Add daemon option --ip-forward-no-drop

The daemon no longer depends on the iptables/ip6tables filter-FORWARD chain's policy being DROP in order to implement its port filtering rules. However, if the daemon enables IP forwarding in the host's system config, by default it will set the policy to DROP to avoid potential security issues for other applications/networks. If docker does need to enable IP forwarding, but other applications on the host require filter-FORWARD's policies to be ACCEPT, this option can be used to tell the daemon to leave the policy unchanged. (Equivalent to enabling IP forwarding before starting the daemon, but without needing to do that.) Signed-off-by: Rob Murray <rob.murray@docker.com>
changsongyang · Nov 11, 2024 · 3cadadb · 3cadadb
1 parent 5823b05
commit 3cadadb
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 23 deletions.
diff --git a/cmd/dockerd/config_unix.go b/cmd/dockerd/config_unix.go
@@ -27,7 +27,8 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) {
 	flags.Var(opts.NewNamedUlimitOpt("default-ulimits", &conf.Ulimits), "default-ulimit", "Default ulimits for containers")
 	flags.BoolVar(&conf.BridgeConfig.EnableIPTables, "iptables", true, "Enable addition of iptables rules")
 	flags.BoolVar(&conf.BridgeConfig.EnableIP6Tables, "ip6tables", true, "Enable addition of ip6tables rules")
-	flags.BoolVar(&conf.BridgeConfig.EnableIPForward, "ip-forward", true, "Enable net.ipv4.ip_forward")
+	flags.BoolVar(&conf.BridgeConfig.EnableIPForward, "ip-forward", true, "Enable IP forwarding in system configuration")
+	flags.BoolVar(&conf.BridgeConfig.DisableFilterForwardDrop, "ip-forward-no-drop", false, "Do not set the filter-FORWARD policy to DROP when enabling IP forwarding")
 	flags.BoolVar(&conf.BridgeConfig.EnableIPMasq, "ip-masq", true, "Enable IP masquerading")
 	flags.BoolVar(&conf.BridgeConfig.EnableIPv6, "ipv6", false, "Enable IPv6 networking")
 	flags.StringVar(&conf.BridgeConfig.IP, "bip", "", "Specify network bridge IP")

diff --git a/daemon/config/config_linux.go b/daemon/config/config_linux.go
@@ -41,12 +41,13 @@ const (
 type BridgeConfig struct {
 	DefaultBridgeConfig
 
-	EnableIPTables      bool   `json:"iptables,omitempty"`
-	EnableIP6Tables     bool   `json:"ip6tables,omitempty"`
-	EnableIPForward     bool   `json:"ip-forward,omitempty"`
-	EnableIPMasq        bool   `json:"ip-masq,omitempty"`
-	EnableUserlandProxy bool   `json:"userland-proxy,omitempty"`
-	UserlandProxyPath   string `json:"userland-proxy-path,omitempty"`
+	EnableIPTables           bool   `json:"iptables,omitempty"`
+	EnableIP6Tables          bool   `json:"ip6tables,omitempty"`
+	EnableIPForward          bool   `json:"ip-forward,omitempty"`
+	DisableFilterForwardDrop bool   `json:"ip-forward-no-drop,omitempty"`
+	EnableIPMasq             bool   `json:"ip-masq,omitempty"`
+	EnableUserlandProxy      bool   `json:"userland-proxy,omitempty"`
+	UserlandProxyPath        string `json:"userland-proxy-path,omitempty"`
 }
 
 // DefaultBridgeConfig stores all the parameters for the default bridge network.

diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
@@ -915,12 +915,13 @@ func setHostGatewayIP(controller *libnetwork.Controller, config *config.Config)
 func driverOptions(config *config.Config) nwconfig.Option {
 	return nwconfig.OptionDriverConfig("bridge", options.Generic{
 		netlabel.GenericData: options.Generic{
-			"EnableIPForwarding":  config.BridgeConfig.EnableIPForward,
-			"EnableIPTables":      config.BridgeConfig.EnableIPTables,
-			"EnableIP6Tables":     config.BridgeConfig.EnableIP6Tables,
-			"EnableUserlandProxy": config.BridgeConfig.EnableUserlandProxy,
-			"UserlandProxyPath":   config.BridgeConfig.UserlandProxyPath,
-			"Rootless":            config.Rootless,
+			"EnableIPForwarding":       config.BridgeConfig.EnableIPForward,
+			"DisableFilterForwardDrop": config.BridgeConfig.DisableFilterForwardDrop,
+			"EnableIPTables":           config.BridgeConfig.EnableIPTables,
+			"EnableIP6Tables":          config.BridgeConfig.EnableIP6Tables,
+			"EnableUserlandProxy":      config.BridgeConfig.EnableUserlandProxy,
+			"UserlandProxyPath":        config.BridgeConfig.UserlandProxyPath,
+			"Rootless":                 config.Rootless,
 		},
 	})
 }

diff --git a/libnetwork/drivers/bridge/bridge_linux.go b/libnetwork/drivers/bridge/bridge_linux.go
@@ -51,12 +51,13 @@ type (
 
 // configuration info for the "bridge" driver.
 type configuration struct {
-	EnableIPForwarding  bool
-	EnableIPTables      bool
-	EnableIP6Tables     bool
-	EnableUserlandProxy bool
-	UserlandProxyPath   string
-	Rootless            bool
+	EnableIPForwarding       bool
+	DisableFilterForwardDrop bool
+	EnableIPTables           bool
+	EnableIP6Tables          bool
+	EnableUserlandProxy      bool
+	UserlandProxyPath        string
+	Rootless                 bool
 }
 
 // networkConfiguration for network specific configuration
@@ -907,12 +908,12 @@ func (d *driver) createNetwork(config *networkConfiguration) (err error) {
 		// Enable IP Forwarding
 		{config.EnableIPv4 && d.config.EnableIPForwarding,
 			func(*networkConfiguration, *bridgeInterface) error {
-				return setupIPv4Forwarding(d.config.EnableIPTables)
+				return setupIPv4Forwarding(d.config.EnableIPTables && !d.config.DisableFilterForwardDrop)
 			},
 		},
 		{config.EnableIPv6 && d.config.EnableIPForwarding,
 			func(*networkConfiguration, *bridgeInterface) error {
-				return setupIPv6Forwarding(d.config.EnableIP6Tables)
+				return setupIPv6Forwarding(d.config.EnableIP6Tables && !d.config.DisableFilterForwardDrop)
 			},
 		},
 

diff --git a/man/dockerd.8.md b/man/dockerd.8.md
@@ -44,6 +44,7 @@ dockerd - Enable daemon mode
 [**--insecure-registry**[=*[]*]]
 [**--ip**[=*0.0.0.0*]]
 [**--ip-forward**[=**true**]]
+[**--ip-forward-no-drop**[=**true**]]
 [**--ip-masq**[=**true**]]
 [**--iptables**[=**true**]]
 [**--ipv6**]
@@ -289,11 +290,20 @@ unix://[/path/to/socket] to use.
   has no effect.
 
   This setting will also enable IPv6 forwarding if you have both
-  **--ip-forward=true** and **--fixed-cidr-v6** set. Note that this may reject
-  Router Advertisements and interfere with the host's existing IPv6
+  **--ip-forward=true** and an IPv6 enabled bridge network. Note that this
+  may reject Router Advertisements and interfere with the host's existing IPv6
   configuration. For more information, consult the documentation about
   "Advanced Networking - IPv6".
 
+**--ip-forward-no-drop**=**true**|**false**
+  When **false**, the default, if Docker enables IP forwarding itself (see
+  **--ip-forward**), and **--iptables** or **--ip6tables** are enabled, it
+  also sets the default policy for the FORWARD chain in the iptables or
+  ip6tables filter table to DROP.
+
+  When **true**, and when IP forwarding is already enabled, Docker does
+  not modify the default policy of the FORWARD chain.
+
 **--ip-masq**=**true**|**false**
   Enable IP masquerading for bridge's IP range. Default is **true**.