Don't skip DNAT for a routed network without userland-proxy #49577
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
343c364 to
e49e7e2
Compare
vvoland
reviewed
Mar 7, 2025
Comment on lines
589
to
611
| for _, ipamCfg := range insp.IPAM.Config { | ||
| url := "http://" + net.JoinHostPort(ipamCfg.Gateway, "8080") | ||
| res := container.RunAttach(ctx, t, c, | ||
| container.WithNetworkMode(routedNetName), | ||
| container.WithCmd("wget", "-O-", "-T3", url), | ||
| ) | ||
| if tc.expResponse { | ||
| // 404 Not Found means the server responded, but it's got nothing to serve. | ||
| assert.Check(t, is.Contains(res.Stderr.String(), "404 Not Found"), "url: %s", url) | ||
| } else { | ||
| assert.Check(t, is.Contains(res.Stderr.String(), "download timed out"), "url: %s", url) | ||
| } | ||
| } |
If the userland-proxy is running, packets from one bridge network addressed to the host port are not DNAT'd - so that docker-proxy can pick them up, and therefore the packet bypasses the network isolation rules. Without the userland-proxy, there's no way for a packet from one bridge network to bypass the network isolation rules. So, in this case, DNAT is not skipped - and that at-least allows packets originating from the network that published the port to access the host port. Commit 0546d90 improved support for routed mode networks (allowing nat-mode networks access to containers in routed-mode networks, as well as just remote access). That commit changed the "SKIP DNAT" logic, making sure DNAT was skipped for a routed-mode network if the userland-proxy was enabled (so, containers in routed mode networks could access ports published by other networks). But, it still skipped DNAT for a routed mode network if the userland proxy was disabled - packets from the routed mode network aimed at any other network would be dropped by the network isolation rules anyway, and containers in a routed mode network don't need access to ports published from that network (because, by definition, there can't be any). However, network isolation rules can be worked-around with a rule in the DOCKER-USER chain, but the SKIP DNAT rule is 8000 harder to deal with. So, for routed-mode, only skip DNAT if the userland-proxy is enabled (just like nat-mode networks). Signed-off-by: Rob Murray <rob.murray@docker.com>
e49e7e2 to
4d8cff7
Compare
vvoland
approved these changes
Mar 11, 2025
akerouanton
approved these changes
Mar 13, 2025
| // If the userland proxy is disabled, don't skip, so packets will be DNAT'd. That will | ||
| // enable access to ports published by containers in the same network. But, the INC rules | ||
| // will block access to that published port from containers in other networks. (However, | ||
| // users may add a rule to DOCKER-USER to work around the INC rules if needed.) |
There was a problem hiding this comment.
As shared privately, it'd be best to not require users to mess with their DOCKER-USER chain to enable that use-case. But, as you pointed out, it's too much risk for a patch release, and probably not worth implementing in iptables.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
gateway_mode=routed#49509If the userland-proxy is running, packets from one bridge network addressed to the host port are not DNAT'd - so that docker-proxy can pick them up, and therefore the packet bypasses the network isolation rules.
Without the userland-proxy, there's no way for a packet from one bridge network to bypass the network isolation rules. So, in this case, DNAT is not skipped - and that at-least allows packets originating from the network that published the port to access the host port.
Commit 0546d90 improved support for routed mode networks (allowing nat-mode networks access to containers in routed-mode networks, as well as just remote access).
That commit changed the "SKIP DNAT" logic, making sure DNAT was skipped for a routed-mode network if the userland-proxy was enabled (so, containers in routed mode networks could access ports published by other networks).
But, it still skipped DNAT for a routed mode network if the userland proxy was disabled - packets from the routed mode network aimed at any other network would be dropped by the network isolation rules anyway, and containers in a routed mode network don't need access to ports published from that network (because, by definition, there can't be any).
However, network isolation rules can be worked-around with a rule in the DOCKER-USER chain, but the SKIP DNAT rule is harder to deal with.
- How I did it
For routed-mode, only skip DNAT if the userland-proxy is enabled (just like nat-mode networks).
- How to verify it
New regression test.
< 8000 strong>- Human readable description for the release notes