On Mon, Jun 17, 2019 at 07:26:04PM +0800, Shengjing Zhu wrote:
> Please do think more about this issue. And understand why docker does
> this for the security reason.
I understand the security issue. I understand why it does it. But if it's
the case that this does break unrelated software, i.e., if the ip_forward
check is not sufficient/is not working (I am still to retest), then we
also have that problem. And it's not clear which is "worse".
>> And I would argue this is a security issue too, if libvirt enables
>> ip_forward and does nothing else.
> I agree.
>> They could add a "-j DROP" rule that was scoped specifically to the docker
>> subnet, after their other (-j ACCEPT) rules. That's just one way that this
>> could be done less disruptively.
> No, because they enabled ip_forward setting.
Sure, but using a -j DROP rule means it's at least theoretically possible
for unrelated software to have its own rules in the forward chain that are
not broken by the chain policy change. Having said that, I'm only sketching
the outline of an alternative solution here; it would need working up into
a proper alternative solution, and I do not have the time to do that.
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.
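The two approaches argued over in the thread (Docker flipping the FORWARD chain policy to DROP, versus a "-j DROP" rule scoped to the docker subnet appended after the ACCEPT rules), modelled as an added example that is not code from this thread or from docker.io: a small first-match evaluator of the FORWARD chain run over a few constructed packets. The subnet, rule sets and packets are assumptions (Docker's default docker0 range, a libvirt-style guest range), not values from the mail.

```python
from ipaddress import ip_address, ip_network
# Constructed model of the iptables FORWARD chain: the first matching rule wins,
# and the chain policy applies only to packets that match no rule at all.
DOCKER_NET = ip_network("172.17.0.0/16")  # assumed docker0 subnet

def matches(rule, pkt):
    src, dst, established = pkt
    if "src" in rule and ip_address(src) not in rule["src"]:
        return False
    if "dst" in rule and ip_address(dst) not in rule["dst"]:
        return False
    if "established" in rule and rule["established"] != established:
        return False
    return True

def verdict(rules, policy, pkt):
    """Walk the chain in order; fall back to the policy if nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Docker's own rules: replies back into the container subnet, and anything leaving it.
DOCKER_RULES = [
    {"dst": DOCKER_NET, "established": True, "target": "ACCEPT"},
    {"src": DOCKER_NET, "target": "ACCEPT"},
]

def policy_drop(pkt):
    """What Docker does: chain policy switched to DROP, affecting everyone's traffic."""
    return verdict(DOCKER_RULES, "DROP", pkt)

def scoped_drop(pkt):
    """The alternative sketched in the mail: policy stays ACCEPT and a DROP rule
    scoped to the docker subnet is appended after Docker's ACCEPT rules."""
    return verdict(DOCKER_RULES + [{"dst": DOCKER_NET, "target": "DROP"}], "ACCEPT", pkt)

# Constructed packets: (source, destination, part of an established flow?)
PACKETS = {
    "unsolicited inbound to container": ("203.0.113.5", "172.17.0.2", False),
    "container to internet": ("172.17.0.2", "203.0.113.5", False),
    "libvirt guest to internet": ("192.168.122.10", "203.0.113.5", False),
    "unrelated routed traffic": ("10.0.0.5", "10.0.1.5", False),
}

def compare():
    """Map each packet name to (verdict under policy DROP, verdict under scoped DROP)."""
    return {name: (policy_drop(p), scoped_drop(p)) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:34s} policy DROP: {a:6s} scoped DROP: {b}")
```

The container subnet is protected equally well either way; the difference is that the policy change also drops the libvirt guest's and any other unrelated forwarded traffic, while the scoped rule leaves that traffic on the old default ACCEPT, which is exactly the point raised against it once ip_forward is on.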