Always configure iptables forward policy #2450
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Please sign your commits following these rules: $ git clone -b "iptables-policy" git@github.com:TheNodi/libnetwork.git somewhere
$ cd somewhere
$ git commit --amend -s --no-edit
$ git push -fAmending updates the existing PR. You DO NOT need to open a new one. |
Signed-off-by: Leonardo Nodari <me@leonardonodari.it>
TheNodi
force-pushed
the
iptables-policy
branch
from
d7588d2
to
d070217
Compare
euanh
approved these changes
Sep 17, 2019
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this pull request
Sep 20, 2019
full diff: moby/libnetwork@92d1fbe...96bcc0d changes included: - moby/libnetwork#2429 Updating IPAM config with results from HNS create network call - addresses moby#38358 - moby/libnetwork#2450 Always configure iptables forward policy - related to moby#14041 and moby/libnetwork#1526 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
docker-jenkins
pushed a commit
to docker/docker-ce
that referenced
this pull request
Sep 23, 2019
full diff: moby/libnetwork@92d1fbe...96bcc0d changes included: - moby/libnetwork#2429 Updating IPAM config with results from HNS create network call - addresses moby/moby#38358 - moby/libnetwork#2450 Always configure iptables forward policy - related to moby/moby#14041 and moby/libnetwork#1526 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Upstream-commit: 75477f0b3c77f2108a6b5586dbc246c52b479941 Component: engine
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this pull request
Sep 24, 2019
full diff: moby/libnetwork@92d1fbe...96bcc0d changes included: - moby/libnetwork#2429 Updating IPAM config with results from HNS create network call - addresses moby#38358 - moby/libnetwork#2450 Always configure iptables forward policy - related to moby#14041 and moby/libnetwork#1526 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 75477f0) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
docker-jenkins
pushed a commit
to docker/docker-ce
that referenced
this pull request
Sep 25, 2019
full diff: moby/libnetwork@92d1fbe...96bcc0d changes included: - moby/libnetwork#2429 Updating IPAM config with results from HNS create network call - addresses moby/moby#38358 - moby/libnetwork#2450 Always configure iptables forward policy - related to moby/moby#14041 and moby/libnetwork#1526 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 75477f0b3c77f2108a6b5586dbc246c52b479941) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Upstream-commit: 559be42fc26048f4069de64f84202803a113413a Component: engine
|
Related: moby/moby#39439 |
thaJeztah
added a commit
to thaJeztah/docker
that referenced
this pull request
Oct 7, 2019
The patch made in moby/libnetwork#2450 caused a breaking change in the networking behaviour, causing Kubernetes installations on Docker Desktop (and possibly other setups) to fail. Rolling back this change in the 19.03 branch while we investigate if there are alternatives. diff: moby/libnetwork@45c7102...96bcc0d Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
docker-jenkins
pushed a commit
to docker/docker-ce
that referenced
this pull request
Oct 8, 2019
The patch made in moby/libnetwork#2450 caused a breaking change in the networking behaviour, causing Kubernetes installations on Docker Desktop (and possibly other setups) to fail. Rolling back this change in the 19.03 branch while we investigate if there are alternatives. diff: moby/libnetwork@45c7102...96bcc0d Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Upstream-commit: fb0fca86077528466cc66fef20697537941ca125 Component: engine
Closed
burnMyDread
pushed a commit
to burnMyDread/moby
that referenced
this pull request
Oct 21, 2019
full diff: moby/libnetwork@92d1fbe...96bcc0d changes included: - moby/libnetwork#2429 Updating IPAM config with results from HNS create network call - addresses moby#38358 - moby/libnetwork#2450 Always configure iptables forward policy - related to moby#14041 and moby/libnetwork#1526 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: zach <Zachary.Joyner@linux.com>
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Follow-up email to security@docker.com, ping @justincormack
Related to moby/moby#14041 and #1526
By default, when Docker starts up (to configure the bridge network driver) it enables
ip_forwardflag and it sets iptablesFORWARDchain policy toDROP(unless daemon'siptablesoption is set tofalse). Then Docker insertsACCEPTrules based on the configured networks.If another software (or an administrator) enables
ip_forwardflag before Docker boot, iptables policy configuration is skipped, resulting in the default policy beingACCEPT. Docker still configures all other rules, but they have no meaning because they are onlyACCEPTrules (and the default isACCEPTanyway). These lead to a local attacker being able to access all containers by setting the host as gateway for the (guessable) Docker subnets (as shown in moby/moby#14041).Accessing all containers can be a security vulnerability, especially when unauthenticated private services are running (e.g., Redis). An example software that interferes with Docker is OpenVPN, because it enables
ip_forwardflag at boot before Docker has a change of reading it. OpenVPN has the increased problem of allowing all clients connected to the vpn server the ability of abusing this vulnerability acting as local nodes in the network (I've found this scenario multiple times in the wild), but it is not the only software causing this issue.To reproduce it, you can use a fresh copy of Ubuntu 18.04, install Docker and then install OpenVPN (Official APT repository, no need to configure VPN server/clients) and reboot the server. On next boot, iptables forward policy remains
ACCEPT.Because Docker's
iptablesflag is stilltrue, and because Docker is still configuring all other iptables' rules, I think it should configure iptables forward policy even whenip_forwardflag is1. This would ensure a secure setup by default, and if the user wants more control over iptables, he should explicitly disable Docker's iptables management.