Bad order of iptables filter rules created by Docker #18911

@JrCs

Description

Iptables filter rules created by Docker are in the wrong order.

docker version:

Client:
Version:      1.9.1-cs2
 API version:  1.21
 Go version:   go1.4.3
 Git commit:   4ade326
 Built:        Mon Nov 30 21:56:07 UTC 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.9.1-cs2
 API version:  1.21
 Go version:   go1.4.3
 Git commit:   4ade326
 Built:        Mon Nov 30 21:56:07 UTC 2015
 OS/Arch:      linux/amd64

docker info:

Containers: 7
Images: 77
Server Version: 1.9.1-cs2
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 91
 Dirperm1 Supported: false
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.13.0-71-generic
Operating System: Ubuntu 14.04.3 LTS
CPUs: 1
Total Memory: 490 MiB
Name: ddb8db68-jrcs.node.tutum.io
ID: BRQF:HE2U:LXII:LKRJ:QYAQ:HBI7:EBHF:JZ7G:EDIU:MNNP:AYEX:LQ4M
WARNING: No swap limit support

uname -a:

Linux ddb8db68-jrcs.node.tutum.io 3.13.0-71-generic #114-Ubuntu SMP Tue Dec 1 02:34:22 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

I run Docker on a Digital Ocean Ubuntu node.

Steps to reproduce

After Docker has started, run iptables -v -L FORWARD:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out      source    destination
    0     0 DROP       all  --  docker0 weave    anywhere  anywhere
  547 55371 DOCKER     all  --  any     docker0  anywhere  anywhere
  547 55371 ACCEPT     all  --  any     docker0  anywhere  anywhere  ctstate RELATED,ESTABLISHED
  526 1009K ACCEPT     all  --  docker0 !docker0 anywhere  anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere  anywhere
    0     0 ACCEPT     all  --  weave   weave    anywhere  anywhere

As you can see, the ctstate RELATED,ESTABLISHED rule is defined AFTER the "call" to the DOCKER chain.
So the rules defined in the DOCKER chain are always checked even if the connection is already established.

I think that the setupIPTablesInternal function (in vendor/src/github.com/docker/libnetwork/drivers/bridge/setup_ip_tables.go) must be called after the iptables.ProgramChain function, because these functions insert iptables rules in front of other rules (using the -I option of iptables).
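A small check for the ordering problem described above, added here as an example and not code from the issue or from Docker/libnetwork: it reads the output of iptables -v -L FORWARD and reports whether the ctstate RELATED,ESTABLISHED ACCEPT rule for traffic leaving via docker0 is evaluated before the jump to the DOCKER chain. The two embedded listings are constructed samples (the first is the one from the issue); the function names are my own.

```shell
#!/bin/sh
# Reads `iptables -v -L FORWARD` on stdin. Prints a verdict and returns
# 0 (ok), 1 (misordered: DOCKER jump precedes the conntrack ACCEPT) or
# 2 (one of the two rules was not found).
check_forward_order() {
    awk '
        /^Chain / || $1 == "pkts" || NF == 0 { next }   # skip headers and blank lines
        # columns: pkts bytes target prot opt in out source destination [match]
        $3 == "DOCKER" && $7 == "docker0" && !jump { jump = NR }
        $3 == "ACCEPT" && $7 == "docker0" && /RELATED,ESTABLISHED/ && !est { est = NR }
        END {
            if (!jump || !est) { print "missing"; exit 2 }
            if (est < jump)    { print "ok"; exit 0 }
            print "misordered"; exit 1
        }'
}

# Verdict for a listing passed as a string (exit status folded away, for scripting).
verdict() { printf '%s\n' "$1" | check_forward_order || true; }

# Constructed sample: the listing from the issue (DOCKER jump before the ctstate rule).
SAMPLE_MISORDERED=$(cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out      source    destination
    0     0 DROP       all  --  docker0 weave    anywhere  anywhere
  547 55371 DOCKER     all  --  any     docker0  anywhere  anywhere
  547 55371 ACCEPT     all  --  any     docker0  anywhere  anywhere  ctstate RELATED,ESTABLISHED
  526 1009K ACCEPT     all  --  docker0 !docker0 anywhere  anywhere
EOF
)

# Constructed sample: the same chain with the ctstate rule ahead of the jump.
SAMPLE_FIXED=$(cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out      source    destination
  547 55371 ACCEPT     all  --  any     docker0  anywhere  anywhere  ctstate RELATED,ESTABLISHED
  547 55371 DOCKER     all  --  any     docker0  anywhere  anywhere
  526 1009K ACCEPT     all  --  docker0 !docker0 anywhere  anywhere
EOF
)

# On a live host: iptables -v -L FORWARD | check_forward_order
verdict "$SAMPLE_MISORDERED"   # prints "misordered"
verdict "$SAMPLE_FIXED"        # prints "ok"
```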

Labels: area/networking, kind/enhancement, version/1.9