clone 903635 -1
retitle -1 installing and starting docker changes iptables FORWARD policy, breaking unrelated things
severity 903635 important
found 903635 18.09.1+dfsg1-7
found -1 18.09.1+dfsg1-7
thanks

On Mon, Jun 10, 2019 at 01:27:45AM +0800, Shengjing Zhu wrote:
> Could you provide more info about "changed my FORWARD chain policy to DROP"?

In a fresh test Buster installation. Before:

# iptables -L | grep FORWARD
Chain FORWARD (policy ACCEPT)
# dpkg -l docker.io
# dpkg-query: no packages found matching docker.io
# apt install -y docker.io

After:

# iptables -L | grep FORWARD
Chain FORWARD (policy ACCEPT)
# systemctl start docker
# iptables -L | grep FORWARD
Chain FORWARD (policy DROP)

So: Installing (*and* starting) Docker, with no other configuration steps performed by the user, changes the FORWARD table policy, which breaks e.g. any running VMs on the host.

> I add `"iptables": false` to `/etc/docker/daemon.json`. Then reboot my laptop. Then run `iptables-save`.

Setting that does stop this from happening, yes. If this was the package default that would resolve the issue I have. But that would not address the original filer's issue (unnecessary chain DOCKER-USER creation, which I can reproduce). I should have filed a separate issue really, sorry. I've cloned now.

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀
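
An added example, not part of the original message or of the Docker packaging: a shell function that diffs two `iptables -S` snapshots to surface the two changes discussed in this report, a built-in chain policy flip (FORWARD) and newly created chains (DOCKER-USER). The snapshots are constructed sample data and `ruleset_diff` is a hypothetical name.

```shell
#!/bin/sh
# Compare two `iptables -S` snapshots and report built-in chain policy
# changes and chains that exist only in the second snapshot.

# Constructed sample snapshots (not captured from a real host).
BEFORE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

AFTER='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER'

# ruleset_diff BEFORE AFTER  (hypothetical helper)
# Prints one line per finding:
#   policy <chain> <old>-><new>
#   new-chain <name>
ruleset_diff() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---"           { after = 1; next }
        # First snapshot: remember policies and user-defined chains.
        $1 == "-P" && !after  { pol[$2] = $3; next }
        $1 == "-N" && !after  { chain[$2] = 1; next }
        # Second snapshot: report anything that differs.
        $1 == "-P" && after && ($2 in pol) && pol[$2] != $3 {
            printf "policy %s %s->%s\n", $2, pol[$2], $3
        }
        $1 == "-N" && after && !($2 in chain) {
            printf "new-chain %s\n", $2
        }'
}

# On a live host (as root) the snapshots would come from, for example:
#   before=$(iptables -S); systemctl start docker; after=$(iptables -S)
#   ruleset_diff "$before" "$after"
ruleset_diff "$BEFORE" "$AFTER"
```

Run before and after a package's service is first started, this makes a silent FORWARD policy change visible before it drops traffic for VMs or other forwarding users on the host.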