Internal network rules for IPv6 not working?
chris42 opened this issue · comments
Hi there,
i just moved a few container into a new internal network (created with --internal) and would have expected to see the isolation rules to be created analog to IPv4
IPv4
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DROP all -- !192.168.5.0/24 anywhere
DROP all -- anywhere !192.168.5.0/24
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
However the ip6tables show no such rule?
IPv6
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DROP all anywhere anywhere
DROP all anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all anywhere anywhere
RETURN all anywhere anywhere
Huh, no one has this problem as well?
@bephinix, do you have an idea?
@chris42 Can you post your output for iptables -nvL and ip6tables -nvL?
I am running Docker-IPv6NAT Version 0.4.2 and created an internal network:
sudo docker network create \
-d bridge \
--ipv6 \
--subnet 172.30.123.0/24 \
--subnet fddd:0:0:123::/64 \
--internal \
-o "com.docker.network.bridge.enable_icc=true" \
-o "com.docker.network.bridge.enable_ip_masquerade=false" \
-o "com.docker.network.bridge.name=dckrTest" \
dckrTestIPv4 Tables Docker
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * dckrTest !172.30.123.0/24 0.0.0.0/0
0 0 DROP all -- dckrTest * 0.0.0.0/0 !172.30.123.0/24
13474 787K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
6201K 145G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
13487 788K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
6201K 145G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
IPv6 Tables Docker
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all !dckrTest dckrTest ::/0 ::/0
0 0 DROP all dckrTest !dckrTest ::/0 ::/0
0 0 DOCKER-ISOLATION-STAGE-2 all docker0 !docker0 ::/0 ::/0
0 0 RETURN all * * ::/0 ::/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * docker0 ::/0 ::/0
0 0 RETURN all * * ::/0 ::/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all * * ::/0 ::/0
It seems, that the IPv4 rules are slightly different than the IPv6 rules, but they act the same.
We can fix this but it seems not critical to me.
if network.internal {
return &Ruleset{
// internal: drop traffic to docker network from foreign subnet
// notice: rule is different from IPv4 counterpart because NDP should not be blocked
NewPrependRule(TableFilter, ChainDockerIsolation1,
"!", "-s", network.subnet.String(),
"-o", network.bridge,
"-j", "DROP"),
// internal: drop traffic from docker network to foreign subnet
// notice: rule is different from IPv4 counterpart because NDP should not be blocked
NewPrependRule(TableFilter, ChainDockerIsolation1,
"!", "-d", network.subnet.String(),
"-i", network.bridge,
"-j", "DROP"),
// ICC
NewRule(TableFilter, ChainForward,
"-i", network.bridge,
"-o", network.bridge,
"-j", iccAction),
}
}Update: This difference is intended, because we should not block NDP traffic.
This would break the internal IPv6 network.
Ok, -nvL shows something there.
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-6399b9d7ef02 !192.168.5.0/24 0.0.0.0/0
0 0 DROP all -- br-6399b9d7ef02 * 0.0.0.0/0 !192.168.5.0/24
1144K 1121M DOCKER-ISOLATION-STAGE-2 all -- br-08e6fee45fc7 !br-08e6fee45fc7 0.0.0.0/0 0.0.0.0/0
3227K 1497M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-08e6fee45fc7 0.0.0.0/0 0.0.0.0/0
1144K 1121M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
ipv6:
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all docker0 !docker0 ::/0 ::/0
0 0 DROP all !br-6399b9d7ef02 br-6399b9d7ef02 ::/0 ::/0
0 0 DROP all br-6399b9d7ef02 !br-6399b9d7ef02 ::/0 ::/0
560K 693M DOCKER-ISOLATION-STAGE-2 all br-08e6fee45fc7 !br-08e6fee45fc7 ::/0 ::/0
1964K 1111M RETURN all * * ::/0 ::/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * docker0 ::/0 ::/0
0 0 DROP all * br-08e6fee45fc7 ::/0 ::/0
560K 693M RETURN all * * ::/0 ::/0
Ah, you are blocking the interface, not the iprange as it is done in ipv4?!
@chris42 Correct. You cannot use IPv6 subnets, because this will block NDP and link local address which leads to a non functional network.
Thanks for clearing that up @bephinix! I guess this one can be closed as it's functioning as intended?
@robbertkl That's correct. 🚀
Ok, Thanks!