When Docker is launched, if the `DOCKER-USER` chain already exists, the `jump DOCKER-USER` rule is not inserted into the `FORWARD` chain, which results in the firewall "failing open".

This is potentially very hazardous from a security perspective. All that is required for this to happen is for an iptables/nftables "save" to contain the `DOCKER-USER` chain, and for the restore service to start before Docker is started.

The culprit code is here: libnetwork/firewall_linux.go, line 33 in b350742:

```go
logrus.Warnf("Failed to create %s chain: %v", userChain, err)
```

One potential fix is to insert the `jump` even if the chain already exists, though in this case it may also be important to always insert the `return` to the `DOCKER-USER` chain as well, if it isn't already there.
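As an added example that is not part of this issue and not moby code: a POSIX shell audit that reads `iptables-save -t filter` output and reports whether the arrangement dockerd expects is in place, i.e. the `DOCKER-USER` chain exists, it ends in `-j RETURN`, and `FORWARD` jumps to it. It also prints the `iptables` commands that would repair each state. The state after a pre-dockerd `iptables-restore` described above is the `no-jump` case. The check goes one step beyond the issue: it also flags a jump that is present but not the first `FORWARD` rule, since rules ahead of it bypass `DOCKER-USER` (dockerd itself inserts the jump with `-I`, at position 1). The function names (`has_rule`, `docker_user_state`, `repair_commands`) and both sample rulesets are constructed for this example; the check matches rule text exactly as dockerd writes it and will not recognise a jump or return that carries extra match options.

```shell
#!/bin/sh
# Added example, not moby code. Audits an iptables-save ruleset for the
# DOCKER-USER wiring dockerd expects:
#   1. the DOCKER-USER chain exists,
#   2. FORWARD's first rule is "-j DOCKER-USER" (dockerd inserts it with -I),
#   3. DOCKER-USER ends with "-j RETURN".
# A ruleset restored before dockerd starts can satisfy (1) and (3) but not (2);
# with the jump missing nothing ever consults DOCKER-USER, so rules placed
# there silently do nothing.

# Constructed sample: DOCKER-USER came back from a save, jump absent.
RESTORED_BEFORE_DOCKER='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -i eth0 -p tcp --dport 3306 -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# Constructed sample: the arrangement dockerd produces on a clean start.
HEALTHY='*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -i eth0 -p tcp --dport 3306 -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# has_rule RULESET LINE: true if LINE appears verbatim (whole line) in RULESET.
has_rule() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# docker_user_state RULESET: prints exactly one of
#   missing-chain   DOCKER-USER does not exist (dockerd not up, or iptables disabled)
#   no-jump         chain exists but FORWARD never jumps to it (the fail-open case)
#   jump-not-first  FORWARD jumps to it, but earlier FORWARD rules can bypass it
#   no-return       jump is fine but the chain lacks its terminating RETURN
#   ok
docker_user_state() {
    ruleset="$1"
    if ! printf '%s\n' "$ruleset" | grep -q '^:DOCKER-USER '; then
        echo missing-chain
        return 0
    fi
    if ! has_rule "$ruleset" '-A FORWARD -j DOCKER-USER'; then
        echo no-jump
        return 0
    fi
    first_forward=$(printf '%s\n' "$ruleset" | grep '^-A FORWARD ' | head -n 1)
    if [ "$first_forward" != '-A FORWARD -j DOCKER-USER' ]; then
        echo jump-not-first
        return 0
    fi
    if ! has_rule "$ruleset" '-A DOCKER-USER -j RETURN'; then
        echo no-return
        return 0
    fi
    echo ok
}

# repair_commands RULESET: prints the iptables commands that restore dockerd's
# arrangement for the detected state. Review before running: they change the
# live firewall, and dockerd itself should normally own these rules.
repair_commands() {
    case "$(docker_user_state "$1")" in
        missing-chain)
            echo 'iptables -N DOCKER-USER'
            echo 'iptables -A DOCKER-USER -j RETURN'
            echo 'iptables -I FORWARD -j DOCKER-USER'
            ;;
        no-jump)
            echo 'iptables -I FORWARD -j DOCKER-USER'
            ;;
        jump-not-first)
            echo 'iptables -D FORWARD -j DOCKER-USER'
            echo 'iptables -I FORWARD -j DOCKER-USER'
            ;;
        no-return)
            echo 'iptables -A DOCKER-USER -j RETURN'
            ;;
        ok)
            ;;
    esac
}

# Stand-alone run over the two constructed samples. On a real host, feed the
# live table instead:  docker_user_state "$(iptables-save -t filter)"
for rules in "$RESTORED_BEFORE_DOCKER" "$HEALTHY"; do
    echo "state: $(docker_user_state "$rules")"
    repair_commands "$rules" | sed 's/^/  repair: /'
done
```

Run this against `iptables-save -t filter` on any host where a firewall restore unit (iptables-restore, netfilter-persistent, firewalld, or a hand-rolled systemd unit) can start before `docker.service`; a `no-jump` result is the condition this issue describes. A `systemd` ordering fix (`After=`/`Before=` between the restore unit and `docker.service`) addresses the cause; the commands above only address the symptom on a running host.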