Port proxy intercepts *all* connections, not just from localhost

[mpetazzoni]

It appears that since 0.6.5 and the introduction of the links feature the port proxy that replaces NAT and iptables port forwarding for container port bindings intercepts all connections, even those made from outside the host machine.

I would also like this issue to raise some concerns about this port proxying, mainly for the two following reasons:

1. Firstly, my understand is that this proxying is done in user-space but is not zero-copy. The performance impacts of this can be huge, yet this behavior is not documented anywhere.
2. Secondly, and most importantly, doing port proxying changes the semantics of the listening port. Normally, if the service is not running nothing listens on the port and any connection attempt will fail with a Connection refused error. With the proxy, the connection succeeds before being closed. This prevents mechanisms like port pinging for service monitoring from working properly.

Tagging @jpetazzo and @shykes with which I raised the issue on #docker.

[mpetazzoni]

This was probably the breaking change: #1435

[jpetazzo]

Nah, #1435 is unrelated; it just extends the userland proxy, but doesn't affect the iptables forwarding.

Forwarding rules were setup by iptablesForward.

Now it's Chain.Forward, itself called from PortMapper.Map.

I suggest to sprinkle some debug code around here and check if mapper.iptables could be nil or something like that...

[jpetazzo]

After investigating a bit more:

• the iptables rule in the DOCKER chain has 0.0.0.0 as the destination IP address; so it is never matched (it should be 0.0.0.0/0 to match)
• this is because the Forward method in iptables.go takes an IP address (to be used as the destination) and passes it "as is" to iptables
• ... and by default, this IP address with be 0.0.0.0

I believe that we need some code somewhere to replace 0.0.0.0 with 0.0.0.0/0; maybe in iptables.go.

/cc @crosbymichael

[mpetazzoni]

Here's a patch that solves the problem. There's probably a cleaner way of doing it though, so I'll leave it up to you guys to see how you want to integrate this:

diff --git a/iptables/iptables.go b/iptables/iptables.go
index 82ecf8b..1f8c7eb 100644
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
@@ -55,9 +55,13 @@ func RemoveExistingChain(name string) error {
 }

 func (c *Chain) Forward(action Action, ip net.IP, port int, proto, dest_addr string, dest_port int) error {
+       destination := ip.String()
+       if destination == "0.0.0.0" {
+               destination = "0.0.0.0/0"
+       }
        if output, err := Raw("-t", "nat", fmt.Sprint(action), c.Name,
                "-p", proto,
-               "-d", ip.String(),
+               "-d", destination,
                "--dport", strconv.Itoa(port),
                "!", "-i", c.Bridge,
                "-j", "DNAT",