Skip to content

Remove dependency on the filter-FORWARD policy#48724

Merged
robmry merged 3 commits intomoby:masterfrom
robmry:no_dependency_on_filter_forward_policy
Oct 23, 2024
Merged

Remove dependency on the filter-FORWARD policy#48724
robmry merged 3 commits intomoby:masterfrom
robmry:no_dependency_on_filter_forward_policy

Conversation

@robmry
Copy link
Contributor

@robmry robmry commented Oct 22, 2024

- What I did

There are rules in the iptables DOCKER chain accept packets routed to published container ports/protocols.

Until now, there has not been any DROP rule for un-published ports/protocols. So, if the filter-FORWARD chain's default policy was ACCEPT, there was no per-port/proctocol filtering for packets routed directly to the container's address. (A remote host with a route to the container's network, via the docker host, could access any port. And, for IPv4, docker only sets the filter-FORWARD policy to DROP if it enables IP forwarding itself.)

This PR removes the dependency on the filter-FORWARD policy.

(Docs impact - need to improve description of gateway modes, as per changelog comment, various other PRs will also feed in to this.)

- How I did it

Add rules to the DOCKER chain to explicitly drop packets routed to docker bridge networks, when the packet hasn't been ACCEPTed by a rule for an open port/protocol.

Allow ICMP in gateway-mode routed, because it would previously have been allowed in nat mode with a default policy of ACCEPT (for IPv4), and it may be needed for IPv6 connectivity.

- How to verify it

New integration test.

- Description for the changelog

- Docker no longer depends on the iptables filter-FORWARD chain's default policy being `DROP`
  in order to restrict access to unpublished container ports from remote hosts.
  - Direct routed access to container ports that are not exposed using `-p`/`--publish` is now blocked
     in the `DOCKER` chain.
  - If the default filter-FORWARD policy was previously left at `ACCEPT` on your host, and direct routed
    access to a container's unpublished ports from a remote host is still required, options are:
    - Publish the ports you need.
    - Re-create the network with `--gateway_mode_ipv4=routed` and/or `--gateway_mode_ipv6=routed`.
      - No NAT rules will be set up to map host addresses/ports to containers, but published ports will
        be accessible from remote hosts if routing has been set up in the network.
    - **FIXME** - mention `nat-unprotected`, to be implemented in an upcoming PR.
  - Container ports that are published to host addresses will continue to be accessible via those host
    addresses, using NAT or the userland proxy.
  - Unpublished container ports continue to be directly accessible from the docker host via the
    container's IP address.

@robmry robmry added kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. area/networking Networking impact/changelog impact/documentation area/networking/firewalling Networking area/networking/d/bridge Networking area/networking/portmapping Networking labels Oct 22, 2024
@robmry robmry added this to the 28.0.0 milestone Oct 22, 2024
@robmry robmry self-assigned this Oct 22, 2024
@robmry robmry requested a review from akerouanton October 22, 2024 13:53
@robmry robmry mentioned this pull request Oct 22, 2024
Merged
@robmry robmry mentioned this pull request Oct 23, 2024
Merged
laurazard
laurazard approved these changes Oct 23, 2024
View reviewed changes
Copy link
Member

@laurazard laurazard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@robmry robmry merged commit 87365d9 into moby:master Oct 23, 2024
@robmry robmry deleted the no_dependency_on_filter_forward_policy branch October 23, 2024 17:48
@robmry robmry mentioned this pull request Nov 4, 2024
Closed
11 tasks
@lcruz99 lcruz99 mentioned this pull request Apr 30, 2025
Merged
3 tasks
@robmry robmry mentioned this pull request May 14, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@akerouanton akerouanton akerouanton approved these changes

@laurazard laurazard laurazard approved these changes

Assignees

@robmry robmry

Labels

area/networking/d/bridge Networking area/networking/firewalling Networking area/networking/portmapping Networking area/networking Networking impact/changelog impact/documentation kind/enhancement Enhancements are not bugs or new features but can improve usability or performance.

Projects

None yet

Milestone

28.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@robmry @akerouanton @laurazard