when enabling ip forwarding set the default forward policy to drop #1526
Conversation
| return fmt.Errorf("Setup IP forwarding failed: %v", err) | ||
| } | ||
| if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil { | ||
| return fmt.Errorf("setting default policy failed: %v", err) |
There was a problem hiding this comment.
SetDefaultPolicy already returns a comprehensive error string. This one is not adding anything new to that.
I would just return err here.
There was a problem hiding this comment.
yeah.. I was also thinking about just returning the error here. will change it.
| return fmt.Errorf("Setup IP forwarding failed: %v", err) | ||
| } | ||
| if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil { | ||
| return fmt.Errorf("setting default policy failed: %v", err) |
There was a problem hiding this comment.
In case of failure to set the policy to drop, we must reset ip_forwarding to 0
|
We will now touch the iptables (changing the default policy) even if daemon was started with --iptables=false. |
|
|
|
@aboch Addressed the comments. PTAL |
| return &ErrInvalidDriverConfig{} | ||
| } | ||
|
|
||
| if config.EnableIPForwarding { |
There was a problem hiding this comment.
Given the new logic is to change the FORWARD chain default policy only if config.EnableIPTables==true, I am thinking we do not need to move this code, neither make any change in SetupForwarding().
We only need to add in SetupIPChain(configuration)
if config.EnableIPForwarding {
if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
return fmt.Errorf("%v. IP forwarding was set to 1", err)
}
}
Also this will guarantee the action will take place when the firewall is reloaded:
iptables.OnReloaded(..., setupIPChains)
There was a problem hiding this comment.
config.EnableIPForwarding is set based on the daemon flag and not by checking the sysctl ip_forward. By doing the way you are suggesting we will call SetDefaultPolicy even if ip_forward is already enabled; ie: ip_forward might be enabled and the default policy set be ACCEPT. Docker changing that to DROP is incorrect.
|
After some more thinking of this and talk offline, I see the FORWARD chain policy will be set to DROP only if the ip forwarding is being enabled during this running instance. If the daemon was already running and we upgrade it to the version containing this fix, or if the user has it enabled via other means, the policy will not be set to DROP. I believe this is for assuring we do not disrupt current behavior on the host. I would be more on the conservative side and always set the policy to DROP in But I understand this is opinable. |
Signed-off-by: Santhosh Manohar <santhosh@docker.com>
|
@aboch When firewalld is enabled, if firewalld is restarted the default policy has to be set again. Added a function to |
|
@sanimej after much discussion, I think this is a reasonable approach considering the backward compatibility. Lets document this clearly in docker/docker. LGTM |
full diff: moby/libnetwork@92d1fbe...96bcc0d changes included: - moby/libnetwork#2429 Updating IPAM config with results from HNS create network call - addresses moby#38358 - moby/libnetwork#2450 Always configure iptables forward policy - related to moby#14041 and moby/libnetwork#1526 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: moby/libnetwork@92d1fbe...96bcc0d changes included: - moby/libnetwork#2429 Updating IPAM config with results from HNS create network call - addresses moby/moby#38358 - moby/libnetwork#2450 Always configure iptables forward policy - related to moby/moby#14041 and moby/libnetwork#1526 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Upstream-commit: 75477f0b3c77f2108a6b5586dbc246c52b479941 Component: engine
full diff: moby/libnetwork@92d1fbe...96bcc0d changes included: - moby/libnetwork#2429 Updating IPAM config with results from HNS create network call - addresses moby#38358 - moby/libnetwork#2450 Always configure iptables forward policy - related to moby#14041 and moby/libnetwork#1526 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 75477f0) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: moby/libnetwork@92d1fbe...96bcc0d changes included: - moby/libnetwork#2429 Updating IPAM config with results from HNS create network call - addresses moby/moby#38358 - moby/libnetwork#2450 Always configure iptables forward policy - related to moby/moby#14041 and moby/libnetwork#1526 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 75477f0b3c77f2108a6b5586dbc246c52b479941) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Upstream-commit: 559be42fc26048f4069de64f84202803a113413a Component: engine
full diff: moby/libnetwork@92d1fbe...96bcc0d changes included: - moby/libnetwork#2429 Updating IPAM config with results from HNS create network call - addresses moby#38358 - moby/libnetwork#2450 Always configure iptables forward policy - related to moby#14041 and moby/libnetwork#1526 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: zach <Zachary.Joyner@linux.com>
4 participants
Related to docker #14041
If docker daemon enables ip_forwarding on a host set the policy in the FORWARD chain to DROP. This blocks the vulnerability explained in the above mentioned issue. Setting the policy is done from the bridge driver to keep it consistent with the current handling for
ip_forwardflag.Signed-off-by: Santhosh Manohar santhosh@docker.com