Docker now masks access to /proc/timer_list, which means that the file is VISIBLE, but is not accessible - see https://github.com/moby/moby/pull/25630
This causes this to happen:
    root@lxc-01:~# lxc launch c7 centos7-test
    Creating centos7-test
    Starting centos7-test
    root@lxc-01:~# lxc exec centos7-test bash
    [root@centos7-test ~]# ls -al /proc/timer_list
    -r-------- 1 65534 65534 0 Mar 3 21:10 /proc/timer_list
    [root@centos7-test ~]# id
    uid=0(root) gid=0(root) groups=0(root)
    [root@centos7-test ~]# cat /proc/timer_list
    cat: /proc/timer_list: Permission denied
    [root@centos7-test ~]#
The current test in firewall only tests if the file exists, not if the file contains valid information.
This simply requires the exception be changed to a 'return 0' (this is a single-line change).
I have created and signed a test package as proof that this works, which is attached. This is NOT the final result, as the times are still off, and the Ratelimit vs Blocked page is not accurate, because firewall can't tell how old the packets are, but this at least solves the primary issue of the status page crashing.
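The difference between "the file exists" and "the file contains valid information" can be shown with a short probe. This is an added example, not the firewall module's own code: the function names and the constructed sample text are assumptions, and it relies only on the `now at N nsecs` line that the kernel writes near the top of /proc/timer_list.

```python
import re

TIMER_LIST = "/proc/timer_list"

# Constructed sample of the first lines of a readable timer_list.
SAMPLE = (
    "Timer List Version: v0.8\n"
    "HRTIMER_MAX_CLOCK_BASES: 8\n"
    "now at 5234567890123 nsecs\n"
)

_NOW_RE = re.compile(r"^now at (\d+) nsecs$", re.MULTILINE)


def probe_timer_list(path=TIMER_LIST):
    """Return (state, nsecs); nsecs is 0 unless state is "ok".

    An existence check alone passes for a masked file: the directory
    entry is visible, but open() fails or the content is empty.
    """
    try:
        with open(path, "r", errors="replace") as fh:
            data = fh.read()
    except FileNotFoundError:
        return ("missing", 0)
    except OSError:
        # Masked file in a container: ls shows it, reading is denied.
        return ("unreadable", 0)
    match = _NOW_RE.search(data)
    if match is None:
        # Readable but empty or not in the expected format.
        return ("invalid", 0)
    return ("ok", int(match.group(1)))


def kernel_now_nsecs(path=TIMER_LIST):
    """Kernel timestamp from timer_list, or 0 when it cannot be used."""
    return probe_timer_list(path)[1]


if __name__ == "__main__":
    print(probe_timer_list())
```

Callers that receive 0 have no kernel timestamp to compare packet ages against, so any age-based classification has to be treated as unknown rather than computed.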