Skip to content

Add option --bridge-accept-fwmark#50476

Merged
robmry merged 1 commit intomoby:masterfrom
robmry:bridge-accept-fw-mark
Jul 23, 2025
Merged

Add option --bridge-accept-fwmark#50476
robmry merged 1 commit intomoby:masterfrom
robmry:bridge-accept-fw-mark

Conversation

@robmry
Copy link
Contributor

@robmry robmry commented Jul 22, 2025
edited
Loading

- What I did

For iptables, users can add an ACCEPT rule to the DOCKER-USER chain - and that rule is final, the packet won't be processed by Docker's other filter-FORWARD rules - so it can be used to skip checks for published ports etc.

With nftables, there's no equivalent to the call to DOCKER-USER chain embedded in Docker's own base chain ... Docker expects to own the whole table, rules added by users to chains in that table will not be preserved. Users can add rules to chains in their own tables, where they can manipulate and drop packets before or after they're processed by Docker's rules.

However, an "accept" in one nftables chain is only an accept in the base chain that called the rule. So, if Docker's base chain drops the packet, it'll still do that (regardless of the order in which chains are processed) ... meaning there's no way for a user-managed table to override Docker's "drop".

So, make it possible to configure the daemon with a firewall mark/mask that results in an early "accept" in Docker's filter-FORWARD chain.

(It's possible mark/marks will need to be configurable per-network rather than per-daemon. It can be extended to that if a requirement emerges.)

The format of the option must be as follows, the usual base markers are accepted (including 0x and 0o):

  • <mark> - the exact 32-bit unsigned integer mark value to match, or
  • <mark>/<mask> - the packet's mark is masked, then matched against the given mark.

Will need to update the CLI's docs/reference/dockerd.md when this is merged.

- How I did it

Add daemon option --bridge-accept-fwmark.

Packets with the given firewall mark/mask are accepted by the bridge driver's filter-FORWARD rules.

The value can either be an integer mark, or it can include a mask in the format <mark>/<mask>. Mark and mask may include a base prefix (0x1).

- How to verify it

- Human readable description for the release notes

- Add daemon option `--bridge-accept-fwmark`. Packets with this firewall mark will accepted by bridge networks, overriding Docker's iptables or nftables "drop" rules.

@robmry robmry self-assigned this Jul 22, 2025
@robmry robmry added kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny impact/changelog area/networking/firewalling Networking area/networking/d/bridge Networking area/networking Networking labels Jul 22, 2025
@robmry robmry added this to the 29.0.0 milestone Jul 22, 2025
@robmry robmry force-pushed the bridge-accept-fw-mark branch from 1279bb9 to 76d9df0 Compare July 22, 2025 13:00
@robmry robmry marked this pull request as ready for review July 22, 2025 13:01
@robmry robmry force-pushed the bridge-accept-fw-mark branch from 76d9df0 to dc66050 Compare July 22, 2025 13:09
akerouanton
akerouanton approved these changes Jul 22, 2025
View reviewed changes
daemon/libnetwork/drivers/bridge/internal/firewaller/firewaller.go Outdated
// bridge itself). In particular, these are not external interfaces for the purpose of
// blocking direct-routing to a container's IP address.
TrustedHostInterfaces []string
// AcceptFwMark is a firewall mark/mask. Packets will this mark will not be dropped by
Copy link
Member

@akerouanton akerouanton Jul 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// AcceptFwMark is a firewall mark/mask. Packets will this mark will not be dropped by
// AcceptFwMark is a firewall mark/mask. Packets with this mark will not be dropped by

Copy link
Contributor Author

@robmry robmry Jul 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@robmry robmry force-pushed the bridge-accept-fw-mark branch from dc66050 to 5fc7253 Compare July 22, 2025 14:48
austinvazquez
austinvazquez approved these changes Jul 22, 2025
View reviewed changes
Copy link
Contributor

@austinvazquez austinvazquez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, very well written I had just one question for my own learning. :)

@robmry
Add option --bridge-accept-fwmark
cf1695b 
Packets with the given firewall mark are accepted by the bridge
driver's filter-FORWARD rules.

The value can either be an integer mark, or it can include a
mask in the format "<mark>/<mask>".

Signed-off-by: Rob Murray <rob.murray@docker.com>
@robmry robmry force-pushed the bridge-accept-fw-mark branch from 5fc7253 to cf1695b Compare July 22, 2025 18:17
@robmry
Copy link
Contributor Author

robmry commented Jul 22, 2025

Updated:

  • The option validation now uses ParseUint instead of ParseInt.
  • In the iptabler/nftabler, the values are converted to decimal (because ParseUint accepts more integer formats than iptables/nftables).

@robmry robmry merged commit b0c22a9 into moby:master Jul 23, 2025
179 checks passed
@robmry robmry mentioned this pull request Jul 31, 2025
Merged
@dmcgowan dmcgowan mentioned this pull request Aug 6, 2025
Closed
@dmcgowan dmcgowan mentioned this pull request Sep 5, 2025
Merged
@lmdc45 lmdc45 mentioned this pull request Nov 13, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@akerouanton akerouanton akerouanton approved these changes

@austinvazquez austinvazquez austinvazquez approved these changes

@corhere corhere Awaiting requested review from corhere

@dmcgowan dmcgowan Awaiting requested review from dmcgowan

@vvoland vvoland Awaiting requested review from vvoland

Assignees

@robmry robmry

Labels

area/networking/d/bridge Networking area/networking/firewalling Networking area/networking Networking docs/revisit impact/changelog kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny

Projects

None yet

Milestone

29.0.0

Development

Successfully merging this pull request may close these issues.

4 participants

@robmry @akerouanton @austinvazquez @vvoland