Conversation

@robmry robmry commented Oct 22, 2024

- What I did

There are rules in the iptables DOCKER chain that accept packets routed to published container ports/protocols.

Until now, there has not been any DROP rule for un-published ports/protocols. So, if the filter-FORWARD chain's default policy was ACCEPT, there was no per-port/protocol filtering for packets routed directly to the container's address. (A remote host with a route to the container's network, via the docker host, could access any port. And, for IPv4, docker only sets the filter-FORWARD policy to DROP if it enables IP forwarding itself.)

This PR removes the dependency on the filter-FORWARD policy.

(Docs impact - need to improve description of gateway modes, as per changelog comment, various other PRs will also feed in to this.)

- How I did it

Add rules to the DOCKER chain to explicitly drop packets routed to docker bridge networks, when the packet hasn't been ACCEPTed by a rule for an open port/protocol.

Allow ICMP in gateway-mode routed, because it would previously have been allowed in nat mode with a default policy of ACCEPT (for IPv4), and it may be needed for IPv6 connectivity.

- How to verify it

New integration test.

- Description for the changelog

- Docker no longer depends on the iptables filter-FORWARD chain's default policy being `DROP`
  in order to restrict access to unpublished container ports from remote hosts.
  - Direct routed access to container ports that are not exposed using `-p`/`--publish` is now blocked
     in the `DOCKER` chain.
  - If the default filter-FORWARD policy was previously left at `ACCEPT` on your host, and direct routed
    access to a container's unpublished ports from a remote host is still required, options are:
    - Publish the ports you need.
    - Re-create the network with `--gateway_mode_ipv4=routed` and/or `--gateway_mode_ipv6=routed`.
      - No NAT rules will be set up to map host addresses/ports to containers, but published ports will
        be accessible from remote hosts if routing has been set up in the network.
    - **FIXME** - mention `nat-unprotected`, to be implemented in an upcoming PR.
  - Container ports that are published to host addresses will continue to be accessible via those host
    addresses, using NAT or the userland proxy.
  - Unpublished container ports continue to be directly accessible from the docker host via the
    container's IP address.

Signed-off-by: Rob Murray <rob.murray@docker.com>
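To illustrate the behaviour change described in the PR above, here is an added model (not moby's code) of how a routed packet is judged by the DOCKER chain and the filter-FORWARD policy, before and after an explicit DROP for unpublished ports exists. It assumes a constructed bridge network 172.18.0.0/16 with one container at 172.18.0.2 publishing only tcp/80, and it only covers forwarded traffic, since packets from the docker host itself do not traverse filter-FORWARD.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology (not from the PR): one docker bridge network,
# one container, and one port published with -p/--publish.
BRIDGE_NET = ip_network("172.18.0.0/16")
CONTAINER = ip_address("172.18.0.2")
PUBLISHED = {("tcp", 80)}  # (protocol, port) pairs opened by -p 80:80


@dataclass(frozen=True)
class Packet:
    """A packet routed through the host (filter-FORWARD), e.g. from a remote host."""
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # unused for icmp


def docker_chain(pkt, drop_unpublished, gateway_mode="nat"):
    """Model of the DOCKER chain. Returns "ACCEPT", "DROP", or None to fall
    through to the filter-FORWARD chain's default policy."""
    dst = ip_address(pkt.dst)
    # Existing rule: accept a published port/protocol on the container's address.
    if dst == CONTAINER and (pkt.proto, pkt.dport) in PUBLISHED:
        return "ACCEPT"
    # New with the PR: ICMP is allowed in gateway-mode routed.
    if gateway_mode == "routed" and pkt.proto == "icmp" and dst in BRIDGE_NET:
        return "ACCEPT"
    # New with the PR: explicit DROP for anything else routed to a bridge network.
    if drop_unpublished and dst in BRIDGE_NET:
        return "DROP"
    return None


def forward_verdict(pkt, forward_policy, drop_unpublished, gateway_mode="nat"):
    """Final verdict for a routed packet: DOCKER chain result, else the chain policy."""
    verdict = docker_chain(pkt, drop_unpublished, gateway_mode)
    return verdict if verdict is not None else forward_policy


def unpublished_port_exposure(forward_policy):
    """Verdict for a remote packet to an unpublished port (tcp/22), before and after the PR."""
    pkt = Packet(str(CONTAINER), "tcp", 22)
    return {
        "before": forward_verdict(pkt, forward_policy, drop_unpublished=False),
        "after": forward_verdict(pkt, forward_policy, drop_unpublished=True),
    }


if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        print(policy, unpublished_port_exposure(policy))
```

With a FORWARD policy of ACCEPT the unpublished port is reachable before the change and dropped after it; with a policy of DROP the result is DROP in both cases, which is the dependency the PR removes.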
@robmry robmry added kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. area/networking Networking impact/changelog impact/documentation area/networking/firewalling Networking area/networking/d/bridge Networking area/networking/portmapping Networking labels Oct 22, 2024
@robmry robmry added this to the 28.0.0 milestone Oct 22, 2024
@robmry robmry self-assigned this Oct 22, 2024
@robmry robmry requested a review from akerouanton October 22, 2024 13:53

@laurazard laurazard left a comment

LGTM

@robmry robmry merged commit 87365d9 into moby:master Oct 23, 2024
@robmry robmry deleted the no_dependency_on_filter_forward_policy branch October 23, 2024 17:48