
#1 2020-09-25 18:01:07

r0l1
Member
Registered: 2018-07-13
Posts: 5

Wrong Wiki Entry: Docker & Nftables [Security]

I just stumbled over the following wiki entry: https://wiki.archlinux.org/index.php/Nf … ith_Docker

Using nftables can interfere with Docker networking (and probably other container runtimes as well). In particular, the drop policy for the forward chain will block packets originating in docker containers. If you want to keep the forward rule in your inet table, you can use the following:

[...]

This works by marking packets if docker is active, and accepting the packets in this case, since docker has already filtered them (the forward chain defined by docker uses a drop policy).

However, this is not correct. The default policy is accept, and testing this on my local setup invalidates all my previously set forward rules. That's quite dangerous...

Here is the default firewall entry added by docker:

table ip filter {
	chain DOCKER-USER {
		meta mark set 0x00000001
		counter packets 628 bytes 101202 return
	}

	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter packets 628 bytes 101202 jump DOCKER-USER
		counter packets 628 bytes 101202 jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" # xt_conntrack counter packets 0 bytes 0 accept
		oifname "docker0" counter packets 0 bytes 0 jump DOCKER
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
		iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}

	chain DOCKER {
	}

	chain DOCKER-ISOLATION-STAGE-1 {
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
		counter packets 628 bytes 101202 return
	}

	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter packets 0 bytes 0 drop
		counter packets 0 bytes 0 return
	}
}

Any ideas how to proceed? Delete the wiki entry?


#2 2020-09-25 18:21:06

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 634

Re: Wrong Wiki Entry: Docker & Nftables [Security]


#3 2020-09-25 18:43:24

r0l1
Member
Registered: 2018-07-13
Posts: 5

Re: Wrong Wiki Entry: Docker & Nftables [Security]

I know how to edit the wiki, but maybe somebody has an idea how to fix this issue nicely. Once fixed, I'll update the wiki entry.

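The following is an added nftables example, not the wiki text (which is elided above) and not a reply from anyone in the thread. It reconstructs the mark-based accept the first post describes, shows why it makes the rest of the inet forward chain unreachable given Docker's chain as listed above (DOCKER-USER marks every packet with 0x1 and returns; FORWARD has policy accept), and then shows one narrower alternative that matches on the Docker bridge itself instead of on the mark. The table name inet filter, the priority filter + 10 (chosen so the chain runs after Docker's ip filter FORWARD chain, which sits at priority filter), the interface names eth0 and wg0, and the ct status dnat rule are all assumptions made for the example; the thread itself does not settle on a fix.

```nft
# Added example, not from the wiki or the thread.
# Docker's own chains (table ip filter, FORWARD -> DOCKER-USER -> ...) are
# the ones quoted in the first post; everything below is the admin's table.

# ---- 1. The pattern the wiki describes (reconstructed as an assumption) ----
#
# Docker's FORWARD chain has policy accept and jumps to DOCKER-USER, which does
# "meta mark set 0x00000001" on every packet and returns. So once Docker's chain
# has run, every forwarded packet carries mark 0x1, whether or not it has
# anything to do with a container. Accepting on that mark therefore accepts
# all forwarded traffic, and the admin rules after it are never evaluated.
#
# table inet filter {
#     chain forward {
#         type filter hook forward priority filter + 10; policy drop;
#         ct state established,related accept
#         meta mark 0x1 accept                  # matches everything: bypasses the rules below
#         iifname "eth0" oifname "wg0" accept   # admin rule (placeholder ifaces), now dead
#     }
# }

# ---- 2. Narrower alternative: match the bridge, not the mark ----
#
# priority filter + 10 is an assumption: it orders this chain after Docker's
# ip filter FORWARD chain (priority filter), so Docker's isolation drops and
# the prerouting DNAT for published ports have already happened by the time a
# packet gets here. The drop policy stays in force for everything else.
table inet filter {
    chain forward {
        type filter hook forward priority filter + 10; policy drop;

        # Keep replies for connections that were already allowed.
        ct state established,related accept
        ct state invalid drop

        # Traffic leaving containers (container -> host uplink / other nets).
        iifname "docker0" accept

        # New connections *into* containers are accepted only if they arrived
        # through a published-port DNAT; unpublished container ports stay
        # unreachable from outside. (ct status dnat is an nftables conntrack
        # match; using it here is this example's choice, not Docker's rule.)
        oifname "docker0" ct status dnat accept

        # Admin rules for non-Docker forwarding remain reachable.
        # eth0 / wg0 are placeholder interface names for this example.
        iifname "eth0" oifname "wg0" accept
    }
}
```

Because no rule accepts on the mark, an unrelated packet forwarded between two non-Docker interfaces still falls through to the admin's own rules and, failing those, to the drop policy, which is the behaviour the first post says the mark-based version silently lost. Verify after loading with nft list ruleset and by watching the counters on the docker0 rules versus the policy drop while generating known traffic.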
