Disabling ICC on internal network does not work

[duffsterlp]

Description

I am trying to understand how to limit communication between Docker containers on the same network. Disabling ICC in the daemon, disabling IP forwarding, flushing the forward chain on the host's iptables and dropping all forwarded packets, and disabling ICC in the network doesn't prevent this. The issue that I see is that pings still propagate from one container to another when both containers are attached to a custom bridge network.

Steps to reproduce the issue:

1. Flush forwarding chain of iptables on host and setting it to drop all packets
2. Start docker daemon with ICC set to false and IP forwarding set to false
3. Create custom bridge network with ICC disabled and which is an internal network
4. Spawn 2 containers attached to the custom network
5. Ping from one hostname to the other

Describe the results you received:
Pings are oddly successful between the containers.

Describe the results you expected:
Pings should not go through because ICC is disabled on the network.

Additional information you deem important (e.g. issue happens only occasionally):
I'm really just trying to understand what these different options should do and whether they are behaving as expected. In addition, I am trying to understand why the packets aren't hitting the host's iptables.

I did see this issue:
#21990
but it only seemed to apply for the ICC flag in the daemon whereas I'm also considering the ICC flag in the network as well.

Output of docker version:

Client:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:
 OS/Arch:      linux/amd64

Output of docker info:

Containers: 2
 Running: 2
 Paused: 0
 Stopped: 0
Images: 7
Server Version: 1.12.1
Storage Driver: devicemapper
 Pool Name: docker-253:1-394705729-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 460.3 MB
 Data Space Total: 107.4 GB
 Data Space Available: 88.94 GB
 Metadata Space Used: 958.5 kB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.147 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2016-06-09)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null bridge host overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp
Kernel Version: 3.10.0-229.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.797 GiB
Name: glenntest.novalocal
ID: G37T:BQMP:MOF5:NI5M:CEWW:XLFG:OWIX:5ZZN:QQXF:BTCX:PAZP:RO5D
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: IPv4 forwarding is disabled
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
 127.0.0.0/8

Additional environment details (AWS, VirtualBox, physical, etc.): Seen on openstack instance as well as a vSphere virtual machine

[thaJeztah]

I think this is by design; if you add containers to a custom network, you basically tell docker to allow them to communicate with each other.

ping @mavenugo PTAL

[aboch]

@duffsterlp
The daemon networking flags have only effect on the default bridge network.
To affect the respecitve icc driver specific flag for bridge driver networks (so for user created bridge networks) you would do:

docker network create --opt com.docker.network.bridge.enable_icc=false nw

I verified two containers on such created network cannot communicate with each other.

But it looks like you found another issue, which is the above is no longer true if the network is also created as internal. Is that correct ?

[duffsterlp]

@aboch Yes, I see the exact same behavior.

No internal: Pings do not work since an iptables rule is added to drop packets going in and out of the same bridge interface.
Internal: Pings work as no such iptables rule is added to the forwarding chain.

[duffsterlp]

It is also worth mentioning the reason why packets were not hitting the host's iptables to begin with:
moby/libnetwork#1104
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables since this is disabled on CentOS by default.

[aboch]

Thanks @duffsterlp

Given we verified the icc flag to restrict inter-container communications on custom networks works, I'd suggest to either close this issue and open a new one for the unsupported combination of --internal & --opt com.docker.network.bridge.enable_icc=false options, or to modify the title of this issue.

[duffsterlp]

@aboch I have another interesting behavior that I'd like to confirm.

When I start the instance with firewalld enabled, containers can ping each other on the same network with enable_icc=false even with the internal flag not specified. This is because firewalld sets up a rule to accept RELATED and ESTABLISHED packets before the DROP rule set up by bridge.enable_icc=false. ICMP replies are considered RELATED within iptables.

Is this desired behavior?

[aboch]

@duffsterlp

Is this desired behavior?

No

[duffsterlp]

@aboch Thanks for the succinct answer. :)
Is this a separate bug that I should file?

[aboch]

@duffsterlp

Is this a separate bug that I should file?

Yes, please. Thanks.