Description
I'm trying to restrict outgoing connections from inside a container. From what I gathered, outgoing container traffic is routed via the FORWARD chain of iptables. The problem is, that after restarting the docker service or creating the container, docker will prepend its rules in the FORWARD chain, so my policy is never matched.
Steps to reproduce the issue:
- add an iptables rule to drop connections to `10.0.0.0/8` from the `br-do` bridge device used for the docker network so that `iptables --list FORWARD -v` reads

```
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             state INVALID
    0     0 DROP       udp  --  any    br-do   anywhere             10.0.0.0/8
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
```
- restart the docker daemon: `service docker restart`
Describe the results you received:
After restarting the docker daemon, the FORWARD chain will be altered in the following way:

```
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target            prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere
    0     0 DOCKER            all  --  any    br-do   anywhere             anywhere
    0     0 ACCEPT            all  --  any    br-do   anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT            all  --  br-do  !br-do  anywhere             anywhere
    0     0 ACCEPT            all  --  br-do  br-do   anywhere             anywhere
    0     0 DROP              all  --  any    any     anywhere             anywhere             state INVALID
    0     0 DROP              udp  --  any    br-do   anywhere             10.0.0.0/8
    0     0 ACCEPT            all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
```
Outgoing traffic will now be ACCEPTed before matching my intended policy.
Describe the results you expected:
I would have expected that docker adds the FORWARD rules more sensibly, or appends them to the end of the FORWARD chain, so my intended policy stays active.
Additional information you deem important (e.g. issue happens only occasionally):
I understand that it is complex for docker to pick the right behavior here. However, there must be a sensible way to enforce system-wide policies without going the `DOCKER_OPTS=--iptables=false` route.
Output of `docker version`:

```
Client:
 Version:      1.12.2
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   bb80604
 Built:        Tue Oct 11 18:15:17 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.2
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   bb80604
 Built:        Tue Oct 11 18:15:17 2016
 OS/Arch:      linux/amd64
```
Output of `docker info`:

```
Containers: 101
 Running: 3
 Paused: 0
 Stopped: 98
Images: 1433
Server Version: 1.12.2
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 1618
 Dirperm1 Supported: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge null host overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor
Kernel Version: 3.13.0-49-generic
Operating System: Ubuntu precise (12.04.5 LTS)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 31.3 GiB
Name: graph
ID: KCL5:MTXD:FDRD:YXDL:EO73:H2JE:2OZL:W2JX:IDN4:SBBV:CUVP:NTLC
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
 127.0.0.0/8
```
Running on a physical box.
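The check a practitioner wants after reading this report is a way to tell, after every `service docker restart`, whether a host policy rule in FORWARD has been pushed below Docker's ACCEPT rules and is therefore never evaluated. The script below is an added example; it is not part of the issue and not Docker's own code. It parses `iptables -S FORWARD` output (a constructed sample modelled on the two chains shown above is embedded so it runs offline), reports whether the user rule is shadowed, and offers a `reassert_user_rule` helper that re-inserts the rule at position 1 of FORWARD, which is where it has to sit on this Docker version for it to win against the prepended rules. The function names, the `IPTABLES` override variable and the sample listings are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the issue: detect whether a user FORWARD rule is
# shadowed by Docker's ACCEPT rules, and re-assert it at the head of the chain.

# Constructed sample of `iptables -S FORWARD` after the daemon restart,
# modelled on the chain listing in the issue (bridge br-do, 10.0.0.0/8 rule).
AFTER_RESTART='-P FORWARD DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-do -j DOCKER
-A FORWARD -o br-do -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-do ! -o br-do -j ACCEPT
-A FORWARD -i br-do -o br-do -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -o br-do -d 10.0.0.0/8 -p udp -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample of the same chain before the restart (user rule present,
# Docker rules absent).
BEFORE_RESTART='-P FORWARD DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -o br-do -d 10.0.0.0/8 -p udp -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# first_rule_index LISTING PATTERN
# Prints the 1-based position, counting only -A rules, of the first rule whose
# text matches PATTERN (an extended regex); prints 0 when nothing matches.
first_rule_index() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^-A / { n++; if (!found && $0 ~ pat) found = n }
        END    { print found + 0 }'
}

# policy_shadowed LISTING BRIDGE USER_PATTERN
# Succeeds (exit 0) when a Docker ACCEPT rule keyed on BRIDGE (as -i or -o)
# precedes the first rule matching USER_PATTERN, i.e. packets are accepted
# before the user rule is ever evaluated. Fails otherwise.
policy_shadowed() {
    listing=$1; bridge=$2; user_pat=$3
    user_pos=$(first_rule_index "$listing" "$user_pat")
    docker_pos=$(first_rule_index "$listing" \
        "^-A FORWARD (-i|-o) $bridge .*-j ACCEPT")
    [ "$user_pos" -gt 0 ] && [ "$docker_pos" -gt 0 ] && \
        [ "$docker_pos" -lt "$user_pos" ]
}

# check_live BRIDGE USER_PATTERN
# Same check against the running host (needs root to read the table).
check_live() {
    policy_shadowed "$(iptables -S FORWARD)" "$1" "$2"
}

# reassert_user_rule RULE-SPEC...
# Deletes any existing copy of the rule and re-inserts it at position 1 of
# FORWARD, ahead of whatever Docker prepended. IPTABLES (assumed variable)
# defaults to the real binary; set it to `echo` to dry-run.
reassert_user_rule() {
    ipt=${IPTABLES:-iptables}
    "$ipt" -D FORWARD "$@" 2>/dev/null || true
    "$ipt" -I FORWARD 1 "$@"
}

# Stand-alone run: report on the two constructed listings.
main() {
    pat='-d 10\.0\.0\.0/8 .*-j DROP'
    for name in BEFORE_RESTART AFTER_RESTART; do
        eval "listing=\$$name"
        if policy_shadowed "$listing" br-do "$pat"; then
            echo "$name: user rule is shadowed by a Docker ACCEPT rule"
        else
            echo "$name: user rule is reachable"
        fi
    done
    echo "to re-assert: IPTABLES=echo reassert_user_rule -o br-do -d 10.0.0.0/8 -p udp -j DROP"
}

[ "${0##*/}" = "forward_check.sh" ] && main
```

Run `check_live br-do '-d 10\.0\.0\.0/8 .*-j DROP'` from a cron job or a post-restart hook to catch the reordering described in the report; on this Docker version re-asserting the rule at position 1 is the only placement the daemon does not displace. Later Docker releases (17.06 and up) create a `DOCKER-USER` chain that is jumped to before Docker's own FORWARD rules, which is the supported place for this kind of host policy; that chain does not exist on 1.12.2.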