-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Drop iptables global rule to drop packets in the forward chain by default #136
Comments
is this related to moby/moby#45280? 👀 (I think this is something the Moby project is probably keen to improve/collaborate on, FWIW) |
Are you talking the same thing at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865975 (docker.io changes iptables default FORWARD policy to DROP, breaks VM and others). You can read my summary at Message#91. |
this is more to do with the fact that docker snap currently conflicts with microk8s & lxd. But the consequences of moby/moby#14041 are peculiar, thus I wonder what lxd does there. |
@tomponline given moby/moby#14041 how does lxd avoid such exposure of containers, without the default drop rule? |
In short, it doesn't. However it will not enable IP forwarding until one or more managed Additionally IP forwarding is not enabled when the https://linuxcontainers.org/lxd/docs/master/reference/network_bridge/#configuration-options I wrote more about this here: https://discuss.linuxcontainers.org/t/reasoning-behind-in-out-fwd-netfilter-rules/14444/5?u=tomp In theory, if we were going to make it so that LXD managed bridges were not reachable from the LAN, but still supported egress SNAT (which requires forwarding be enabled) we wouldn't modify the global FORWARD policy to be DROP/REJECT (because of the disruption that would cause to other applications). Instead I suspect we would add bridge interface specific DROP/REJECT rules so that LXD instances connected to LXD managed bridges were not reachable from the LAN, without affecting other interfaces. Although enabling IP forwarding would still potentially make other applications reachable from the LAN. |
docker is not the only daemon, it shouldn't drop everything on the floor by default.
The text was updated successfully, but these errors were encountered: