+11:00" level=debug msg="Request address PoolID:172.17.0.0/16 App: ipam/default/data, ID: LocalDefault/172.17.0.0/16, DBIndex: 0x0, Bits: 65536, Unselected: 65534, Sequence: (0x80000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0 Serial:false PrefAddress:172.17.0.1 "
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.962370447+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.967371328+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.998934258+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C DOCKER -i docker0 -j RETURN]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.004947488+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D DOCKER -i docker0 -j RETURN]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.063193783+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.069429699+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -i docker0 -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.123229994+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.129303272+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.165540012+11:00" level=debug msg="Firewalld: removing docker0 interface from docker zone"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.194606371+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.198963202+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.203656959+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.243020045+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.248269696+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.253017869+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.287026053+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.291817437+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -D DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.351090718+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.356330238+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -D DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.384595807+11:00" level=debug msg="releasing IPv4 pools from network bridge (4c1d786e65a9783b82ac8c019004b0b65bd787dec7bc96b4e028b8f1e845b0dc)"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.384620243+11:00" level=debug msg="ReleaseAddress(LocalDefault/172.17.0.0/16, 172.17.0.1)"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.384638663+11:00" level=debug msg="Released address PoolID:LocalDefault/172.17.0.0/16, Address:172.17.0.1 Sequence:App: ipam/default/data, ID: LocalDefault/172.17.0.0/16, DBIndex: 0x0, Bits: 65536, Unselected: 65533, Sequence: (0xc0000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.384653136+11:00" level=debug msg="ReleasePool(LocalDefault/172.17.0.0/16)"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.386189228+11:00" level=debug msg="cleanupServiceDiscovery for network:4c1d786e65a9783b82ac8c019004b0b65bd787dec7bc96b4e028b8f1e845b0dc"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.386202775+11:00" level=debug msg="cleanupServiceBindings for 4c1d786e65a9783b82ac8c019004b0b65bd787dec7bc96b4e028b8f1e845b0dc"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.389878763+11:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.389909067+11:00" level=debug msg="Allocating IPv4 pools for network bridge (5d1cabc379e2e9d9d41dd87d51ac6e81c5c5bfbc24ae07eeece180131d9c74e0)"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.389921254+11:00" level=debug msg="RequestPool(LocalDefault, 172.17.0.0/16, , map[], false)"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.389938806+11:00" level=debug msg="RequestAddress(LocalDefault/172.17.0.0/16, 172.17.0.1, map[RequestAddressType:com.docker.network.gateway])"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.389952897+11:00" level=debug msg="Request address PoolID:172.17.0.0/16 App: ipam/default/data, ID: LocalDefault/172.17.0.0/16, DBIndex: 0x0, Bits: 65536, Unselected: 65534, Sequence: (0x80000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0 Serial:false PrefAddress:172.17.0.1 "
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.390171389+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.395159446+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -I POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.427065294+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C DOCKER -i docker0 -j RETURN]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.432027383+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -I DOCKER -i docker0 -j RETURN]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.463157996+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -i docker0 -o docker0 -j DROP]"
Feb 16 13:32:42 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.468648661+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.473441683+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -i docker0 -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.506958967+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.512489182+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.541222469+11:00" level=debug msg="Firewalld: adding docker0 interface to docker zone"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.547675394+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.552074168+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.557091052+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.562170917+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.568754358+11:00" level=info msg="Firewalld: interface docker0 already part of docker zone, returning"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.568779276+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.572926956+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.635069835+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.640105470+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.679130317+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -j DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.683983614+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -j DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.710897861+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -j DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.750943902+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.756400008+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -I DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.794803504+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.799461615+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -I DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.837137329+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -n -L DOCKER-USER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.842284679+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-USER -j RETURN]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.846441251+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -j DOCKER-USER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.850877732+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -j DOCKER-USER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.887073285+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -j DOCKER-USER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.924160593+11:00" level=info msg="Loading containers: done."
Feb 16 13:32:43 yavin dockerd[24453]: time="2021-02-16T13:32:43.015740425+11:00" level=info msg="Docker daemon" commit=46229ca1d815 graphdriver(s)=overlay2 version=20.10.3_ce
Feb 16 13:32:43 yavin dockerd[24453]: time="2021-02-16T13:32:43.015817248+11:00" level=info msg="Daemon has completed initialization"
Feb 16 13:32:43 yavin systemd[1]: Started Docker Application Container Engine.

If you restart firewalld before starting Docker you get some extra errors:

Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.7 (legacy): Couldn't load target `DOCKER':No such file or directory
                                       
                                       Try `iptables -h' or 'iptables --help' for more information.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER' failed: iptables v1.8.7 (legacy): Couldn't load target `DOCKER':No such file or directory
                                       
                                       Try `iptables -h' or 'iptables --help' for more information.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.7 (legacy): Couldn't load target `DOCKER':No such file or directory
                                       
                                       Try `iptables -h' or 'iptables --help' for more information.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 12 00:28:37 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

[msaimper]

Just to comment on the fact that I am experiencing a similar issue. My docker services just run fine and are visible from the outside but it seems they somehow by-pass firewalld instead of being included in it.

[XXXXX]$ sudo docker version
Client: Docker Engine - Community
 Version:           20.10.5
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        55c4c88
 Built:             Tue Mar  2 20:33:55 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.5
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       363e9a8
  Built:            Tue Mar  2 20:32:17 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

[XXXXX]$ sudo systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-04-06 21:48:24 CEST; 1 day 16h ago
     Docs: man:firewalld(1)
 Main PID: 1310 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─1310 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Apr 08 12:34:23 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
Apr 08 12:34:23 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Apr 08 12:34:23 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Apr 08 12:34:23 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 08 12:37:43 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker_gwbridge -o docker_gwbridge -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 08 12:37:43 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
Apr 08 12:37:43 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
Apr 08 12:38:02 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
Apr 08 12:38:22 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
Apr 08 12:38:22 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.

[XXXXX]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

[XXXXX]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[kiocosta]

any updates on this?

[ubaldino]

Possible solution

https://erfansahaf.medium.com/why-docker-and-firewall-dont-get-along-with-each-other-ddca7a002e10