
network: fall back to blanket port block when cgroup isolation unavailable#66

Merged
navanchauhan merged 1 commit into main from fix/issue-60-cgroup-isolation-fallback
Mar 4, 2026

Conversation

@navanchauhan
Collaborator

Summary

  • when xt_cgroup (iptables) or nft cgroupv2 socket matching is unavailable, fall back to blocking ALL outbound connections to the control plane port instead of crashing with FATAL
  • fix nftables ensure_rule comment quoting — nft requires literal quotes around comment values containing colons (e.g. "leash:block-control-plane-fallback")

Why

Issue #60: LinuxKit kernels (Docker Desktop 6.12.68-linuxkit, 6.12.72-linuxkit) and OrbStack (6.17.8-orbstack) do not ship xt_cgroup or support nft socket cgroupv2 matching. The cgroup-based iptables rule fails with RULE_APPEND failed (Invalid argument), causing leash to exit immediately.

The fallback blanket port block (-p tcp --dport $LEASH_PORT -j REJECT) still prevents the target container from reaching leashd since they share a network namespace. External access via Docker port publishing is unaffected (enters via INPUT, not OUTPUT).

Validation

  • Confirmed xt_cgroup unavailable on Docker Desktop LinuxKit 6.12.72-linuxkit and OrbStack 6.17.8-orbstack
  • All three scripts (apply-iptables.sh, apply-ip6tables.sh, apply-nftables.sh) tested standalone on both runtimes — fallback rules applied successfully
  • Full end-to-end leash -I sleep 60 on OrbStack:
    • both containers start and stay running (no FATAL crash)
    • fallback iptables filter rule present: tcp dpt:18080 reject-with tcp-reset
    • target container blocked from reaching http://127.0.0.1:18080/ (wget exit 4)

Closes #60
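The fallback described above, as an added shell example that is not leash's own apply-iptables.sh: try the cgroup-scoped rule first and, when the append fails (as it does on kernels without xt_cgroup), fall back to rejecting all outbound TCP to the control-plane port. LEASH_CGROUP, the IPTABLES override and the comment strings are assumptions modelled on the PR description.

```shell
#!/bin/sh
# Added example (not leash's own script). Applies a cgroup-scoped REJECT for
# the control-plane port and falls back to a blanket port block when the
# kernel lacks xt_cgroup. LEASH_CGROUP and the comment strings are assumed.
set -u

LEASH_PORT="${LEASH_PORT:-18080}"
LEASH_CGROUP="${LEASH_CGROUP:-/leash/target}"   # assumed cgroup v2 path
IPTABLES="${IPTABLES:-iptables}"                # overridable for testing

# ensure_rule CHAIN RULE... : append RULE to CHAIN unless already present.
# Returns non-zero when the append fails (e.g. "Invalid argument" when the
# cgroup match module is missing), so the caller can choose a fallback
# instead of treating it as fatal.
ensure_rule() {
    chain=$1; shift
    if "$IPTABLES" -w -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -w -A "$chain" "$@" 2>/dev/null
}

# apply_control_plane_block: prefer the cgroup-scoped rule; on failure fall
# back to rejecting ALL outbound TCP to the control-plane port (both
# containers share a network namespace, so this still isolates the target).
# Prints "cgroup" or "fallback"; fails only when neither rule can be added.
apply_control_plane_block() {
    if ensure_rule OUTPUT -m cgroup --path "$LEASH_CGROUP" \
        -p tcp --dport "$LEASH_PORT" -j REJECT --reject-with tcp-reset \
        -m comment --comment "leash:block-control-plane"; then
        echo cgroup
        return 0
    fi
    if ensure_rule OUTPUT -p tcp --dport "$LEASH_PORT" \
        -j REJECT --reject-with tcp-reset \
        -m comment --comment "leash:block-control-plane-fallback"; then
        echo fallback
        return 0
    fi
    echo "FATAL: could not install any control-plane block" >&2
    return 1
}
```

Setting IPTABLES to a wrapper (or to ip6tables) lets the same logic be exercised without root, as the test below does with a fake that rejects any `-m cgroup` rule.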

…lable

LinuxKit (Docker Desktop) and OrbStack kernels lack xt_cgroup / nft
cgroupv2 socket matching, causing leash to FATAL on startup. When
cgroup-scoped filtering fails, block ALL outbound connections to the
control plane port instead. This still prevents the target container
from reaching leashd while external access via Docker port publishing
is unaffected.

Also fix nftables ensure_rule comment quoting — nft requires literal
quotes around comment values containing colons.

Closes #60
@navanchauhan navanchauhan merged commit 5bf1c64 into main Mar 4, 2026
1 check passed
@navanchauhan navanchauhan deleted the fix/issue-60-cgroup-isolation-fallback branch March 4, 2026 22:59

Development

Successfully merging this pull request may close these issues.

Leash fails to start on Docker Desktop: xt_cgroup module unavailable in LinuxKit
