On Tue, Feb 21, 2023 at 5:03 PM Per Lundberg <per.lundb...@hibox.tv> wrote:
>
> Regretfully, this bug is still active and it's trivial to reproduce with
> this configuration:
>
> * apt-get install docker.io (ensure that the docker daemon is running
> afterwards. Tested with 20.10.22+dfsg1-2 locally)
> * apt-get install lxd (tested with 5.0.1-5)
>
> Then, "lxc launch ubuntu:22.04" (accepting the defaults for LXD
> configuration). Networking will be broken inside the newly created LXD
> container.
>
> The workaround for me is to run "sudo iptables -P FORWARD ACCEPT" after
> bootup (and after Docker has started). But I agree with previous
> comments; it's EXTREMELY BAD and unacceptable for a program like Docker
> to misbehave like this.
>
> On the LXD side, this has been discussed and is a known issue:
>
> *
> https://discuss.linuxcontainers.org/t/lxd-and-docker-firewall-redux-how-to-deal-with-forward-policy-set-to-drop/9953/9
> *
> https://linuxcontainers.org/lxd/docs/master/howto/network_bridge_firewalld/#prevent-issues-with-lxd-and-docker
>
> (The suggestion given there is to insert firewall rules into the
> DOCKER-USER chain.)
>
> I suggest we would consider patching the Docker package in Debian to
> remove the FORWARD DROP nonsense until this has been properly resolved
> upstream. We can't have programs that misbehave this badly in the
> distribution, IMO.

Please read message#91
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865975#91 and then
think about it.
If you still think there's a secure patch that we can apply, I'd like to review.

-- 
Shengjing Zhu

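One way to apply the DOCKER-USER approach from the LXD documentation linked above, as an added example that is not part of this thread or of the Debian package: instead of `iptables -P FORWARD ACCEPT`, which reopens forwarding for every interface Docker's DROP policy was covering, insert two interface-scoped rules into DOCKER-USER (which Docker evaluates before its own FORWARD rules). It assumes the default LXD bridge name `lxdbr0`; the script file name `lxd-docker-user.sh` is an assumption used only for the run guard.

```shell
#!/bin/sh
# Added example: scope forwarding to the LXD bridge through DOCKER-USER rather
# than flipping the global FORWARD policy. Assumes the bridge is lxdbr0.

LXD_BRIDGE="${LXD_BRIDGE:-lxdbr0}"

# Print the rule specs (minus chain verb) so they can be reviewed, checked
# with -C, and inserted with -I idempotently. One spec per line.
docker_user_rules() {
    br="$1"
    # Traffic originating inside the LXD bridge may be forwarded out.
    printf '%s\n' "-i $br -j ACCEPT"
    # Only replies to flows the containers opened may be forwarded back in.
    printf '%s\n' "-o $br -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Insert each rule into DOCKER-USER only if it is not already present.
# $1 = iptables binary (iptables or ip6tables), $2 = bridge name.
ensure_rules() {
    ipt="$1"; br="$2"
    docker_user_rules "$br" | while IFS= read -r spec; do
        # $spec is intentionally word-split into separate arguments.
        # shellcheck disable=SC2086
        if ! "$ipt" -C DOCKER-USER $spec 2>/dev/null; then
            "$ipt" -I DOCKER-USER $spec
        fi
    done
}

# Only act when run directly as lxd-docker-user.sh (assumed name), so the
# functions above can be sourced without touching the firewall.
if [ "${0##*/}" = "lxd-docker-user.sh" ]; then
    # DOCKER-USER exists only once the Docker daemon has set up its chains,
    # which is why the workaround in the thread must run after Docker starts.
    if ! iptables -S DOCKER-USER >/dev/null 2>&1; then
        echo "DOCKER-USER chain missing: is the Docker daemon running?" >&2
        exit 1
    fi
    ensure_rules iptables "$LXD_BRIDGE"
    ensure_rules ip6tables "$LXD_BRIDGE"
fi
```

Because the rules match only on the bridge interface, other forwarding paths stay under Docker's DROP policy, which is the property a global `-P FORWARD ACCEPT` gives up.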