docker-ce: make docker-ce firewall handling configurable

OpenWrt has its own firewall service called fw3, which supports firewall zones.
Docker can bypass the handling of the zone rules in OpenWrt via custom
tables. These are "always" processed before the OpenWrt firewall,
which is prone to errors!

Not everyone is aware that the firewall of OpenWrt will
not be passed, and this is a security problem because a mapped port is
visible on all interfaces and so also on the WAN side.
If the firewall handling in Docker is switched off, then the port in
fw3 must be explicitly released, and it cannot happen that the
port is accidentally exported to the outside world via the interfaces in
the WAN zone.

So all rules for the containers should, and so must, be made in fw3.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
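As an added illustration (not part of this commit or of the docker-ce package), the configuration the commit message calls for: Docker's iptables handling switched off in /etc/config/dockerd, and the mapped port released deliberately in the fw3 configuration instead of implicitly on every interface. The `iptables` option name and its default of "1" come from the dockerd.init hunks below; the zone name `docker`, the bridge device `docker0`, the port 8080, the use of `list device` in a zone section and the LAN/WAN zone names are assumptions made for the example.

```uci
# /etc/config/dockerd   (example, not the package's shipped config)
config globals 'globals'
        option data_root '/opt/docker/'
        option log_level 'warn'
        list hosts 'unix:///var/run/docker.sock'
        option bip '172.18.0.1/24'
        # "1" (the default in dockerd.init) lets dockerd write its own
        # iptables chains, which are evaluated before the fw3 zone rules:
        # a port published with `docker run -p 8080:80 ...` is then reachable
        # on every interface, WAN included, without any fw3 rule.
        # "0" makes dockerd add no iptables rules at all, so fw3 alone decides
        # whether and from where a published port is reachable.  Note that
        # dockerd.init then also skips the `blocked_interfaces` rules of the
        # `firewall` section, so they must be expressed in fw3 as well.
        option iptables '0'

# /etc/config/firewall   (example; names and device are assumptions)
# Put the Docker bridge in its own zone so container traffic is subject to
# fw3 policy like any other network.
config zone
        option name 'docker'
        list device 'docker0'        # assumption: the bridge dockerd creates for `bip`
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Containers may reach the internet; the existing masq on the wan zone
# covers the source NAT that dockerd no longer sets up.
config forwarding
        option src 'docker'
        option dest 'wan'

# The explicit release the commit message refers to: only this rule opens
# the mapped host port on the WAN side.  Without it the wan zone's input
# policy (REJECT in the default OpenWrt firewall config) keeps the port
# closed, so a port can no longer be exported to the outside by accident.
config rule
        option name 'Allow-WAN-docker-8080'
        option src 'wan'
        option proto 'tcp'
        option dest_port '8080'
        option target 'ACCEPT'
```

Leave the `Allow-WAN-docker-8080` rule out for services that are only meant for the LAN; with `option iptables '0'` nothing else opens the port, which is exactly the property the commit is after.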
lilik-openwrt-22.03
Florian Eckert, 4 years ago
parent commit 1af5593568
2 changed files with 6 additions and 4 deletions
  1. utils/docker-ce/files/dockerd.init (+5 -4)
  2. utils/docker-ce/files/etc/config/dockerd (+1 -0)

utils/docker-ce/files/dockerd.init (+5 -4)

@ -137,7 +137,7 @@ ucidel() {
}
process_config() {
local alt_config_file data_root log_level bip
local alt_config_file data_root log_level iptables bip
[ -f /etc/config/dockerd ] || {
# Use the daemon default configuration
@ -150,9 +150,6 @@ process_config() {
mkdir -p "${DOCKER_CONF_DIR}"
config_load 'dockerd'
config_list_foreach firewall blocked_interfaces add_docker_firewall_rules
config_get alt_config_file globals alt_config_file
[ -n "${alt_config_file}" ] && [ -f "${alt_config_file}" ] && {
ln -s "${alt_config_file}" "${DOCKERD_CONF}"
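Review bot: removing `config_list_foreach firewall blocked_interfaces add_docker_firewall_rules` here takes the blocking rules out of the code that ran before the `alt_config_file` check; the replacement call in the later hunk sits after the generated JSON is assembled, so if the `alt_config_file` branch leaves process_config early (the rest of that block is outside this hunk), a user with an alternative config file silently loses the `blocked_interfaces` handling. Either keep a guarded call ahead of the `alt_config_file` check or state in the commit message that `blocked_interfaces` only applies to the generated daemon configuration.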
@ -161,6 +158,7 @@ process_config() {
config_get data_root globals data_root "/opt/docker/"
config_get log_level globals log_level "warn"
config_get_bool iptables globals iptables "1"
config_get bip globals bip ""
. /usr/share/libubox/jshn.sh
@ -175,6 +173,9 @@ process_config() {
config_list_foreach globals hosts json_add_array_string
json_close_array
json_add_boolean iptables "${iptables}"
[ "${iptables}" -ne "0" ] && config_foreach iptables_add_blocking_rule firewall
json_dump > "${DOCKERD_CONF}"
uciupdate "${bip}"
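Review bot: `[ "${iptables}" -ne "0" ] && config_foreach iptables_add_blocking_rule firewall` replaces the removed `config_list_foreach firewall blocked_interfaces add_docker_firewall_rules` with a different callback name and a different iteration: config_foreach walks every section of type `firewall` and passes the callback a section name, whereas config_list_foreach passed each `blocked_interfaces` entry. Neither `add_docker_firewall_rules` nor `iptables_add_blocking_rule` appears in this diff, so the patch should either include the `iptables_add_blocking_rule` definition or say where it lives and that it reads `blocked_interfaces` itself. Also, when `iptables` is 0 the guard skips the blocking rules without a trace; a `logger -t dockerd` line at that point, saying that blocked_interfaces is ignored and that container rules must now be made in fw3, would make the requirement from the commit message visible at runtime rather than only in git history.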


utils/docker-ce/files/etc/config/dockerd (+1 -0)

@ -9,6 +9,7 @@ config globals 'globals'
option log_level "warn"
list hosts "unix:///var/run/docker.sock"
option bip "172.18.0.1/24"
# option iptables "0"
# list registry_mirrors "https://<my-docker-mirror-host>"
# list registry_mirrors "https://hub.docker.com"
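Review bot: `# option iptables "0"` documents that the knob exists but not what it does; a comment above it stating the default ("1", dockerd writes its own iptables chains, which are evaluated before the fw3 zone rules), that with "0" published ports have to be released in /etc/config/firewall, and that the `blocked_interfaces` list is then ignored (see the guard added to dockerd.init) would spare the next user a trip through the init script. The double-quoted "0" matches the surrounding options, so keep that as written.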

