Hi,

I checked more carefully on https://github.com/moby/moby/pull/28257
and https://github.com/moby/moby/issues/14041
Then I concluded that docker does nothing wrong in this case.

If you didn't set net.ipv4.ip_forward=1 before starting docker, then
docker will set this for you by default, otherwise the containers
can't access the network. This causes a security issue as described in
https://github.com/moby/moby/issues/14041.
So if docker set net.ipv4.ip_forward=1 itself, it will set the default
FORWARD policy to DROP. This looks quite correct.

So when will docker not touch your FORWARD policy? Just don't let
docker enable ip_forward itself. You can set net.ipv4.ip_forward=1 in
/etc/sysctl.conf(enable it before starting docker). Then docker will
know that the user wants the host to forward all traffic and it will touch
your default FORWARD policy.

I've verified it by adding net.ipv4.ip_forward=1 to /etc/sysctl.conf,
then rebooted, and my FORWARD policy is ACCEPT.

So as for your VM scenario, why didn't you set ip_forward manually?
How would docker know it's not a vulnerability if it didn't set the FORWARD
chain to DROP when it enables ip_forward?

-- 
Shengjing Zhu
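As an added defender's check that is not part of this message or of Docker's own code: a small POSIX shell script that reads the host's ip_forward sysctl and the FORWARD chain policy (or, when iptables is unavailable, a constructed `iptables -S FORWARD` sample) and reports whether the host ends up in the "forwards all traffic" state discussed above. The sample rule lines are hypothetical, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `iptables -S FORWARD` output on a Docker host whose
# FORWARD policy was left at ACCEPT (hypothetical, not from a real machine).
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Extract the chain policy (ACCEPT or DROP) from iptables -S style output.
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Classify the host: ip_forward=1 together with a FORWARD policy of ACCEPT
# means the host forwards traffic for anything that can route through it,
# which is the situation raised in moby/moby#14041. ip_forward=1 with a
# DROP policy (what Docker sets when it enabled forwarding itself) is fine.
audit_forwarding() {
    ip_forward="$1"
    policy="${2:-unknown}"
    if [ "$ip_forward" != "1" ]; then
        echo "ok: ip_forward disabled, host does not forward"
    elif [ "$policy" = "DROP" ]; then
        echo "ok: forwarding enabled but FORWARD policy is DROP"
    else
        echo "exposed: forwarding enabled and FORWARD policy is $policy"
    fi
}

# Live check on a real host (iptables needs root); otherwise fall back to
# the constructed sample so the script also runs offline.
if [ -r /proc/sys/net/ipv4/ip_forward ] && command -v iptables >/dev/null 2>&1 \
   && rules=$(iptables -S FORWARD 2>/dev/null); then
    ipf=$(cat /proc/sys/net/ipv4/ip_forward)
else
    rules="$SAMPLE_RULES"
    ipf=1
fi
audit_forwarding "$ipf" "$(forward_policy "$rules")"
```

Run it after a reboot on the host in question: if you set net.ipv4.ip_forward=1 in /etc/sysctl.conf yourself, expect the "exposed" line unless you also set the FORWARD policy to DROP yourself.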
