No ICC for IPv6 network if "--internal" is used
bephinix opened this issue · comments
Problem/Bug
Running a fresh Docker CE system without the default bridge and only a custom network created with the following command:
sudo docker network create --ipv6 --subnet 172.22.99.0/24 --subnet fdef:0:0:99::/64 --internal my99
iptables (IPv4) FORWARD (and referenced) chains:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-d403f56263c1 br-d403f56263c1 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (0 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * br-d403f56263c1 !172.30.99.0/24 0.0.0.0/0
0 0 DROP all -- br-d403f56263c1 * 0.0.0.0/0 !172.30.99.0/24
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
ip6tables (IPv6) FORWARD (and referenced) chains:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION all * * ::/0 ::/0
Chain DOCKER-ISOLATION (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * br-d403f56263c1 !fddd:0:0:99::/64 ::/0
0 0 DROP all br-d403f56263c1 * ::/0 !fddd:0:0:99::/64
0 0 RETURN all * * ::/0 ::/0
As you can see, ip6tables is missing a rule to allow traffic between containers on such an "--internal" network.
Solution/Fix
We need to change this part of manager.go:
if network.internal {
    return &Ruleset{
        NewPrependRule(TableFilter, ChainDockerIsolation,
            "!", "-s", network.subnet.String(),
            "-o", network.bridge,
            "-j", "DROP"),
        NewPrependRule(TableFilter, ChainDockerIsolation,
            "!", "-d", network.subnet.String(),
            "-i", network.bridge,
            "-j", "DROP"),
    }
}
iccAction := "ACCEPT"
if !network.icc {
    iccAction = "DROP"
}
We have to check for icc flag before creating the ruleset for an internal network.
If you set icc to false for this internal network, FORWARD will contain the following rule:
0 0 DROP all -- br-d403f56263c1 br-d403f56263c1 0.0.0.0/0 0.0.0.0/0
So we only need to move the icc check before the internal ruleset generation and always create a rule, which will use iccAction as its action.
@robbertkl I will create a MR/PR.
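The control-flow change proposed above, written out as an added example (this is not the project's code from manager.go). The Rule and Network types, and the function names RulesBefore, RulesAfter and ICCAction, are assumptions made for this example; the bridge name and the IPv6 subnet are taken from the issue. RulesBefore reproduces the early return that drops the ICC rule for internal networks, RulesAfter emits the isolation DROPs and then always appends the bridge-to-bridge FORWARD rule with the icc-dependent action, and ICCAction is the check you would run over either ruleset.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Rule is a minimal stand-in for one ip6tables rule. It is an assumption
// made for this example and is not the Ruleset type used in manager.go.
type Rule struct {
	Table   string
	Chain   string
	Prepend bool // true renders as -I (insert at top), false as -A (append)
	Args    []string
}

// String renders the rule as an ip6tables command-line fragment.
func (r Rule) String() string {
	verb := "-A"
	if r.Prepend {
		verb = "-I"
	}
	return fmt.Sprintf("-t %s %s %s %s", r.Table, verb, r.Chain, strings.Join(r.Args, " "))
}

// Network carries only the fields the rule generator reads.
type Network struct {
	Bridge   string
	Subnet   *net.IPNet
	Internal bool
	ICC      bool
}

// isolationRules are the two DROPs shown in the issue: nothing from outside
// the subnet may enter the bridge, nothing from the bridge may leave the subnet.
func isolationRules(n Network) []Rule {
	return []Rule{
		{"filter", "DOCKER-ISOLATION", true, []string{"!", "-s", n.Subnet.String(), "-o", n.Bridge, "-j", "DROP"}},
		{"filter", "DOCKER-ISOLATION", true, []string{"!", "-d", n.Subnet.String(), "-i", n.Bridge, "-j", "DROP"}},
	}
}

// iccRule is the bridge-to-bridge FORWARD rule whose absence is the bug.
func iccRule(n Network) Rule {
	action := "ACCEPT"
	if !n.ICC {
		action = "DROP"
	}
	return Rule{"filter", "FORWARD", false, []string{"-i", n.Bridge, "-o", n.Bridge, "-j", action}}
}

// RulesBefore reproduces the faulty control flow: an internal network
// returns early with only the isolation DROPs, so the ICC action is never used.
func RulesBefore(n Network) []Rule {
	if n.Internal {
		return isolationRules(n)
	}
	return []Rule{iccRule(n)} // non-internal path, reduced to the ICC rule for this example
}

// RulesAfter applies the proposed fix: the ICC rule is emitted for every
// network, and internal networks additionally get the isolation DROPs.
func RulesAfter(n Network) []Rule {
	rules := []Rule{}
	if n.Internal {
		rules = append(rules, isolationRules(n)...)
	}
	return append(rules, iccRule(n))
}

// ICCAction returns the target of the FORWARD rule that matches traffic
// entering and leaving the same bridge, or "" when no such rule exists
// (the state the issue reports for ip6tables).
func ICCAction(rules []Rule, bridge string) string {
	for _, r := range rules {
		if r.Chain != "FORWARD" {
			continue
		}
		if strings.Contains(strings.Join(r.Args, " "), "-i "+bridge+" -o "+bridge+" -j ") {
			return r.Args[len(r.Args)-1]
		}
	}
	return ""
}

func main() {
	_, subnet, _ := net.ParseCIDR("fdef:0:0:99::/64")
	n := Network{Bridge: "br-d403f56263c1", Subnet: subnet, Internal: true, ICC: true}
	fmt.Println("before fix (ICC rule:", ICCAction(RulesBefore(n), n.Bridge)+"):")
	for _, r := range RulesBefore(n) {
		fmt.Println(" ", r)
	}
	fmt.Println("after fix (ICC rule:", ICCAction(RulesAfter(n), n.Bridge)+"):")
	for _, r := range RulesAfter(n) {
		fmt.Println(" ", r)
	}
}
```

Note that the fixed version keeps the isolation DROPs as prepend rules ahead of the ICC rule, so an internal network still cannot reach anything outside its own subnet; only the missing same-bridge rule is added.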
Awesome! Looking forward to your PR!
Just wanted to let you know that it's a bit more convenient to compare rules by using iptables-save and ip6tables-save.
Oh, I forgot. Just copied it from my terminal.