Unable to filter traffic being forwarded from docker bridge interfaces #23897
Comments
Hmmm, I can't add jumps to my own chains in the FORWARD chain because any time I Are you saying it's kosher for me to add a jump to a chain from DOCKER-ISOLATION? If so, is it the case that DOCKER-ISOLATION will only contain DROP rules and that the RETURN is guaranteed to always be the last item in DOCKER-ISOLATION, regardless of what I add? Thanks
@gordonsyme Oh I see, didn't realize libnetwork was prepending. I'm not sure why it would be prepending. ping @mrjana
ping @aboch
@gordonsyme The forward chain you would use to insert user defined firewall rules is still the
@aboch AFAICS the jump to the I guess I could block the response traffic from the external network but that'd be an odd way to manage things.
@gordonsyme Ah right, you are interested in filtering traffic coming from the bridge, sorry. There was a reason why the rules at network creation are prepended in the FORWARD chain, which I can't recall at the moment. Need to look into it if the need still holds true. Maybe we should also think of adding a jump to
This would be ideal
I also have the issue that I can't filter docker's traffic, because creating networks always prepends instead of appending. Having a chain to put my own (DROP) rules in without docker wiping them is a must.
Output of docker version:

Output of docker info:

Steps to reproduce the issue:
The specific troublesome rule looks to be
which allows any traffic originating from the docker bridge to be forwarded anywhere.
Describe the results you expected:
I'd like to be able to enforce my own policies when it comes to filtering traffic. The ideal for me would be for docker to jump to a chain specifically intended for admins to add their own rules for traffic to/from docker bridge interfaces. Much like the jump to the DOCKER-ISOLATION chain, although my understanding is that DOCKER-ISOLATION is a managed chain that I shouldn't manipulate.