openwrt / packages

Community maintained packages for OpenWrt. Documentation for submitting pull requests is in CONTRIBUTING.md
GNU General Public License v2.0

dockerd: Configuration in nftables breaks IPv6 routing #24492

Open Fail-Safe opened 3 days ago

Fail-Safe commented 3 days ago

Maintainer: @G-M0N3Y-2503

Environment:

root@OpenWrt:~# cat /etc/os-release | grep OPENWRT
OPENWRT_BOARD="x86/64"
OPENWRT_ARCH="x86_64"
OPENWRT_TAINTS="no-all busybox"
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt SNAPSHOT r26816-55bda9863d"

root@OpenWrt:~# docker --version
Docker version 27.0.2, build 912c1dd

Description:

When the dockerd service starts (or restarts) it adds the following configuration to the nft ruleset:

table ip6 nat {
    chain DOCKER {
    }
}
table ip6 filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 308 bytes 34270 jump DOCKER-USER
    }

    chain DOCKER-USER {
        counter packets 695 bytes 87813 return
    }

    chain DOCKER {
    }

    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
        counter packets 0 bytes 0 return
    }

    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "docker0" counter packets 0 bytes 0 drop
        counter packets 0 bytes 0 return
    }
}

This breaks IPv6 forwarding/routing from all of my client subnets on my OpenWrt box. Also, the OpenWrt web UI indicates "Legacy rules detected" in the Firewall section while the above rules are in the ruleset.

To restore IPv6 functionality for my client subnets, I have to run /etc/init.d/firewall stop && /etc/init.d/firewall start. After stop & start of the firewall service, the above rules are no longer in the nftables ruleset and IPv6 again works properly for my clients.

Is there a configuration option in my dockerd config that is incorrect or missing? Or is this a bug?

root@OpenWrt:~# cat /etc/config/dockerd

config globals 'globals'
    option data_root '/opt/docker/'
    option log_level 'warn'
    option iptables '0'
    option remote_endpoint '0'

config firewall 'firewall'
    option device 'docker0'
    list blocked_interfaces 'wan'
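A quick way to confirm the condition described in this report from the ruleset alone, added here as an example (it is not part of the issue or of the OpenWrt packages project): the function reads `nft list ruleset` text on stdin and prints every base chain that hooks `forward` with `policy drop` and contains no `accept` rule, which is exactly the shape of the `ip6 filter FORWARD` chain shown above (its only rule jumps to `DOCKER-USER`, which returns, so routed traffic falls through to the drop policy). The embedded ruleset is constructed for the example: the Docker chains follow the shape of the report, and the `inet fw4` chain is a hypothetical, trimmed fw4 forward chain that does carry an accept rule and so must not be flagged. The function name is the example's own. On a live box you would pipe `nft list ruleset` into it instead of the sample.

```shell
#!/bin/sh
# Constructed sample ruleset (example data, not copied verbatim from a box):
# the Docker-created ip6 tables in the shape the report shows, plus a trimmed,
# hypothetical fw4 forward chain that has an accept rule.
SAMPLE_RULESET='table ip6 nat {
    chain DOCKER {
    }
}
table ip6 filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 308 bytes 34270 jump DOCKER-USER
    }

    chain DOCKER-USER {
        counter packets 695 bytes 87813 return
    }
}
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "br-lan" jump forward_lan
    }
}'

# check_forward_drop_chains: read an nft ruleset on stdin and print one line
# "<family> <table> <chain>" for every base chain that hooks "forward" with
# "policy drop" and holds no accept rule of its own. Such a chain drops all
# forwarded traffic of its family that no other rule accepted first.
# Caveat: a jump to a chain that accepts is not followed, so a chain whose
# only accept lives in a jump target would still be listed; treat hits as
# "inspect this chain", not as proof of breakage.
check_forward_drop_chains() {
    awk '
    /^table /                      { family = $2; table = $3; next }
    /^[[:space:]]*chain /          { chain = $2; hook = ""; drop = 0; accept = 0; next }
    /hook forward/ && /policy drop/ { hook = "forward"; drop = 1; next }
    /accept/                       { accept = 1 }
    /^[[:space:]]*}/ {
        # closing brace of a chain (chain is non-empty) or of a table
        if (chain != "" && hook == "forward" && drop && !accept)
            print family, table, chain
        chain = ""
    }'
}

# Stand-alone run over the constructed sample; on a router use:
#   nft list ruleset | check_forward_drop_chains
printf '%s\n' "$SAMPLE_RULESET" | check_forward_drop_chains
```

The expected report for the sample is a single line, `ip6 filter FORWARD`: the `ip6 nat DOCKER` chain has no hook, `DOCKER-USER` is not a base chain, and the fw4 chain carries an accept rule. Seeing that line while IPv6 clients cannot reach beyond the gateway is the state the reporter describes; after the firewall stop/start the `ip6 filter` table is gone and the check prints nothing.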

brada4 commented 2 days ago

ubus call system board

What made you think routing is affected?

Fail-Safe commented 2 days ago

root@OpenWrt:~# ubus call system board
{
    "kernel": "6.6.35",
    "hostname": "OpenWrt",
    "system": "Intel(R) N100",
    "model": "AZW EQ",
    "board_name": "azw-eq",
    "rootfs_type": "ext4",
    "release": {
        "distribution": "OpenWrt",
        "version": "SNAPSHOT",
        "revision": "r26816-55bda9863d",
        "target": "x86/64",
        "description": "OpenWrt SNAPSHOT r26816-55bda9863d"
    }
}

I'm not definitively saying routing was affected. But I could successfully ping6 the IPv6 LL address of my OpenWrt gateway (the box I provided details for above) from my client hosts. But I could not ping6 any IPv6 hops beyond this gateway while the ruleset statements in my OP were in place. As soon as I stopped and then restarted the firewall service, thus removing that ruleset, I could immediately regain IPv6 connectivity through the gateway to internet hosts.

G-M0N3Y-2503 commented 2 days ago

Looks like this issue is the root cause https://github.com/openwrt/packages/issues/17766

brada4 commented 2 days ago

iptables-nft-save and ip6tables-nft-save are needed along with the full nft list ruleset. The current excerpts do not show the source of the compat warning or of the forward chain defaulting to dropping packets. EDIT: there is a slim hope the issue can be fixed by changing one or two dependencies.