Description
If you run docker with default settings, `--iptables=true` makes it nearly impossible to make custom security settings. I must accept that each container can call everything outside or nothing (`--icc=false`).
I would propose creating more chains to allow special options:
- `PRE_DOCKER_IN`, which is registered before the DOCKER and DOCKERISOLATION chains and registered at `FORWARD -o docker0`
- `PRE_DOCKER_OUT`, which is registered before the DOCKER and DOCKERISOLATION chains and registered at `FORWARD -i docker0`
- `POST_DOCKER_IN`, which is registered after the DOCKER and DOCKERISOLATION chains and registered at `FORWARD -o docker0`
- `POST_DOCKER_OUT`, which is registered after the DOCKER and DOCKERISOLATION chains and registered at `FORWARD -i docker0`

After those chains you can add ACCEPT all or DROP all depending on `--icc=true|false`.

The logic must be: if `PRE_DOCKER_*` or `POST_DOCKER_*` exists, it will not be created. Docker will not put any rules in those chains, so a normal admin can use them to have full control over the FORWARD chain.
What do you think?
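The layout proposed in the post, as an added example that is not part of the original issue and not Docker's code: a POSIX shell function that reads the current ruleset in `iptables-save` format on stdin and prints the `iptables` commands that would realise the four hook chains, the "create only if absent" rule, and the FORWARD ordering (PRE hooks, then Docker's own chains, then POST hooks, then the all-or-nothing `--icc` verdict). The bridge name, the `DOCKER`/`DOCKER-ISOLATION` jump lines (placeholders for whatever Docker installs) and the dump format are assumptions; nothing is applied, the output can be reviewed and then piped to `sh` by root.

```shell
#!/bin/sh
# Added example, not Docker's code. Emits iptables commands for the PRE_/POST_
# hook-chain layout proposed in the issue. Assumptions: rules are for the
# filter table, the dump on stdin is iptables-save output (chains appear as
# ":NAME POLICY [pkts:bytes]"), and the DOCKER / DOCKER-ISOLATION jumps are
# placeholders marking where Docker's own rules sit.

# plan_rules ICC BRIDGE < iptables-save-dump
#   ICC     true|false, mirroring --icc=
#   BRIDGE  bridge interface, e.g. docker0
plan_rules() {
    icc="$1"
    bridge="$2"
    dump=$(cat)   # current ruleset; used only to see which chains exist

    case "$icc" in
        true)  verdict=ACCEPT ;;
        false) verdict=DROP ;;
        *) echo "plan_rules: ICC must be true or false" >&2; return 1 ;;
    esac

    # 1. Hook chains: create them only when the admin has not done so already.
    #    Docker never appends rules to them, so admin rules in them survive.
    for chain in PRE_DOCKER_IN PRE_DOCKER_OUT POST_DOCKER_IN POST_DOCKER_OUT; do
        if printf '%s\n' "$dump" | grep -q "^:$chain "; then
            echo "# $chain exists, left untouched"
        else
            echo "iptables -N $chain"
        fi
    done

    # 2. FORWARD ordering. -A appends, so emission order is evaluation order.
    #    A packet that no rule in a hook chain matches returns and continues
    #    with the next FORWARD rule; a DROP in PRE_DOCKER_IN therefore wins
    #    over any ACCEPT that Docker installs for a published port.
    echo "iptables -A FORWARD -o $bridge -j PRE_DOCKER_IN"
    echo "iptables -A FORWARD -i $bridge -j PRE_DOCKER_OUT"
    # Docker-owned chains go here (placeholders; names as used in the issue).
    echo "iptables -A FORWARD -j DOCKER-ISOLATION"
    echo "iptables -A FORWARD -o $bridge -j DOCKER"
    # POST hooks see only what Docker's chains did not already accept.
    echo "iptables -A FORWARD -o $bridge -j POST_DOCKER_IN"
    echo "iptables -A FORWARD -i $bridge -j POST_DOCKER_OUT"
    # Finally the blanket inter-container verdict selected by --icc.
    echo "iptables -A FORWARD -i $bridge -o $bridge -j $verdict"
}

# Usage (dry run, as root or not):
#   iptables-save | sh this_script.sh   -- after adding:  plan_rules false docker0
# To apply for real:  iptables-save | plan_rules false docker0 | sh
```

Running it against a dump in which the admin has already created `PRE_DOCKER_IN` shows the intended behaviour: that chain is reported as existing and left alone, the other three are created, and the `--icc` verdict is always the last FORWARD rule so that both hook sets get a chance to decide first.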