This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

Docker 1.13 defaults IP forwarding to DROP #2758

Closed
bboreham opened this issue Jan 31, 2017 · 3 comments
Comments

@bboreham (Contributor)

This change is in moby/moby#28257. Effects include "pod-to-pod traffic works but pod to Internet does not". It will probably also break most uses of weave expose.

Docker adds these rules:

-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT

so we could do something similar for the weave bridge. It needs to take into account the weave-npc rules which already cover traffic onto the weave bridge (if enabled).
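The following is an added example, not code from this issue or from Weave Net itself. It shows how an operator can recognise the situation described above from a dump of the FORWARD chain: the chain policy is DROP, docker0 has been granted forwarding by the two rules quoted, and a second bridge (the name `weave` is assumed here) has not, so traffic leaving that bridge for the Internet is dropped. The dump is a constructed sample in the shape of `iptables -S FORWARD` output; the script only reads such a dump and prints the rules that would give the bridge the same treatment as docker0, it does not change the host, and it does not model the weave-npc rules mentioned above.

```shell
#!/bin/sh
# Added example (not from the weave project or this issue): offline check of
# an `iptables -S FORWARD` dump for the Docker 1.13 behaviour described above.
# Assumptions: the bridge name "weave" and the sample dump below are constructed.

# Constructed sample of `iptables -S FORWARD` on a Docker 1.13 host: the chain
# policy is DROP and only docker0 has been granted forwarding.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# Print the FORWARD chain policy (ACCEPT or DROP) found in a dump read from stdin.
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Succeed if the dump on stdin already lets traffic from bridge $1 leave the
# bridge, i.e. contains the "-i <bridge> ! -o <bridge> -j ACCEPT" rule that
# Docker adds for docker0.
bridge_can_forward_out() {
    grep -qx -- "-A FORWARD -i $1 ! -o $1 -j ACCEPT"
}

# Print the two rules that would give bridge $1 the same treatment as docker0.
rules_for_bridge() {
    printf '%s\n' "-A FORWARD -i $1 ! -o $1 -j ACCEPT" \
                  "-A FORWARD -i $1 -o $1 -j ACCEPT"
}

# Report whether bridge $1 is affected by the DROP default: prints "affected"
# when the policy is DROP and no egress ACCEPT rule exists for the bridge,
# otherwise "ok". The dump is read from stdin.
check_bridge() {
    dump=$(cat)
    policy=$(printf '%s\n' "$dump" | forward_policy)
    if [ "$policy" = "DROP" ] && ! printf '%s\n' "$dump" | bridge_can_forward_out "$1"; then
        echo affected
    else
        echo ok
    fi
}

# Stand-alone demo on the constructed sample.
echo "FORWARD policy: $(printf '%s\n' "$SAMPLE_FORWARD" | forward_policy)"
for br in docker0 weave; do
    echo "$br: $(printf '%s\n' "$SAMPLE_FORWARD" | check_bridge "$br")"
done
echo "rules that would be needed for weave:"
rules_for_bridge weave
```

On a real host the same functions can be fed with `iptables -S FORWARD | check_bridge weave`; the printed rules are a starting point for review, since a bridge that carries network-policy traffic should get rules that fit alongside the existing weave-npc chain rather than a blanket ACCEPT.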

@bboreham (Contributor, Author) commented Feb 2, 2017

Re-opening because I don't think the rules I added will allow a connection in. See kubernetes/kubernetes#40182 (comment)

@bboreham bboreham reopened this Feb 2, 2017
@bboreham bboreham modified the milestones: 1.9.1, 1.9.0 Feb 2, 2017
@bboreham bboreham modified the milestones: 1.9.1, 1.9.2 Feb 27, 2017
@brb brb modified the milestones: 1.9.2, 1.9.3 Mar 1, 2017
@marccarre marccarre modified the milestones: 1.9.3, 1.9.4 Mar 7, 2017
@bboreham (Contributor, Author) commented Apr 4, 2017

Kubernetes has maintained the line that they don't support Docker 1.13.
#2762 appears to have fixed the non-Kubernetes cases.

@bboreham bboreham removed this from the 1.9.4 milestone Apr 4, 2017
@brb (Contributor) commented Jul 4, 2017

This (= default DROP policy for the FORWARD chain of the filter table) breaks the awsvpc mode as well.

@bboreham bboreham added this to the 2.1 milestone Nov 14, 2017