
Error from whalewall: field dst_ports not found in type whalewall.ruleConfig #243

Open
ksylvan opened this issue Nov 25, 2024 · 1 comment

ksylvan commented Nov 25, 2024

I'm trying to get whalewall to work in a Mailu installation, so I'm starting by getting the basic setup working first.

This is my Docker compose for whalewall:

name: whalewall
services:
  whalewall:
    cap_add:
      - NET_ADMIN
    image: ghcr.io/capnspacehook/whalewall:0.2.3
    restart: unless-stopped
    network_mode: host
    volumes:
      - whalewall_data:/data
      - /var/run/docker.sock:/var/run/docker.sock:ro

volumes:
  whalewall_data:

When I start it, here's what I see:

$ docker compose up -d
[+] Running 1/1
 ✔ Container whalewall-whalewall-1  Started  0.2s

$ docker compose logs -f
whalewall-1  | {"level":"info","time":"2024-11-25T05:08:13.274718515Z","msg":"applied landlock rules"}
whalewall-1  | {"level":"info","time":"2024-11-25T05:08:13.27546873Z","msg":"applied seccomp filters","syscalls.allowed":48}
whalewall-1  | {"level":"info","time":"2024-11-25T05:08:13.275487146Z","msg":"starting whalewall","version":"v0.2.3","commit":"ad75afd9b6d35bb52e2859560d5d5777394ad696"}

So far so good.

Now, here is the (minimally edited) miniflux setup from the documentation:

name: miniflux
services:
  miniflux:
    depends_on:
      - miniflux_db
    environment:
      - DATABASE_URL=postgres://miniflux:secret@miniflux_db/miniflux?sslmode=disable
      - RUN_MIGRATIONS=1
      - CREATE_ADMIN=1
      - ADMIN_USERNAME=admin
      - ADMIN_PASSWORD=password
    image: miniflux/miniflux:latest
    restart: unless-stopped
    labels:
      whalewall.enabled: true
      whalewall.rules: |
        mapped_ports:
          # allow traffic to port 80 from localhost
          localhost:
            allow: true
          # allow traffic to port 80 from LAN
          external:
            allow: true
        output:
          # allow postgres connections
          - network: default
            container: miniflux_db
            proto: tcp
            dst_ports:
              - 5432
          # allow DNS requests
          - log_prefix: "dns"
            proto: udp
            dst_ports:
              - 53
          # allow HTTPS requests
          - log_prefix: "https"
            proto: tcp
            dst_ports:
              - 443
    ports:
      - "80:8080/tcp"

  miniflux_db:
    environment:
      - POSTGRES_USER=miniflux
      - POSTGRES_PASSWORD=secret
    image: postgres:alpine
    labels:
      # no rules specified, drop all traffic
      whalewall.enabled: true

And when I start it, I see this:

$ docker compose up
[+] Running 2/0
 ✔ Container miniflux-miniflux_db-1  Created  0.0s
 ✔ Container miniflux-miniflux-1     Created  0.0s
Attaching to miniflux-1, miniflux_db-1
miniflux_db-1  | 
miniflux_db-1  | PostgreSQL Database directory appears to contain a database; Skipping initialization
miniflux_db-1  | 
miniflux_db-1  | 2024-11-25 05:12:56.561 UTC [1] LOG:  starting PostgreSQL 17.2 on x86_64-pc-linux-musl, compiled by gcc (Alpine 13.2.1_git20240309) 13.2.1 20240309, 64-bit
miniflux_db-1  | 2024-11-25 05:12:56.561 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
miniflux_db-1  | 2024-11-25 05:12:56.561 UTC [1] LOG:  listening on IPv6 address "::", port 5432
miniflux_db-1  | 2024-11-25 05:12:56.563 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
miniflux_db-1  | 2024-11-25 05:12:56.567 UTC [30] LOG:  database system was shut down at 2024-11-25 04:55:47 UTC
miniflux_db-1  | 2024-11-25 05:12:56.574 UTC [1] LOG:  database system is ready to accept connections
miniflux-1     | level=INFO msg="Running database migrations" current_version=99 latest_version=99
miniflux-1     | level=INFO msg="Skipping admin user creation because it already exists" username=admin
miniflux-1     | level=INFO msg="Starting HTTP server" listen_address=0.0.0.0:8080

And in the whalewall logs, I see:

whalewall-1  | {"level":"info","time":"2024-11-25T05:50:54.596273117Z","msg":"creating rules","container.id":"34dfd786b144","container.name":"miniflux-miniflux_db-1"}
whalewall-1  | {"level":"info","time":"2024-11-25T05:50:54.791476058Z","msg":"creating rules","container.id":"20d0726b23d3","container.name":"miniflux-miniflux-1"}
whalewall-1  | {"level":"error","time":"2024-11-25T05:50:54.791668709Z","msg":"error creating rules","container.id":"20d0726b23d3","container.name":"miniflux-miniflux-1","error":"error parsing rules: yaml: unmarshal errors:\n  line 13: field dst_ports not found in type whalewall.ruleConfig\n  line 18: field dst_ports not found in type whalewall.ruleConfig\n  line 23: field dst_ports not found in type whalewall.ruleConfig","stacktrace":"github.com/capnspacehook/whalewall.(*RuleManager).createRules\n\tgithub.com/capnspacehook/whalewall/create.go:64\ngithub.com/capnspacehook/whalewall.(*RuleManager).Start.func1\n\tgithub.com/capnspacehook/whalewall/manager.go:112"}

What do the parsing errors mean?

The container seems to work as expected.

ksylvan commented Dec 3, 2024

This was related to my using the "master" branch README instructions while using the v0.2.3 tagged container image.

@capnspacehook can we please get an updated image with the new syntax, also including the dependabot fix PRs?
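As an added example (not from this issue or from whalewall itself), a small pre-flight check that scans a `whalewall.rules` block for keys the pinned image's rule schema does not accept, reporting the same 1-based line numbers the unmarshal error quotes. The field sets are reconstructed from the README block in this issue, and the "older image" set is a hypothetical stand-in that simply drops `dst_ports`; the real schema of a given tag must be read from that tag's README.

```python
import re

# Keys in the README rules block quoted in the issue (reconstructed from that
# block, not from whalewall's source). OLDER_IMAGE_FIELDS is a hypothetical
# stand-in that drops `dst_ports` to mirror the unmarshal error in the logs.
README_FIELDS = {"mapped_ports", "localhost", "external", "allow", "output",
                 "network", "container", "proto", "dst_ports", "log_prefix"}
OLDER_IMAGE_FIELDS = README_FIELDS - {"dst_ports"}

# A mapping key at the start of a YAML line, optionally after a list-item dash.
KEY_RE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*:")

def unknown_fields(rules, known):
    """Return (line, key) pairs for keys not in `known`, 1-based like yaml.v3."""
    found = []
    for lineno, line in enumerate(rules.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no keys
        m = KEY_RE.match(line)
        if m and m.group(1) not in known:
            found.append((lineno, m.group(1)))
    return found

# The `whalewall.rules` block from the issue as the `|` block scalar reaches
# whalewall (constructed sample input; comments kept so line numbers match).
MINIFLUX_RULES = """\
mapped_ports:
  # allow traffic to port 80 from localhost
  localhost:
    allow: true
  # allow traffic to port 80 from LAN
  external:
    allow: true
output:
  # allow postgres connections
  - network: default
    container: miniflux_db
    proto: tcp
    dst_ports:
      - 5432
  # allow DNS requests
  - log_prefix: "dns"
    proto: udp
    dst_ports:
      - 53
  # allow HTTPS requests
  - log_prefix: "https"
    proto: tcp
    dst_ports:
      - 443
"""
```

Checked against OLDER_IMAGE_FIELDS the block reports lines 13, 18 and 23, the three entries in the whalewall error above; checked against README_FIELDS it reports nothing, which is the state to reach before deploying a rules label to a pinned image tag.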
