
Docker does not check kernel's setting concerning bridge traffic filtering #11404

Closed
miminar opened this Issue Mar 16, 2015 · 1 comment

miminar commented Mar 16, 2015

The kernel has several parameters controlling the filtering of bridge traffic (viz. the sysctl entries):

  • net.bridge.bridge-nf-call-arptables - pass bridged ARP traffic to arptables' FORWARD chain.
  • net.bridge.bridge-nf-call-ip6tables - pass bridged IPv4 traffic to iptables' chains.
  • net.bridge.bridge-nf-call-iptables - pass bridged IPv6 traffic to ip6tables' chains.
  • net.bridge.bridge-nf-filter-vlan-tagged - pass bridged vlan-tagged ARP/IP traffic to arptables/iptables.
  • net.bridge.bridge-nf-filter-pppoe-tagged - pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables.

Their default value on Fedora/RHEL systems is 0 (since bug #512206). Therefore, by default, iptables' rules do not affect the bridge's traffic. Thus docker images are allowed to communicate regardless of the --icc=false option by default on these distributions, which is quite surprising behavior.

Docker should check these parameters and refuse to start if inter-container communication is prohibited with the --icc option and bridge traffic is not filtered by iptables' chains. This should be mentioned in the documentation as well.

I assume that checking `net.bridge.bridge-nf-call-iptables != 0 && net.bridge.bridge-nf-call-ip6tables != 0` will be enough. I'm not sure about `net.bridge.bridge-nf-call-arptables` though.

I'll post a PR concerning this issue later today.
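As an added illustration of the startup check this issue asks for, and of the "check and set" step the later commits describe, here is example Go code written for this page; it is not Docker's or libnetwork's own implementation. The `procSys` root parameter, the function names and the sentinel error are this example's assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// The two sysctls the issue identifies as sufficient for --icc=false: bridged
// IPv4/IPv6 traffic only reaches iptables/ip6tables chains when they read 1.
var bridgeNFParams = []string{"bridge-nf-call-iptables", "bridge-nf-call-ip6tables"}
// Returned when the files are absent, i.e. the br_netfilter module is not loaded.
var ErrBridgeNFMissing = fmt.Errorf("bridge netfilter sysctls not present; load the br_netfilter module")

// CheckBridgeNF reads the sysctls under procSys (normally "/proc/sys"; a parameter
// so the check can also run against a constructed tree) and returns those at 0.
func CheckBridgeNF(procSys string) ([]string, error) {
	var unset []string
	for _, p := range bridgeNFParams {
		data, err := os.ReadFile(filepath.Join(procSys, "net", "bridge", p))
		if os.IsNotExist(err) {
			return nil, ErrBridgeNFMissing
		}
		if err != nil {
			return nil, err
		}
		if strings.TrimSpace(string(data)) != "1" {
			unset = append(unset, p)
		}
	}
	return unset, nil
}

// EnsureBridgeNF is the "check and set" step from the commit message: every
// parameter found at 0 is written back as 1 (needs root on a real /proc/sys).
func EnsureBridgeNF(procSys string) error {
	unset, err := CheckBridgeNF(procSys)
	if err != nil {
		return err
	}
	for _, p := range unset {
		path := filepath.Join(procSys, "net", "bridge", p)
		if err := os.WriteFile(path, []byte("1\n"), 0o644); err != nil {
			return fmt.Errorf("cannot enable %s: %w", p, err)
		}
	}
	return nil
}
```

A daemon started with `--icc=false` would call `EnsureBridgeNF("/proc/sys")` before installing its DROP rule and refuse to start on error, since without these sysctls the rule never sees bridged traffic.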

miminar added a commit to miminar/docker that referenced this issue Mar 16, 2015

Check kernel params for bridge traffic filtering

Check whether bridge traffic is passed to iptables' chains if started
with `--icc=false`. Inter-container communication can be restricted only
if the following parameters are set.

- `/proc/sys/net/bridge/bridge-nf-call-iptables`
- `/proc/sys/net/bridge/bridge-nf-call-ip6tables`

Resolves issue moby#11404

Signed-off-by: Michal Minar <miminar@redhat.com>

miminar added a commit to miminar/docker that referenced this issue Apr 15, 2015

Check and set kernel params for bridge traffic filtering

Check whether bridge traffic is passed to iptables' chains if started
with `--icc=false`. Inter-container communication can be restricted only
if the following parameters are set.

- `/proc/sys/net/bridge/bridge-nf-call-iptables`
- `/proc/sys/net/bridge/bridge-nf-call-ip6tables`

If not present, ask the user to load `br_netfilter` kernel module.
If unset, try to set them.

Resolves issue moby#11404

Signed-off-by: Michal Minar <miminar@redhat.com>

miminar added a commit to miminar/docker that referenced this issue May 4, 2015

Check and set kernel params for bridge traffic filtering

Check whether bridge traffic is passed to iptables' chains if started
with `--icc=false`. Inter-container communication can be restricted only
if the following parameters are set.

- `/proc/sys/net/bridge/bridge-nf-call-iptables`
- `/proc/sys/net/bridge/bridge-nf-call-ip6tables`

If not present, try to load `br_netfilter` kernel module or ask the user
to do it. If unset, try to set them.

Resolves issue moby#11404

cpuguy83 commented Sep 12, 2015

Closing since docker/libnetwork#336 was merged to resolve this.
