Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libnetwork forces iptables on all bridges system-wide #47127

Open
tomkcook opened this issue Dec 3, 2019 · 3 comments · May be fixed by moby/libnetwork#2497
Open

libnetwork forces iptables on all bridges system-wide #47127

tomkcook opened this issue Dec 3, 2019 · 3 comments · May be fixed by moby/libnetwork#2497
Labels
area/networking/d/bridge kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed.

Comments

@tomkcook
Copy link

tomkcook commented Dec 3, 2019
edited
Loading

libnetwork uses the br-netfilter module to allow filtering of packets passing through a bridge. To do so, it sets /proc/sys/net/bridge/bridge-nf-call-ip[6]tables to 1, forcing iptables for every bridge on the system, whether this is desired or not. This overrides anything set in /etc/sysctl.conf.

This is not Friendly Behaviour. iptables can be enabled per-bridge, by instead setting /sys/class/net/<bridge-name>/bridge/nf_call_ip[6]tables. Note that it cannot be disabled per-bridge when it is enabled system-wide, only enabled per-bridge when it is disabled system-wide. libnetwork should only enable iptables for the bridges it is managing.

See drivers/bridge/setup_bridgenetfiltering.go:71.
@arkodg
Copy link
Contributor

arkodg commented Jan 3, 2020

@tomkcook thanks for highlighting this issue, looks like this API can be extended to receive the bridge interface and only enable filtering per bridge - https://github.com/docker/libnetwork/blob/feeff4f0a3fd2a2bb19cf67c826082c66ffaaed9/drivers/bridge/setup_bridgenetfiltering.go#L111

@tomkcook tomkcook linked a pull request Jan 7, 2020 that will close this issue
Open
@tomkcook
Copy link
Author

tomkcook commented Jan 7, 2020

Note that, while IMO the change I have proposed is correct, it is not benign and still represents a significant change in behaviour. This is because, with the old behaviour, if any network configured by docker had EnableICC set to false (and docker_gwbridge is configured in this way), then all bridges on the system would have netfilter/iptables enabled, whether they had EnableICC set or not. Note that --icc on the dockerd commandline defaults to true and so by default docker0 has EnableICC set to true.

This means that the default configuration will change from both docker_gwbridge and docker0 having iptables enabled to docker_gwbridge having iptables enabled and docker0 not having iptables enabled.

@arkodg
Copy link
Contributor

arkodg commented Jan 7, 2020

good catch, I don't think this check is relevant anymore
https://github.com/docker/libnetwork/blob/feeff4f0a3fd2a2bb19cf67c826082c66ffaaed9/drivers/bridge/bridge.go#L727
and the dependency on config.EnableICC should be removed since we rely on iptables for so much more than just restricting inter container communication

@corhere corhere transferred this issue from moby/libnetwork Jan 19, 2024
@corhere corhere added kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. area/networking/d/bridge labels Jan 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/networking/d/bridge kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Limited bridge netfilter application. tomkcook/libnetwork
3 participants
@corhere @tomkcook @arkodg