Skip to content

Commit 0546d90

Browse files
robmryrobmry
committed
Routed networks accept traffic from anywhere.
Create ipsets containing the subnet of each non-internal bridge network. Signed-off-by: Rob Murray <[email protected]>
1 parent 1033805 commit 0546d90

16 files changed

+298
-214
lines changed

integration/network/bridge/iptablesdoc/generated/new-daemon.md

Lines changed: 19 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -11,9 +11,9 @@ Table `filter`:
1111
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
1212
num pkts bytes target prot opt in out source destination
1313
1 0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
14-
2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
15-
3 0 0 ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
16-
4 0 0 DOCKER 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
14+
2 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
15+
3 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
16+
4 0 0 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst
1717
5 0 0 ACCEPT 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
1818
6 0 0 ACCEPT 0 -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
1919

@@ -48,9 +48,9 @@ Table `filter`:
4848
-N DOCKER-ISOLATION-STAGE-2
4949
-N DOCKER-USER
5050
-A FORWARD -j DOCKER-USER
51+
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
5152
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
52-
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
53-
-A FORWARD -o docker0 -j DOCKER
53+
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
5454
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
5555
-A FORWARD -i docker0 -o docker0 -j ACCEPT
5656
-A DOCKER ! -i docker0 -o docker0 -j DROP
@@ -78,17 +78,19 @@ The FORWARD chain rules are numbered in the output above, they are:
7878
Docker won't add rules to the DOCKER-USER chain, it's only for user-defined rules.
7979
It's (mostly) kept at the top of the by deleting it and re-creating after each
8080
new network is created, while traffic may be running for other networks.
81-
2. Unconditional jump to DOCKER-ISOLATION-STAGE-1.
82-
Set up during network creation by [setupIPTables][11], which ensures it appears
81+
2. Early ACCEPT for any RELATED,ESTABLISHED traffic to a docker bridge. This rule
82+
matches against an `ipset` called `docker-ext-bridges-v4` (`v6` for IPv6). The
83+
set contains the CIDR address of each docker network, and it is updated as networks
84+
are created and deleted.
85+
So, this rule could be set up during bridge driver initialisation. But, it is
86+
currently set up when a network is created, in [setupIPTables][11].
87+
3. Unconditional jump to DOCKER-ISOLATION-STAGE-1.
88+
Set up during network creation by [setupIPTables][12], which ensures it appears
8389
after the jump to DOCKER-USER (by deleting it and re-creating, while traffic
8490
may be running for other networks).
85-
3. ACCEPT RELATED,ESTABLISHED packets into a specific bridge network.
86-
Allows responses to outgoing requests, and continuation of incoming requests,
87-
without needing to process any further rules.
88-
This rule is also added during network creation, but the code to do it
89-
is in libnetwork, [ProgramChain][12].
90-
4. Jump to DOCKER, for any packet destined for a bridge network. Added when
91-
the network is created, in [ProgramChain][13] ("filterChain" is the DOCKER chain).
91+
4. Jump to DOCKER, for any packet destined for any bridge network, identified by
92+
matching against the `docker-ext-bridge-v[46]` set. Added when the network is
93+
created, in [setupIPTables][13].
9294
The DOCKER chain implements per-port/protocol filtering for each container.
9395
5. ACCEPT any packet leaving a network, also set up when the network is created, in
9496
[setupIPTablesInternal][14].
@@ -97,9 +99,9 @@ The FORWARD chain rules are numbered in the output above, they are:
9799
[setIcc][15].
98100

99101
[10]: https://github.com/moby/moby/blob/e05848c0025b67a16aaafa8cdff95d5e2c064105/libnetwork/firewall_linux.go#L50
100-
[11]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L201
101-
[12]: https://github.com/moby/moby/blob/e05848c0025b67a16aaafa8cdff95d5e2c064105/libnetwork/iptables/iptables.go#L270
102-
[13]: https://github.com/moby/moby/blob/e05848c0025b67a16aaafa8cdff95d5e2c064105/libnetwork/iptables/iptables.go#L251-L255
102+
[11]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L230-L232
103+
[12]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L227-L229
104+
[13]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L223-L226
103105
[14]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L264
104106
[15]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L343
105107

integration/network/bridge/iptablesdoc/generated/usernet-internal.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -16,10 +16,10 @@ The filter table is updated as follows:
1616
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
1717
num pkts bytes target prot opt in out source destination
1818
1 0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
19-
2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
20-
3 0 0 ACCEPT 0 -- bridge1 bridge1 0.0.0.0/0 0.0.0.0/0
21-
4 0 0 ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
22-
5 0 0 DOCKER 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
19+
2 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
20+
3 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
21+
4 0 0 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst
22+
5 0 0 ACCEPT 0 -- bridge1 bridge1 0.0.0.0/0 0.0.0.0/0
2323
6 0 0 ACCEPT 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
2424
7 0 0 ACCEPT 0 -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
2525

@@ -56,10 +56,10 @@ The filter table is updated as follows:
5656
-N DOCKER-ISOLATION-STAGE-2
5757
-N DOCKER-USER
5858
-A FORWARD -j DOCKER-USER
59+
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
5960
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
61+
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
6062
-A FORWARD -i bridge1 -o bridge1 -j ACCEPT
61-
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
62-
-A FORWARD -o docker0 -j DOCKER
6363
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
6464
-A FORWARD -i docker0 -o docker0 -j ACCEPT
6565
-A DOCKER ! -i docker0 -o docker0 -j DROP

integration/network/bridge/iptablesdoc/generated/usernet-portmap-noicc.md

Lines changed: 13 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -16,29 +16,27 @@ The filter table is:
1616
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
1717
num pkts bytes target prot opt in out source destination
1818
1 0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
19-
2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
20-
3 0 0 ACCEPT 0 -- * bridge1 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
21-
4 0 0 DOCKER 0 -- * bridge1 0.0.0.0/0 0.0.0.0/0
19+
2 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
20+
3 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
21+
4 0 0 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst
2222
5 0 0 ACCEPT 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
23-
6 0 0 ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
24-
7 0 0 DOCKER 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
25-
8 0 0 ACCEPT 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
26-
9 0 0 ACCEPT 0 -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
27-
10 0 0 DROP 0 -- bridge1 bridge1 0.0.0.0/0 0.0.0.0/0
23+
6 0 0 ACCEPT 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
24+
7 0 0 ACCEPT 0 -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
25+
8 0 0 DROP 0 -- bridge1 bridge1 0.0.0.0/0 0.0.0.0/0
2826

2927
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
3028
num pkts bytes target prot opt in out source destination
3129

32-
Chain DOCKER (2 references)
30+
Chain DOCKER (1 references)
3331
num pkts bytes target prot opt in out source destination
3432
1 0 0 ACCEPT 6 -- !bridge1 bridge1 0.0.0.0/0 192.0.2.2 tcp dpt:80
3533
2 0 0 DROP 0 -- !docker0 docker0 0.0.0.0/0 0.0.0.0/0
3634
3 0 0 DROP 0 -- !bridge1 bridge1 0.0.0.0/0 0.0.0.0/0
3735

3836
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
3937
num pkts bytes target prot opt in out source destination
40-
1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
41-
2 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
38+
1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
39+
2 0 0 DOCKER-ISOLATION-STAGE-2 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
4240

4341
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
4442
num pkts bytes target prot opt in out source destination
@@ -61,20 +59,18 @@ The filter table is:
6159
-N DOCKER-ISOLATION-STAGE-2
6260
-N DOCKER-USER
6361
-A FORWARD -j DOCKER-USER
62+
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
6463
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
65-
-A FORWARD -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
66-
-A FORWARD -o bridge1 -j DOCKER
64+
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
6765
-A FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
68-
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
69-
-A FORWARD -o docker0 -j DOCKER
7066
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
7167
-A FORWARD -i docker0 -o docker0 -j ACCEPT
7268
-A FORWARD -i bridge1 -o bridge1 -j DROP
7369
-A DOCKER -d 192.0.2.2/32 ! -i bridge1 -o bridge1 -p tcp -m tcp --dport 80 -j ACCEPT
7470
-A DOCKER ! -i docker0 -o docker0 -j DROP
7571
-A DOCKER ! -i bridge1 -o bridge1 -j DROP
76-
-A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
7772
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
73+
-A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
7874
-A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
7975
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
8076
-A DOCKER-USER -j RETURN
@@ -84,7 +80,7 @@ The filter table is:
8480

8581
By comparison with [ICC=true][1]:
8682

87-
- Rule 10 in the FORWARD chain replaces an ACCEPT rule that would have followed rule 5, matching the same packets.
83+
- Rule 8 in the FORWARD chain replaces an ACCEPT rule that would have followed rule 5, matching the same packets.
8884
- Added in [setIcc][2]
8985

9086
[1]: usernet-portmap.md

integration/network/bridge/iptablesdoc/generated/usernet-portmap-noproxy.md

Lines changed: 11 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -19,29 +19,27 @@ The filter table is the same as with the userland proxy enabled.
1919
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
2020
num pkts bytes target prot opt in out source destination
2121
1 0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
22-
2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
23-
3 0 0 ACCEPT 0 -- * bridge1 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
24-
4 0 0 DOCKER 0 -- * bridge1 0.0.0.0/0 0.0.0.0/0
22+
2 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
23+
3 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
24+
4 0 0 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst
2525
5 0 0 ACCEPT 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
2626
6 0 0 ACCEPT 0 -- bridge1 bridge1 0.0.0.0/0 0.0.0.0/0
27-
7 0 0 ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
28-
8 0 0 DOCKER 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
29-
9 0 0 ACCEPT 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
30-
10 0 0 ACCEPT 0 -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
27+
7 0 0 ACCEPT 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
28+
8 0 0 ACCEPT 0 -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
3129

3230
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
3331
num pkts bytes target prot opt in out source destination
3432

35-
Chain DOCKER (2 references)
33+
Chain DOCKER (1 references)
3634
num pkts bytes target prot opt in out source destination
3735
1 0 0 ACCEPT 6 -- !bridge1 bridge1 0.0.0.0/0 192.0.2.2 tcp dpt:80
3836
2 0 0 DROP 0 -- !docker0 docker0 0.0.0.0/0 0.0.0.0/0
3937
3 0 0 DROP 0 -- !bridge1 bridge1 0.0.0.0/0 0.0.0.0/0
4038

4139
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
4240
num pkts bytes target prot opt in out source destination
43-
1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
44-
2 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
41+
1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
42+
2 0 0 DOCKER-ISOLATION-STAGE-2 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
4543

4644
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
4745
num pkts bytes target prot opt in out source destination
@@ -61,20 +59,18 @@ The filter table is the same as with the userland proxy enabled.
6159
-N DOCKER-ISOLATION-STAGE-2
6260
-N DOCKER-USER
6361
-A FORWARD -j DOCKER-USER
62+
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
6463
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
65-
-A FORWARD -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
66-
-A FORWARD -o bridge1 -j DOCKER
64+
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
6765
-A FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
6866
-A FORWARD -i bridge1 -o bridge1 -j ACCEPT
69-
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
70-
-A FORWARD -o docker0 -j DOCKER
7167
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
7268
-A FORWARD -i docker0 -o docker0 -j ACCEPT
7369
-A DOCKER -d 192.0.2.2/32 ! -i bridge1 -o bridge1 -p tcp -m tcp --dport 80 -j ACCEPT
7470
-A DOCKER ! -i docker0 -o docker0 -j DROP
7571
-A DOCKER ! -i bridge1 -o bridge1 -j DROP
76-
-A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
7772
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
73+
-A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
7874
-A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
7975
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
8076
-A DOCKER-USER -j RETURN

0 commit comments

Comments
 (0)