docker-proxy accepts connections before NAT rules are set up #47951

@robmry

Description

Tracking review comment #47871 (comment)

#47871 means the docker-proxy process is started before NAT rules are set up.

That ensures the daemon doesn't trample iptables rules for a port that's already in-use by some other process, but it leaves a window in which docker-proxy may accept connections that it would not see once the NAT rules are in place. Those connections will be doomed, and eventually reset.

From discussion in today's networking maintainers call (@corhere, @akerouanton) - the plan is to bind the socket in the daemon, to make sure it's reserved and available, set up the iptables rules, then pass the socket to a modified docker-proxy (which can start accepting connections straight away).

The dummyProxy can then be eliminated, because all it does is bind the socket.
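The bind-first, rules-second, hand-off-last ordering proposed above, as an added Go example that is not moby's or docker-proxy's code: the daemon side binds the host port so it is held while the NAT rules are programmed, applies the rules, then dups the listening socket into an `*os.File` of the kind a parent places in `exec.Cmd.ExtraFiles`; the child side rebuilds a `net.Listener` from that descriptor and only then starts accepting. The `applyRules` callback is a placeholder for the real iptables programming, and the echo round trip stands in for the proxy's forwarding loop; both are assumptions made for the demonstration, and the hand-off is done in-process so the example runs on loopback without a second binary.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"syscall"
)

// ReservePort binds the host port without accepting on it. Holding the
// listening socket keeps the port out of reach of other processes while the
// NAT rules are programmed; nothing is accepted until the hand-off below.
func ReservePort(hostAddr string) (*net.TCPListener, error) {
	addr, err := net.ResolveTCPAddr("tcp", hostAddr)
	if err != nil {
		return nil, err
	}
	return net.ListenTCP("tcp", addr)
}

// PortIsReserved reports whether a second bind on addr fails with
// EADDRINUSE, i.e. whether a reservation is actually holding the port.
func PortIsReserved(addr string) bool {
	ln, err := net.Listen("tcp", addr)
	if err == nil {
		ln.Close()
		return false
	}
	return errors.Is(err, syscall.EADDRINUSE)
}

// ReserveThenHandOff is the proposed ordering: bind, apply the NAT rules,
// and only then turn the socket over to the proxy side. applyRules is a
// placeholder for the daemon's iptables programming (assumption); if it
// fails, the port is released and no connection was ever accepted.
func ReserveThenHandOff(hostAddr string, applyRules func() error) (net.Listener, error) {
	reserved, err := ReservePort(hostAddr)
	if err != nil {
		return nil, err
	}
	if err := applyRules(); err != nil {
		reserved.Close()
		return nil, fmt.Errorf("rules not applied, port released: %w", err)
	}
	// Parent side: dup the listening socket into an *os.File, the object a
	// daemon would put in exec.Cmd.ExtraFiles so the child inherits it as fd 3.
	f, err := reserved.File()
	if err != nil {
		reserved.Close()
		return nil, err
	}
	reserved.Close() // the dup keeps the socket open and listening
	// Child side: rebuild a listener from the inherited descriptor. In a
	// separate process this would be net.FileListener(os.NewFile(3, "listener")).
	ln, err := net.FileListener(f)
	f.Close() // FileListener dups again, so this copy can go
	return ln, err
}

// ServeOneEcho accepts a single connection on the handed-off listener and
// echoes it back, standing in for the proxy's forwarding loop (assumption).
func ServeOneEcho(ln net.Listener) error {
	conn, err := ln.Accept()
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = io.Copy(conn, conn)
	return err
}

// RoundTrip dials addr, sends msg, half-closes, and returns the echoed reply.
func RoundTrip(addr, msg string) (string, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(msg)); err != nil {
		return "", err
	}
	if err := conn.(*net.TCPConn).CloseWrite(); err != nil {
		return "", err
	}
	reply, err := io.ReadAll(conn)
	return string(reply), err
}

func main() {
	ln, err := ReserveThenHandOff("127.0.0.1:0", func() error { return nil })
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer ln.Close()
	go ServeOneEcho(ln)
	reply, err := RoundTrip(ln.Addr().String(), "hello")
	fmt.Println("reply:", reply, "err:", err, "port held:", PortIsReserved(ln.Addr().String()))
}
```

The point to check is the ordering: `ReservePort` runs before `applyRules`, and `Accept` is first called only on the listener returned after the hand-off, so the window in which the proxy could accept a connection that the NAT rules would later steer elsewhere is gone; the failure branch shows that a rules error leaves neither a stray listener nor an accepted connection behind.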

Metadata

Labels: area/networking, area/networking/portmapping, kind/bug

Development: No branches or pull requests
