
Favoring "iptables-legacy" on Debian Sid causes iptables rules inconsistency #2331

Open
TheCatFelix opened this issue Jan 23, 2019 · 4 comments

Comments

@TheCatFelix

Description of Issue/Question

Debian Sid (Unstable) now uses iptables-nft by default to provide /sbin/iptables and still provides /usr/sbin/iptables-legacy for compatibility.
A recent change in the docker package, released into Debian Sid on 1/17/2019, forces docker to favor the iptables-legacy binary over the "default" iptables.
This causes "normal" iptables rules to show up under iptables -S and docker's rules only under iptables-legacy -S.

Specific impact in my setup was inconsistent iptables configuration and the docker container could not initiate outgoing connections any more.

Setup

I recently upgraded the docker package in Debian:

  • from: docker.io 18.06.1+dfsg1-2
  • to docker.io 18.06.1+dfsg1-3

which, on the Debian side, has the following changelog:
https://tracker.debian.org/news/1021701/accepted-dockerio-18061dfsg1-3-source-all-amd64-into-unstable/

which seems to introduce the following docker commit:
7da66ee#diff-b90cadcd0928c1e490272f4761a52bac

Checking in the Debian source repo confirms the suspicion:
docker.io 18.06.1+dfsg1-2 https://sources.debian.org/src/docker.io/18.06.1+dfsg1-2/libnetwork/iptables/iptables.go/

  • does not contain the commit

docker.io 18.06.1+dfsg1-3 https://sources.debian.org/src/docker.io/18.06.1+dfsg1-3/libnetwork/iptables/iptables.go/

  • contains the commit in line 90

Workaround

When forcing the system to default to iptables-legacy, all rules show up under iptables-legacy. In my case, the container was then able to initiate outgoing connections again:

update-alternatives --set iptables /usr/sbin/iptables-legacy

Logs and other Evidence

18.06.1+dfsg1-2:

  • iptables-nft is the default
  • All rules show up under iptables -S (observe the custom rule -A INPUT -s 15.15.15.51 -j DROP)
root@debian:/home/test# dpkg -l |grep docker.io
ii  docker.io                        18.06.1+dfsg1-2              amd64        Linux container runtime
ii  python3-docker                   3.4.1-4                      all          Python 3 wrapper to access docker.io's control socket
root@debian:/home/test# /sbin/iptables -A INPUT -s 15.15.15.51 -j DROP
root@debian:/home/test# /sbin/iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-USER
-N DOCKER-ISOLATION-STAGE-2
-A INPUT -s 15.15.15.51/32 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8200 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
root@debian:/home/test# /usr/sbin/iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
root@debian:/home/test# update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-legacy - priority 10
  slave iptables-restore: /usr/sbin/iptables-legacy-restore
  slave iptables-save: /usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save
root@debian:/home/test#

18.06.1+dfsg1-3:

  • iptables-nft is the default
  • Custom rules show up only under iptables -S (observe the custom rule -A INPUT -s 15.15.15.51 -j DROP)
  • Docker rules show up only under iptables-legacy -S
root@debian:/home/test# dpkg -l |grep docker.io
ii  docker.io                        18.06.1+dfsg1-3              amd64        Linux container runtime
ii  python3-docker                   3.4.1-4                      all          Python 3 wrapper to access docker.io's control socket
root@debian:/home/test# /sbin/iptables -A INPUT -s 15.15.15.51 -j DROP
root@debian:/home/test# /sbin/iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 15.15.15.51/32 -j DROP
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@debian:/home/test# /usr/sbin/iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8200 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
root@debian:/home/test# update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-legacy - priority 10
  slave iptables-restore: /usr/sbin/iptables-legacy-restore
  slave iptables-save: /usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save
root@debian:/home/test#
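Added example, not part of the issue, of Debian's packaging or of Docker's code: a POSIX shell check that compares an `iptables-nft -S` dump with an `iptables-legacy -S` dump and flags the split state shown in the logs above. Both backends register their own netfilter hooks, so a packet is evaluated against both rule sets and neither dump on its own is the full policy; this check counts rules per backend, lists chains that exist in only one of them, and honours the "iptables-legacy tables present" warning that iptables-nft prints. All function names (`split_check`, `live_check`, `demo`, ...) are assumptions of this example, and the embedded sample dumps are constructed, abridged copies of the 18.06.1+dfsg1-3 output above.

```shell
#!/bin/sh
# Added example (not from moby/libnetwork#2331 or Docker): detect iptables rules
# split between the nf_tables backend (iptables-nft) and the x_tables backend
# (iptables-legacy). Function names and sample dumps are this example's own.
export LC_ALL=C   # stable sort order for sort/comm

# rule_count DUMP: number of "-A" rules in an "iptables -S" dump file.
rule_count() {
    grep -c '^-A ' "$1" || true   # grep exits 1 when the count is 0; keep the "0"
}

# list_chains DUMP: chain names (built-in "-P" and user "-N"), sorted for comm.
list_chains() {
    awk '$1 == "-P" || $1 == "-N" { print $2 }' "$1" | sort -u
}

# chains_only_in DUMP_A DUMP_B: chains present in A but absent from B.
chains_only_in() {
    a=$(mktemp) && b=$(mktemp) || return 1
    list_chains "$1" >"$a"
    list_chains "$2" >"$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# warns_of_legacy DUMP: true if iptables-nft itself reported legacy tables
# (the "# Warning: iptables-legacy tables present" line seen in the issue).
warns_of_legacy() {
    grep -q 'iptables-legacy tables present' "$1"
}

# split_check NFT_DUMP LEGACY_DUMP: print per-backend state; return 1 when both
# backends carry rules (the inconsistent state), 0 otherwise.
split_check() {
    nft_rules=$(rule_count "$1"); nft_rules=${nft_rules:-0}
    legacy_rules=$(rule_count "$2"); legacy_rules=${legacy_rules:-0}
    echo "nft backend:    $nft_rules rule(s); chains only here: $(chains_only_in "$1" "$2" | tr '\n' ' ')"
    echo "legacy backend: $legacy_rules rule(s); chains only here: $(chains_only_in "$2" "$1" | tr '\n' ' ')"
    warns_of_legacy "$1" && echo "iptables-nft reports legacy tables present"
    if [ "$nft_rules" -gt 0 ] && [ "$legacy_rules" -gt 0 ]; then
        echo "SPLIT: rules in both backends; neither 'iptables -S' view is complete" >&2
        return 1
    fi
    return 0
}

# live_check: dump both backends on this host (needs root and both binaries).
live_check() {
    command -v iptables-nft >/dev/null && command -v iptables-legacy >/dev/null || {
        echo "iptables-nft and iptables-legacy are both required" >&2; return 2; }
    n=$(mktemp) && l=$(mktemp) || return 2
    iptables-nft -S >"$n" 2>&1      # keep the legacy-tables warning in the dump
    iptables-legacy -S >"$l" 2>&1
    split_check "$n" "$l"; rc=$?
    rm -f "$n" "$l"
    return $rc
}

# Constructed sample dumps, abridged from the 18.06.1+dfsg1-3 output in the issue.
sample_nft_dump() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 15.15.15.51/32 -j DROP
# Warning: iptables-legacy tables present, use iptables-legacy to see them
EOF
}
sample_legacy_dump() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8200 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
EOF
}

# demo: run the check against the constructed sample dumps (returns 1: split).
demo() {
    n=$(mktemp) && l=$(mktemp) || return 2
    sample_nft_dump >"$n"; sample_legacy_dump >"$l"
    split_check "$n" "$l"; rc=$?
    rm -f "$n" "$l"
    return $rc
}

case "${1:-}" in
    live) live_check ;;
    demo) demo ;;
esac
```

Run it as `sh check.sh demo` to see the split reported on the sample dumps, or as root with `sh check.sh live` before and after the `update-alternatives --set iptables /usr/sbin/iptables-legacy` workaround. Note that the sample dumps also disagree on the FORWARD policy (ACCEPT in nft, DROP in legacy); since both backends are evaluated, a packet accepted by one is still dropped by the other. Switching the alternative only changes which binary `iptables` resolves to: rules already loaded into the nf_tables backend stay there until flushed or re-added, so the live check keeps reporting a split until the two rule sets are consolidated into one backend.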
@racke

racke commented Apr 26, 2019

Same thing happened to me. Workaround alleviates the problem.

@vespian

vespian commented Jul 29, 2019

+1

@qingling128

+1

hwdsl2 added a commit to hwdsl2/docker-ipsec-vpn-server that referenced this issue May 10, 2020
- Debian 10 has xl2tpd 1.3.12, manual compilation is no longer needed
- Workaround added to fix IPTables issues under docker-compose
  "update-alternatives --set iptables /usr/sbin/iptables-legacy"
- References: #186
  https://wiki.debian.org/nftables
  k3s-io/k3s#1114
  moby/libnetwork#2331
@artfulrobot

Related firehol/firehol#422

usmcfiredog added a commit to usmcfiredog/docker-ipsec-vpn-server that referenced this issue Sep 20, 2020
- Debian 10 has xl2tpd 1.3.12, manual compilation is no longer needed
- Workaround added to fix IPTables issues under docker-compose
  References: hwdsl2#186
  https://wiki.debian.org/nftables
  k3s-io/k3s#1114
  moby/libnetwork#2331
mbarnes added a commit to mbarnes/osmc-ansible that referenced this issue Oct 20, 2020
mbarnes added a commit to mbarnes/osmc-ansible that referenced this issue Nov 8, 2020