robbertkl / docker-ipv6nat

Extend Docker with IPv6 NAT, similar to IPv4

No ICC for IPv6 network if "--internal" is used

bephinix opened this issue · comments

Problem/Bug

Running a fresh Docker CE system without the default bridge and only a custom network created with the following command:

sudo docker network create --ipv6 --subnet 172.22.99.0/24 --subnet fdef:0:0:99::/64 --internal my99

iptables (IPv4) FORWARD (and referenced) chains:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-d403f56263c1 br-d403f56263c1  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      br-d403f56263c1 !172.30.99.0/24       0.0.0.0/0           
    0     0 DROP       all  --  br-d403f56263c1 *       0.0.0.0/0           !172.30.99.0/24      
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0    

ip6tables (IPv6) FORWARD (and referenced) chains:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION  all      *      *       ::/0                 ::/0

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      *      br-d403f56263c1 !fddd:0:0:99::/64     ::/0                
    0     0 DROP       all      br-d403f56263c1 *       ::/0                !fddd:0:0:99::/64    
    0     0 RETURN     all      *      *       ::/0                 ::/0

As you can see, ip6tables is missing a rule to allow traffic between containers on such an "--internal" network.

Solution/Fix

We need to change this part of manager.go:

	if network.internal {
		// Internal network: only the two isolation DROP rules are generated and
		// the function returns early, so the ICC rule below is never created.
		return &Ruleset{
			NewPrependRule(TableFilter, ChainDockerIsolation,
				"!", "-s", network.subnet.String(),
				"-o", network.bridge,
				"-j", "DROP"),
			NewPrependRule(TableFilter, ChainDockerIsolation,
				"!", "-d", network.subnet.String(),
				"-i", network.bridge,
				"-j", "DROP"),
		}
	}

	// Only reached for non-internal networks.
	iccAction := "ACCEPT"
	if !network.icc {
		iccAction = "DROP"
	}

We have to check for the icc flag before creating the ruleset for an internal network.

If you set icc to false for this internal network, FORWARD will contain the following rule:

    0     0 DROP     all  --  br-d403f56263c1 br-d403f56263c1  0.0.0.0/0            0.0.0.0/0

So we only need to move the icc check before the internal ruleset generation and always create a rule, which will use iccAction as its action.

@robbertkl I will create a MR/PR.
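The reordering proposed above, written out as an added Go example that is not docker-ipv6nat's own code: Rule, Network and NetworkRuleset are simplified stand-ins for the project's Ruleset and NewPrependRule types, and the non-internal branch keeps only the ICC rule so the effect of moving the icc check is visible for both network kinds.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for docker-ipv6nat's Ruleset types (assumed, not the project's own).
type Rule struct {
	Chain   string
	Prepend bool     // insert at top (-I) instead of append (-A)
	Spec    []string // ip6tables match/target arguments
}
type Network struct {
	Subnet, Bridge string
	Internal       bool // created with --internal
	ICC            bool // inter-container communication enabled
}

// String renders the rule in ip6tables-save syntax for easy diffing.
func (r Rule) String() string {
	op := "-A"
	if r.Prepend {
		op = "-I"
	}
	return fmt.Sprintf("%s %s %s", op, r.Chain, strings.Join(r.Spec, " "))
}
// NetworkRuleset decides the ICC action before the internal early-return, so an internal
// network still gets its bridge-to-bridge FORWARD rule; the project's other rules are omitted.
func NetworkRuleset(n Network) []Rule {
	iccAction := "ACCEPT"
	if !n.ICC {
		iccAction = "DROP"
	}
	icc := Rule{"FORWARD", false, []string{"-i", n.Bridge, "-o", n.Bridge, "-j", iccAction}}
	if n.Internal {
		return []Rule{
			{"DOCKER-ISOLATION", true, []string{"!", "-s", n.Subnet, "-o", n.Bridge, "-j", "DROP"}},
			{"DOCKER-ISOLATION", true, []string{"!", "-d", n.Subnet, "-i", n.Bridge, "-j", "DROP"}},
			icc,
		}
	}
	return []Rule{icc}
}

func main() {
	for _, r := range NetworkRuleset(Network{"fdef:0:0:99::/64", "br-d403f56263c1", true, true}) {
		fmt.Println(r)
	}
}
```

The printed lines are in the same syntax as ip6tables-save output, so they can be compared directly against the live ruleset after the fix.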

Awesome! Looking forward to your PR!

Just wanted to let you know that it's a bit more convenient to compare rules by using iptables-save and ip6tables-save.

Oh, I forgot. Just copied it from my terminal. 👍