search

moby / libnetwork

networking for containers
Apache License 2.0
2.15k stars 880 forks source link

Favoring "iptables-legacy" on Debian Sid causes iptables rules inconsistency #2331

Open TheCatFelix opened 5 years ago

TheCatFelix commented 5 years ago

Description of Issue/Question

Debian Sid (Unstable) uses iptables-nft by default now to provide /sbin/iptables and still provides a /usr/sbin/iptables-legacy for compatibility. Recent change in docker package that was released into Debian Sid on 1/17/2019 forces docker to favor iptables-legacy binary over the "default" iptables. This causes "normal" iptables rules to show up under iptables -S and docker’s rules only under iptables-legacy -S

Specific impact in my setup was inconsistent iptables configuration and the docker container could not initiate outgoing connections any more.

Setup

I recently upgraded docker package in Debian:

Which on the Debian side has the following change log: https://tracker.debian.org/news/1021701/accepted-dockerio-18061dfsg1-3-source-all-amd64-into-unstable/

Which seems to introduce the following docker commit: https://github.com/docker/libnetwork/commit/7da66eea9f68e4abc83ed2892114ec565eddd66a#diff-b90cadcd0928c1e490272f4761a52bac

Checking in the Debian source repo confirms the suspicion: docker.io 18.06.1+dfsg1-2 https://sources.debian.org/src/docker.io/18.06.1+dfsg1-2/libnetwork/iptables/iptables.go/

docker.io 18.06.1+dfsg1-3 https://sources.debian.org/src/docker.io/18.06.1+dfsg1-3/libnetwork/iptables/iptables.go/

Workaround

When forcing the system to default to iptables-legacy, all rules will show up under iptables-legacy. In my case, the container was then able to initiate outgoing connections again

update-alternatives --set iptables /usr/sbin/iptables-legacy

Logs and other Evidence

18.06.1+dfsg1-2:

root@debian:/home/test# dpkg -l |grep docker.io
ii  docker.io                        18.06.1+dfsg1-2              amd64        Linux container runtime
ii  python3-docker                   3.4.1-4                      all          Python 3 wrapper to access docker.io's control socket
root@debian:/home/test# /sbin/iptables -A INPUT -s 15.15.15.51 -j DROP
root@debian:/home/test# /sbin/iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-USER
-N DOCKER-ISOLATION-STAGE-2
-A INPUT -s 15.15.15.51/32 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8200 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
root@debian:/home/test# /usr/sbin/iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
root@debian:/home/test# update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-legacy - priority 10
  slave iptables-restore: /usr/sbin/iptables-legacy-restore
  slave iptables-save: /usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save
root@debian:/home/test#

18.06.1+dfsg1-3:

root@debian:/home/test# dpkg -l |grep docker.io
ii  docker.io                        18.06.1+dfsg1-3              amd64        Linux container runtime
ii  python3-docker                   3.4.1-4                      all          Python 3 wrapper to access docker.io's control socket
root@debian:/home/test# /sbin/iptables -A INPUT -s 15.15.15.51 -j DROP
root@debian:/home/test# /sbin/iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 15.15.15.51/32 -j DROP
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@debian:/home/test# /usr/sbin/iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8200 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
root@debian:/home/test# update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-legacy - priority 10
  slave iptables-restore: /usr/sbin/iptables-legacy-restore
  slave iptables-save: /usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save
root@debian:/home/test#
racke commented 5 years ago

Same thing happened to be. Workaround alleviates the problem.

vespian commented 5 years ago

+1

qingling128 commented 4 years ago

+1

artfulrobot commented 4 years ago

Related https://github.com/firehol/firehol/issues/422