LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

docker-ce: make docker-ce firewall handling configurable 

Openwrt has a own firewall service called fw3, that supports firewall zones.
Docker can bypass the handling of the zone rules in openwrt via custom
tables. These are "always" processed before the openwrt firewall.
Which is prone to errors!

Since not everyone is aware that the firewall of openwrt will
not be passed. And this is a security problem because a mapped port is
visible on all interfaces and so also on the WAN side.
If the firewall handling in docker is switched off, then the port in
fw3 must be explicitly released and it cannot happen that the
port is accidentally exported to the outside world via the interfaces on
the WAN zone.

So all rules for the containers should and so must be made in fw3.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
lilik-openwrt-22.03
Florian Eckert 4 years ago
parent
dc9d9d2202
commit
1af5593568
2 changed files with 6 additions and 4 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +5
    -4
      utils/docker-ce/files/dockerd.init
  2. +1
    -0
      utils/docker-ce/files/etc/config/dockerd

+ 5
- 4
utils/docker-ce/files/dockerd.init View File

@ -137,7 +137,7 @@ ucidel() {
}
process_config() {
local alt_config_file data_root log_level bip
local alt_config_file data_root log_level iptables bip
[ -f /etc/config/dockerd ] || {
# Use the daemon default configuration
@ -150,9 +150,6 @@ process_config() {
mkdir -p "${DOCKER_CONF_DIR}"
config_load 'dockerd'
config_list_foreach firewall blocked_interfaces add_docker_firewall_rules
config_get alt_config_file globals alt_config_file
[ -n "${alt_config_file}" ] && [ -f "${alt_config_file}" ] && {
ln -s "${alt_config_file}" "${DOCKERD_CONF}"
@ -161,6 +158,7 @@ process_config() {
config_get data_root globals data_root "/opt/docker/"
config_get log_level globals log_level "warn"
config_get_bool iptables globals iptables "1"
config_get bip globals bip ""
. /usr/share/libubox/jshn.sh
@ -175,6 +173,9 @@ process_config() {
config_list_foreach globals hosts json_add_array_string
json_close_array
json_add_boolean iptables "${iptables}"
[ "${iptables}" -ne "0" ] && config_foreach iptables_add_blocking_rule firewall
json_dump > "${DOCKERD_CONF}"
uciupdate "${bip}"


+ 1
- 0
utils/docker-ce/files/etc/config/dockerd View File

@ -9,6 +9,7 @@ config globals 'globals'
option log_level "warn"
list hosts "unix:///var/run/docker.sock"
option bip "172.18.0.1/24"
# option iptables "0"
# list registry_mirrors "https://<my-docker-mirror-host>"
# list registry_mirrors "https://hub.docker.com"


Write Preview
Loading…
Cancel
Save