[27.x backport] Only enable bridge netfiltering when needed #48511
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Kernel module br_netfilter is loaded when the daemon starts with either iptables or ip6tables enabled. That automatically sets: net.bridge.bridge-nf-call-arptables = 1 net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 So, when: - docker was running happily with iptables=false, and - no explicit ip6tables=false, and - br_netfilter was not loaded ... the change in moby 27.0 to enable ip6tables by default, resulted in net.bridge.bridge-nf-call-iptables being enabled. If the host also had a firewall with default-drop on its forward chain - that resulted in packets getting dropped between containers on a bridge network. So, only try to load br_netfilter when it's needed - it's only needed to implement "--icc=false", which can only be used when iptables or ip6tables is enabled. Signed-off-by: Rob Murray <[email protected]> (cherry picked from commit db25b0d) Signed-off-by: Rob Murray <[email protected]>
renovate bot
added a commit
to earthly/dind
that referenced
this pull request
Sep 23, 2024
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [docker/docker](https://redirect.github.com/docker/docker) | minor | `27.2.1` -> `27.3.1` | --- ### Release Notes <details> <summary>docker/docker (docker/docker)</summary> ### [`v27.3.1`](https://redirect.github.com/moby/moby/releases/tag/v27.3.1) [Compare Source](https://redirect.github.com/docker/docker/compare/v27.3.0-rc.1...v27.3.1) #### 27.3.1 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: - [docker/cli, 27.3.1 milestone](https://redirect.github.com/docker/cli/issues?q=sort%3Aupdated-desc+is%3Aclosed+milestone%3A27.3.1) - [moby/moby, 27.3.1 milestone](https://redirect.github.com/moby/moby/issues?q=sort%3Aupdated-desc+is%3Aclosed+milestone%3A27.3.1) ##### Bug fixes and enhancements - CLI: Fix issue with command execution metrics not being exported due to the CLI MeterProvider being shutdown too early. [docker/cli#5457](https://redirect.github.com/docker/cli/pull/5457) ##### Packaging updates - Update `Compose` to [v2.29.7](https://redirect.github.com/docker/compose/releases/tag/v2.29.7) ### [`v27.3.0`](https://redirect.github.com/moby/moby/releases/tag/v27.3.0) [Compare Source](https://redirect.github.com/docker/docker/compare/v27.2.1...v27.3.0-rc.1) #### 27.3.0 For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones: - [docker/cli, 27.3.0 milestone](https://redirect.github.com/docker/cli/issues?q=sort%3Aupdated-desc+is%3Aclosed+milestone%3A27.3.0) - [moby/moby, 27.3.0 milestone](https://redirect.github.com/moby/moby/issues?q=sort%3Aupdated-desc+is%3Aclosed+milestone%3A27.3.0) ##### Bug fixes and enhancements - containerd image store: Fix `docker image prune -a` untagging images used by containers started from images referenced by a digested reference. [moby/moby#48488](https://redirect.github.com/moby/moby/pull/48488) - Add a `--feature` flag to the daemon options. [moby/moby#48487](https://redirect.github.com/moby/moby/pull/48487) - Updated the handling of the `--gpus=0` flag to be consistent with the NVIDIA Container Runtime. [moby/moby#48483](https://redirect.github.com/moby/moby/pull/48483) [https://github.com/docker/cli/pull/5432](https://redirect.github.com/docker/cli/pull/5432)5432) - Support WSL2 mirrored-mode networking's use of interface `loopback0` for packets from the Windows host. [moby/moby#48514](https://redirect.github.com/moby/moby/pull/48514) - Fix an issue that prevented communication between containers on an IPv4 bridge network when running with `--iptables=false`, `--ip6tables=true` (the default), a firewall with a DROP rule for forwarded packets on hosts where the `br_netfilter` kernel module was not normally loaded. [moby/moby#48511](https://redirect.github.com/moby/moby/pull/48511) - CLI: Fix issue where `docker volume update` command would cause the CLI to panic if no argument/volume was passed. [docker/cli#5426](https://redirect.github.com/docker/cli/pull/5426) - CLI: Properly report metrics when run in WSL environment on Windows. \[[docker/cli#5432](https://redirect.github.com/docker/cli/issues/5432)] ##### Packaging updates - Update `containerd` (static binaries only) to [v1.7.22](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.22) [moby/moby#48468](https://redirect.github.com/moby/moby/pull/48468) - Updated `Buildkit` to [v0.16.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.16.0) - Update `Compose` to [v2.29.6](https://redirect.github.com/docker/compose/releases/tag/v2.29.6) - Update `Buildx` to [v0.17.1](https://redirect.github.com/docker/buildx/releases/tag/v0.17.1) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6am on monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/earthly/dind). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC44MC4wIiwidXBkYXRlZEluVmVyIjoiMzguODAuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This was referenced Oct 16, 2024
18 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
- How I did it
Kernel module br_netfilter is loaded when the daemon starts with either iptables or ip6tables enabled. That automatically sets:
So, when:
... the change in moby 27.0 to enable ip6tables by default, resulted in
net.bridge.bridge-nf-call-iptablesbeing enabled, where it wasn't before.If the host also had a firewall with default-drop on its forward chain - that resulted in packets getting dropped between containers on a bridge network.
So, only try to load br_netfilter when it's needed - it's only needed to implement
--icc=false, which only works wheniptables/ip6tablesare enabled.- How to verify it
br_netfilterloaded)."iptables":false, and"ip6tables"left as default.docker network create br4.br4can communicate. For example:docker run --rm -d --name c1 --network br4 nginx; docker run --rm -ti --network br4 alpine wget -O- http://c1br_netfilterhas been loaded,rmmod br_netfilteror reboot to get rid of it.br_netfilterhasn't been loaded.sysctl -a | grep net.bridge.bridge-nf-call.docker network create --ipv6 -o com.docker.network.bridge.enable_icc=false iccf.br_netfilterhas been loaded.- Description for the changelog