ip6tables rules break Neighbor Solicitation #45460
Comments
Hi @lordgurke, thanks for your report. I analyzed a bit more what's going on here, and I'm drafting a PR. Although resolving

In term1:

```console
$ docker network create --subnet 'fdf1:a844:380c:b247::/64' --ipv6 --internal testnet
$ docker run --rm -d --network testnet --name test1 nicolaka/netshoot /bin/sleep infinity
# Both ping fail
$ docker run --rm -t --network testnet --name test2 nicolaka/netshoot ping -c1 -6 test1
$ docker run --rm -t --network testnet --name test2 nicolaka/netshoot ping -c1 -6 fe80::42:acff:fe12:2%eth0
```

In term2:

```console
# First ping command
$ sudo ./bin/iptables-tracer -family ipv6 -iface=br-21502e5b2c6c -filter='icmp6 and (ip6[40] == 135 || ip6[40] == 136)' -filter-chain=filter/DOCKER-ISOLATION-STAGE-1
IN=br-21502e5b2c6c OUT= SRC=fdf1:a844:380c:b247::3 DST=ff02::1:ff00:2 LEN=32 HOP=255 PROTO=ICMPv6 TYPE/CODE=NeighborSolicitation CSUM=aa2b
filter DOCKER-ISOLATION-STAGE-1 NFMARK=0x0
MATCH RULE (#2): ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP
=> DROP
IN=br-21502e5b2c6c OUT= SRC=:: DST=ff02::1:ff12:3 LEN=32 HOP=255 PROTO=ICMPv6 TYPE/CODE=NeighborSolicitation CSUM=2d89
filter DOCKER-ISOLATION-STAGE-1 NFMARK=0x0
MATCH RULE (#1): ! -s fdf1:a844:380c:b247::/64 -o br-21502e5b2c6c -j DROP
=> DROP
IN=br-21502e5b2c6c OUT= SRC=fdf1:a844:380c:b247::3 DST=ff02::1:ff00:2 LEN=32 HOP=255 PROTO=ICMPv6 TYPE/CODE=NeighborSolicitation CSUM=aa2b
filter DOCKER-ISOLATION-STAGE-1 NFMARK=0x0
MATCH RULE (#2): ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP
=> DROP
IN=br-21502e5b2c6c OUT= SRC=fdf1:a844:380c:b247::3 DST=ff02::1:ff00:2 LEN=32 HOP=255 PROTO=ICMPv6 TYPE/CODE=NeighborSolicitation CSUM=aa2b
filter DOCKER-ISOLATION-STAGE-1 NFMARK=0x0
MATCH RULE (#2): ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP
=> DROP

# Second ping command
$ sudo ./bin/iptables-tracer -family ipv6 -iface=br-21502e5b2c6c -filter='icmp6 and (ip6[40] == 135 || ip6[40] == 136)' -filter-chain=filter/DOCKER-ISOLATION-STAGE-1
INFO[0000] Waiting for trace events...
IN=br-21502e5b2c6c OUT= SRC=fdf1:a844:380c:b247::3 DST=ff02::1:ff12:2 LEN=32 HOP=255 PROTO=ICMPv6 TYPE/CODE=NeighborSolicitation CSUM=90ce
filter DOCKER-ISOLATION-STAGE-1 NFMARK=0x0
MATCH RULE (#2): ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP
=> DROP
IN=br-21502e5b2c6c OUT= SRC=:: DST=ff02::1:ff12:3 LEN=32 HOP=255 PROTO=ICMPv6 TYPE/CODE=NeighborSolicitation CSUM=ba26
filter DOCKER-ISOLATION-STAGE-1 NFMARK=0x0
MATCH RULE (#1): ! -s fdf1:a844:380c:b247::/64 -o br-21502e5b2c6c -j DROP
=> DROP
IN=br-21502e5b2c6c OUT= SRC=fdf1:a844:380c:b247::3 DST=ff02::1:ff12:2 LEN=32 HOP=255 PROTO=ICMPv6 TYPE/CODE=NeighborSolicitation CSUM=90ce
filter DOCKER-ISOLATION-STAGE-1 NFMARK=0x0
MATCH RULE (#2): ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP
=> DROP
IN=br-21502e5b2c6c OUT= SRC=fdf1:a844:380c:b247::3 DST=ff02::1:ff12:2 LEN=32 HOP=255 PROTO=ICMPv6 TYPE/CODE=NeighborSolicitation CSUM=90ce
filter DOCKER-ISOLATION-STAGE-1 NFMARK=0x0
MATCH RULE (#2): ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP
=> DROP
```
IPv6 ipt rules are exactly the same as IPv4 rules, although both protocols don't use the same networking model. This has bad consequences, for instance:

1. the current v6 rules disallow Neighbor Solicitation/Advertisement;
2. and more generally, any datagram using link-local addresses.

To solve this, this commit changes the following rules:

```
-A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 -o br-21502e5b2c6c -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP
```

into:

```
-A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 ! -i br-21502e5b2c6c -o br-21502e5b2c6c -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c ! -o br-21502e5b2c6c -j DROP
```

These rules only limit the traffic ingressing/egressing the bridge, but not traffic between veth on the same bridge. Note that the kernel takes care of dropping invalid IPv6 packets, e.g. loopback spoofing, thus these rules don't need to be more specific.

Solve moby#45460.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
IPv6 ipt rules are exactly the same as IPv4 rules, although both protocols don't use the same networking model. This has bad consequences, for instance:

1. the current v6 rules disallow Neighbor Solicitation/Advertisement;
2. multicast addresses can't be used;
3. link-local addresses are blocked too.

To solve this, this commit changes the following rules:

```
-A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 -o br-21502e5b2c6c -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP
```

into:

```
-A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 ! -i br-21502e5b2c6c -o br-21502e5b2c6c -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c ! -o br-21502e5b2c6c -j DROP
```

These rules only limit the traffic ingressing/egressing the bridge, but not traffic between veth on the same bridge. Note that the kernel takes care of dropping invalid IPv6 packets, e.g. loopback spoofing, thus these rules don't need to be more specific.

Solve moby#45460.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Resolved by #45649.
IPv6 ipt rules are exactly the same as IPv4 rules, although both protocols don't use the same networking model. This has bad consequences, for instance:

1. the current v6 rules disallow Neighbor Solicitation/Advertisement;
2. multicast addresses can't be used;
3. link-local addresses are blocked too.

To solve this, this commit changes the following rules:

```
-A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 -o br-21502e5b2c6c -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP
```

into:

```
-A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 ! -i br-21502e5b2c6c -o br-21502e5b2c6c -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c ! -o br-21502e5b2c6c -j DROP
```

These rules only limit the traffic ingressing/egressing the bridge, but not traffic between veth on the same bridge. Note that the kernel takes care of dropping invalid IPv6 packets, e.g. loopback spoofing, thus these rules don't need to be more specific.

Solve moby#45460.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
(cherry picked from commit da9e44a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Description
With `ip6tables` enabled, Docker creates various ip6tables rules which should isolate networks from each other. The way this is done breaks neighbor solicitation, because traffic to addresses other than the configured subnet is dropped, thus filtering traffic to/from `fe80::/7`.
Reproduce

With `ip6tables: true` and `experimental: true`:

```
docker network create --subnet 'fdf1:a844:380c:b247::/64' --ipv6 --internal internal1
```
This will fail because neighbor solicitation will not work, as docker creates rules like these:

This drops traffic from/to `fe80::/7` which is needed for neighbor solicitation. As soon as you add a rule to explicitly allow ICMPv6 type 135 to pass, neighbor resolution will start to work:
(There might be a better fitting rule, but that one worked for me and should be safe enough as it only accepts NDP with hoplimit 255, so only locally generated packets)
Now you should be able to ping each container.
Expected behavior
Docker should add a rule to explicitly let IPv6 NDP pass (ICMPv6 type 135).
It needs to be inserted before the DROP rules that drop traffic with "wrong" IP addresses.
docker version
```
Client:
 Version:           23.0.4
 API version:       1.42
 Go version:        go1.20.3
 Git commit:        f480fb1e37
 Built:             Fri Apr 21 22:05:37 2023
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          23.0.4
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.20.3
  Git commit:       cbce331930
  Built:            Fri Apr 21 22:05:37 2023
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          v1.7.0
  GitCommit:        1fbd70374134b891f97ce19c70b6e50c7b9f4e0d.m
 runc:
  Version:          1.1.7
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```
docker info
Additional Info
No response
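The rule change described in the commit messages above, and the reporter's ICMPv6 type 135 workaround, can be checked against the traced packets with a small model of ip6tables matching. This is an added example, not moby's code or the reporter's: it is a first-match model of the `DOCKER-ISOLATION-STAGE-1` chain as seen in the FORWARD path (where same-bridge traffic has the bridge as both `-i` and `-o`), and it assumes a constructed second bridge `br-other` with subnet `fd00:1234::/64`, a constructed link-local address for the second container, and a reconstruction of the workaround rule (ACCEPT ICMPv6 type 135 with hop limit 255, inserted before the DROP rules), since the exact rule is not on the page.

```python
"""Model of the ip6tables DOCKER-ISOLATION-STAGE-1 rules discussed in this issue.

Added example, not moby's code. It implements just enough of ip6tables
matching (-s/-d and -i/-o with '!' negation, --icmpv6-type, -m hl --hl-eq)
to evaluate three rule sets against constructed packets modelled on the
iptables-tracer output in the issue.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List, Optional

SUBNET = IPv6Network("fdf1:a844:380c:b247::/64")   # subnet from the issue
BRIDGE = "br-21502e5b2c6c"                          # bridge name from the issue
OTHER_BRIDGE = "br-other"                           # constructed: a second docker network


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str          # -i: interface the packet arrived on
    out_if: str         # -o: interface it leaves through (FORWARD chain)
    icmpv6_type: Optional[int] = None
    hop_limit: int = 64


@dataclass
class Rule:
    """One '-A DOCKER-ISOLATION-STAGE-1 ...' rule; the *_neg fields model '!'."""
    target: str
    src: Optional[IPv6Network] = None
    src_neg: bool = False
    dst: Optional[IPv6Network] = None
    dst_neg: bool = False
    in_if: Optional[str] = None
    in_neg: bool = False
    out_if: Optional[str] = None
    out_neg: bool = False
    icmpv6_type: Optional[int] = None
    hl_eq: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        conds: List[bool] = []        # every specified match must hold
        if self.src is not None:
            conds.append((IPv6Address(p.src) in self.src) != self.src_neg)
        if self.dst is not None:
            conds.append((IPv6Address(p.dst) in self.dst) != self.dst_neg)
        if self.in_if is not None:
            conds.append((p.in_if == self.in_if) != self.in_neg)
        if self.out_if is not None:
            conds.append((p.out_if == self.out_if) != self.out_neg)
        if self.icmpv6_type is not None:
            conds.append(p.icmpv6_type == self.icmpv6_type)
        if self.hl_eq is not None:
            conds.append(p.hop_limit == self.hl_eq)
        return all(conds)


def evaluate(chain: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match falls off the chain (RETURN)."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return "RETURN"


# Rules as generated before the fix (quoted in the commit message).
OLD = [
    Rule("DROP", src=SUBNET, src_neg=True, out_if=BRIDGE),
    Rule("DROP", dst=SUBNET, dst_neg=True, in_if=BRIDGE),
]
# Rules proposed by the fix commit: only traffic crossing the bridge boundary.
FIXED = [
    Rule("DROP", src=SUBNET, src_neg=True, in_if=BRIDGE, in_neg=True, out_if=BRIDGE),
    Rule("DROP", dst=SUBNET, dst_neg=True, in_if=BRIDGE, out_if=BRIDGE, out_neg=True),
]
# Reporter's workaround as reconstructed here (exact rule not on the page):
# ACCEPT ICMPv6 type 135 with hop limit 255, inserted before the DROP rules.
WORKAROUND = [Rule("ACCEPT", icmpv6_type=135, hl_eq=255)] + OLD

RULESETS = {"old": OLD, "fixed": FIXED, "workaround": WORKAROUND}

# Constructed packets; the first two mirror the traced Neighbor Solicitations,
# the link-local ping mirrors the second failing ping, the rest are cross-bridge.
PACKETS = {
    "ns_solicited_node": Packet("fdf1:a844:380c:b247::3", "ff02::1:ff00:2", BRIDGE, BRIDGE, 135, 255),
    "ns_dad_unspecified": Packet("::", "ff02::1:ff12:3", BRIDGE, BRIDGE, 135, 255),
    "ping_link_local": Packet("fe80::42:acff:fe12:3", "fe80::42:acff:fe12:2", BRIDGE, BRIDGE, 128, 64),
    "egress_to_other_net": Packet("fdf1:a844:380c:b247::3", "fd00:1234::5", BRIDGE, OTHER_BRIDGE),
    "ingress_from_other_net": Packet("fd00:1234::5", "fdf1:a844:380c:b247::3", OTHER_BRIDGE, BRIDGE),
}


def decisions() -> Dict[str, Dict[str, str]]:
    """Verdict of every rule set for every constructed packet."""
    return {name: {rs: evaluate(chain, p) for rs, chain in RULESETS.items()}
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, verdicts in decisions().items():
        print(f"{name:24s} " + "  ".join(f"{rs}={v}" for rs, v in verdicts.items()))
```

Running it prints one row per packet. The `ping_link_local` row is the point the commit message makes: the type-135 ACCEPT makes neighbor resolution work, but a ping to an `fe80::` address is still dropped by the old rules, whereas the `! -i` / `! -o` variants leave same-bridge traffic alone and still drop both directions of traffic crossing to or from another bridge.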