Control: severity -1 critical * Alban Browaeys <pra...@yahoo.com> [171022 00:01]: > The FORWARD chain policy is set to DROP by docker since 1.13.
HUH??? Since when is it okay for software that is not advertised as firewall software to modify the sysadmin's implicit or explicit iptables setup for IP packets completely unrelated to said software? I understand that this is a non-trivial problem because of the history behind /proc/sys/net/ipv4/ip_forward and the FORWARD chain, but docker can and needs to do better. My first approximation would be to only change the policy for FORWARD if ip_forward was 0 before docker added its own iptables rules. This will probably work 99.9% of the time. The current behavior appears to break other software 100% of the time if that software relies on ip_forward being 1 and the FORWARD chain being in its default state. * Dmitry Smirnov <only...@debian.org> [180607 09:31]: > I'm lowering severity of this bug since it is not clear how to reproduce the > problem and because networking is not broken for everyone... I'm raising this back to critical (makes unrelated software on the system break), as I cannot fathom how this could not be broken for anyone using KVM with a bridging network interface unless they have found one of the workarounds given in this thread (i.e. the /etc/docker/daemon.json modification, or manually modifying the FORWARD chain). The following should reliably reproduce the problem (disclaimer: I haven't gone back to a clean system and tried this from the start, but I have been using virt-manager for a while, and installing docker.io immediately broke networking on my VMs): * Ensure dockerd is not running and iptables is empty and in its default state (FORWARD chain policy is ACCEPT). * Install virt-manager. * Create a virtual machine with a bridging virtual network interface (e.g. for network source choose "Bridge br0: Host device ens3" where ens3 is the host's wired interface to the LAN). * Ensure networking on the VM works correctly (to the LAN or beyond), and that FORWARD chain still has POLICY ACCEPT. * Start dockerd. The VM's networking to the LAN or beyond (but not to the host machine) will now be broken. Another scenario that I expect to reliably fail is machine A with two wired NIC's, one connected to the LAN and the other connected directly to isolated machine B (e.g. a Raspberry Pi). The connection between A and B could be USB networking. Ensure: * The LAN gateway has a route to B via A. (Using a different /24 between A and B is recommended here.) * Machine A has ip_forward set to 1, and empty, default FORWARD chain. * Machine A has a route to B. * Machine B can reach outside the LAN. I would be extremely surprised if installing docker.io did not break this scenario for machine B. ...Marvin
