Add a filter chain to allow persistent rules #1675
Conversation
drivers/bridge/setup_ip_tables.go
Outdated
| @@ -13,6 +13,7 @@ import ( | |||
| const ( | |||
| DockerChain = "DOCKER" | |||
| IsolationChain = "DOCKER-ISOLATION" | |||
| fwdTopChain = "DOCKER-FORWARD-TOP" | |||
There was a problem hiding this comment.
I would call this DOCKER-USER to specify it is left to the user to manage.
There was a problem hiding this comment.
+1.
In service_linux.go:
// In the filter table FORWARD chain first rule should be to jump to INGRESS-CHAIN
|
Thanks @wenjianhn for the change. I think the new DOCKE-USER chain, not being driver specific, should be installed by the libnetwork core and not bridge driver. Can you please move the logic into controller.go at the end of |
|
@aboch Looks like we also need to use APPEND instead of INSERT when add rules in the drivers. https://github.com/wenjianhn/libnetwork/tree/draft/docker-user-chain |
|
For that, you would call in |
|
@aboch The CI failed. It doesn't seem to be related to my changes. |
those are the reason for the failure. Please add the comments. |
iptables/iptables.go
Outdated
| return nil | ||
| } | ||
|
|
||
| err := RawCombinedOutput(append([]string{"-I", chain}, args...)...) |
There was a problem hiding this comment.
Logically this should be a "-A", the return rule is anyway expected to appear at the end of the chain.
The original function was coded with the notion it would be used right after chain creation, as it was a bridge private function.
Now that the function is a public method, we should not assume anything like that.
I know this is from the existing code.
But given we are touching it now, I think it is the right time to fix this.
service_linux.go
Outdated
|
|
||
| err = iptables.EnsureJumpRule("FORWARD", userChain) | ||
| if err != nil { | ||
| logrus.Warnf("Failed to create the jump rule for %s: %v", userChain, err) |
There was a problem hiding this comment.
Failed to ensure the jump rule to %s: %v...
service_linux.go
Outdated
| @@ -260,6 +260,7 @@ func (sb *sandbox) rmLBBackend(ip, vip net.IP, fwMark uint32, ingressPorts []*Po | |||
| } | |||
| } | |||
|
|
|||
| const userChain = "DOCKER-USER" | |||
There was a problem hiding this comment.
Let's keep this file for service related things only.
Please move this const and the arrangeUserFilterRule() function to controller.go or network.go
There was a problem hiding this comment.
Done. Moved it to controller.go.
|
Thanks @wenjianhn |
|
Thanks @wenjianhn LGTM |
|
Please rebase |
|
@aboch The test fail. It doesn't seem to be related to my changes. |
|
Yes, weird cross-compilation issue. No changes in that vendoring. |
|
Any updates on this issue? We're currently having to use a custom shell script for starting/restarting docker stacks to solve this problem. |
|
@wenjianhn Please move the current definition of |
controller.go
Outdated
| @@ -841,6 +845,7 @@ addToStore: | |||
| if !c.isDistributedControl() { | |||
| c.Lock() | |||
| arrangeIngressFilterRule() | |||
| arrangeUserFilterRule() | |||
| c.Unlock() | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
Instead of calling arrangeUserFilterRule two times can you move it after the if !c.isDistributedControl() { block ?
There was a problem hiding this comment.
Nice catch. Thanks.
There was a problem hiding this comment.
@wenjianhn arrangeIngressFilterRule() is done inside the !c.isDistributedControl() because it applies only in the swarm mode. But the user chain is needed in non-swarm mode as well. Can you add this after the if !c.isDistributedControl() block
c.Lock()
arrangeUserFilterRule()
c.Unlock()
There was a problem hiding this comment.
@sanimej CircleCI timed out. Could you rebuild it?
|
@wenjianhn This needs another rebase and couple of minor comments to be addressed. Can you please take care of that and we can merge it in time for 17.06. Sorry about the delay in the review. |
|
@sanimej Sure thing. |
Allow users to configure firewall policies in a way that persists docker operations/restarts. Docker will not delete or modify any pre-existing rules from the DOCKER-USER filter chain. This allows the user to create in advance any rules required to further restrict access from/to the containers. Fixes moby/moby#29184 Fixes moby/moby#23987 Related to moby/moby#24848 Signed-off-by: Jacob Wen <jian.w.wen@oracle.com>
|
Thanks @wenjianhn. LGTM |
|
@sanimej will this be in a vendor bump for 17.06? |
|
Thanks a lot for making this happen! From the code comments, I gather that one has to add rules to the
|
|
@thaJeztah We will do a vendor in later in the day. @peterthomassen Yes, any custom rules you want to run before the docker added rules should be in the |
|
ping @mstanleyjones this was included in docker 17.06 (through commit moby/moby@46392f2, which is part of moby/moby#32981), however, because it was part of another "changelog" issue, probably may not have been clear as a separate feature. Given that this is a much-requested feature, we should include this somewhere in the documentation |
Extra information: $ docker run -d -p 7777:6379 --name data1 redis $ docker run -d -p 8888:6379 --name data2 redis $ sudo iptables -N DOCKER-USER-redis1 $ sudo iptables -A DOCKER-USER-redis1 -s 192.168.56.0/24 -p tcp -m tcp -j RETURN $ sudo iptables -A DOCKER-USER-redis1 -j REJECT --reject-with icmp-port-unreachable $ sudo iptables -N DOCKER-USER-redis2 $ sudo iptables -A DOCKER-USER-redis2 -s 10.0.24.0/24 -p tcp -m tcp -j RETURN $ sudo iptables -A DOCKER-USER-redis2 -j REJECT --reject-with icmp-port-unreachable $ sudo iptables -A DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 7777 -j DOCKER-USER-redis1 $ sudo iptables -A DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 8888 -j DOCKER-USER-redis2 "I think an example like this belongs in the docs as it probably covers what 99% of users are looking for: the ability to expose ports using `-p` but still be able to control traffic to them using common filters like `-s`." Note that --ctorigdstport matches the original destination port of the first packet of the connection, not the packet being filtered. So the dropping rule will also drop responses to the outgoing connections from Docker to the world on 5000-9999! Add --ctdir ORIGINAL to the DROP rule to match only incoming packets. See github.com/moby/moby/issues/22054#issuecomment-466663033 You can also specify which chains docker should use. For example, in the filter table, specify another chain instead of `FORWARD`. This allows you to use traditional tools to manage the firewall and decide when to pass control to docker. Information pulled from: moby/moby#33567 https://unrouted.io/2017/08/15/docker-firewall/ moby/libnetwork#1675
|
I have "iptables": false in /etc/docker/daemon.json. I am using docker swarm mode. But docker is adding DOCKER-INGRESS iptables rules. Is there any workaround to avoid this? |
Allow users to configure firewall policies in way that persists
docker operations/restarts. Docker will not delete or modify any
pre-existing rules from the DOCKER-FORWARD-TOP filter chain. This
allows the user to create in advance any rules required to further
restrict access from/to the containers.
Fixes moby/moby/issues/29184
Fixes moby/moby/issues/23987
Related to moby/moby/issues/24848
Signed-off-by: Jacob Wen jian.w.wen@oracle.com