[Bug] System - The Port Forwarding Feature of the Firewall Module (ufw) Incorrectly Handles Traffic from Within Docker.

[AnxysUaen]

Contact Information

Anxys@outlook.com

1Panel Version

Community v1.10.32

Problem Description

In the current version, if OpenResty is started to listen on port 8443 and port forwarding is configured to redirect port 443 to 8443, accessing any HTTPS website on the internet from within Docker will be forwarded to the host machine's OpenResty, which is unexpected.
If this is a feature rather than a bug, it is hoped that a switch for "whether to exclude traffic from Docker" can be added to the port forwarding functionality.

Steps to Reproduce

1. Start OpenResty and have it listen on port 8443.
2. Configure port forwarding from port 443 to port 8443.
3. Add a container, access its terminal, and use curl to request https://www.xx.com

The expected correct result

In this scenario, the curl request from within the container to the external HTTPS website will be unexpectedly forwarded to the host's OpenResty service listening on port 8443.

Related log output

Additional Information

No response

[wanghe-fit2cloud]

感谢反馈。上述现象是由于 ufw 的端口转发规则会同时作用在 Docker 容器的出站流量上，所以容器访问外部 HTTPS 时也被重定向到了宿主机。

目前你可以通过在宿主机添加一条 iptables 规则，手动排除 Docker 子网的流量来解决，例如：

# 假设 Docker 默认网桥是 172.17.0.0/16
iptables -t nat -I PREROUTING -s 172.17.0.0/16 -j RETURN

这样容器内部的请求就不会再命中端口转发规则了。

后续我们也会评估在端口转发功能中增加“排除 Docker 流量”的选项，来避免类似问题。

[AnxysUaen]

tks

感谢反馈。上述现象是由于 ufw 的端口转发规则会同时作用在 Docker 容器的出站流量上，所以容器访问外部 HTTPS 时也被重定向到了宿主机。

目前你可以通过在宿主机添加一条 iptables 规则，手动排除 Docker 子网的流量来解决，例如：

# 假设 Docker 默认网桥是 172.17.0.0/16
iptables -t nat -I PREROUTING -s 172.17.0.0/16 -j RETURN

这样容器内部的请求就不会再命中端口转发规则了。

后续我们也会评估在端口转发功能中增加“排除 Docker 流量”的选项，来避免类似问题。

[wanghe-fit2cloud]

v2.0.12 版本已发布。