From 1af559356829cad1ff0977900f7de459ae50a3a6 Mon Sep 17 00:00:00 2001
From: Florian Eckert
Date: Wed, 11 Nov 2020 13:34:39 +0100
Subject: [PATCH] docker-ce: make docker-ce firewall handling configurable
Openwrt has a own firewall service called fw3, that supports firewall zones. Docker can bypass the handling of the zone rules in openwrt via custom tables. These are "always" processed before the openwrt firewall. Which is prone to errors! Since not everyone is aware that the firewall of openwrt will not be passed. And this is a security problem because a mapped port is visible on all interfaces and so also on the WAN side. If the firewall handling in docker is switched off, then the port in fw3 must be explicitly released and it cannot happen that the port is accidentally exported to the outside world via the interfaces on the WAN zone. So all rules for the containers should and so must be made in fw3.
Signed-off-by: Florian Eckert
---
 utils/docker-ce/files/dockerd.init | 9 +++++----
 utils/docker-ce/files/etc/config/dockerd | 1 +
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/utils/docker-ce/files/dockerd.init b/utils/docker-ce/files/dockerd.init
index aae396695..b0878a472 100755
--- a/utils/docker-ce/files/dockerd.init
+++ b/utils/docker-ce/files/dockerd.init
@@ -137,7 +137,7 @@ ucidel() {
 }
 process_config() {
- local alt_config_file data_root log_level bip
+ local alt_config_file data_root log_level iptables bip
 [ -f /etc/config/dockerd ] || {
 # Use the daemon default configuration
@@ -150,9 +150,6 @@ process_config() {
 mkdir -p "${DOCKER_CONF_DIR}"
 config_load 'dockerd'
-
- config_list_foreach firewall blocked_interfaces add_docker_firewall_rules
-
 config_get alt_config_file globals alt_config_file
 [ -n "${alt_config_file}" ] && [ -f "${alt_config_file}" ] && {
 ln -s "${alt_config_file}" "${DOCKERD_CONF}"
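Review bot: Dropping `config_list_foreach firewall blocked_interfaces add_docker_firewall_rules` here and re-adding the blocking-rule setup next to `json_dump` in the -175 hunk changes when it runs: the old call executed right after `config_load`, before the `alt_config_file` branch, so if that branch returns early (its body is cut off at the end of this hunk) installations that point at an alternate daemon.json no longer get any blocked_interfaces rules. That may be intended, since an alternate config can set iptables itself, but the commit message does not say so; a comment on the new call such as `# blocking rules are only installed for the uci-generated daemon.json` would make the behaviour explicit. This hunk also removes the last reference to `add_docker_firewall_rules` visible in the patch; if that function is still defined elsewhere in dockerd.init rather than renamed to `iptables_add_blocking_rule`, it is now dead code. process_config continues outside the hunk.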
@@ -161,6 +158,7 @@ process_config() {
 config_get data_root globals data_root "/opt/docker/"
 config_get log_level globals log_level "warn"
+ config_get_bool iptables globals iptables "1"
 config_get bip globals bip ""
 . /usr/share/libubox/jshn.sh
@@ -175,6 +173,9 @@ process_config() {
 config_list_foreach globals hosts json_add_array_string
 json_close_array
+ json_add_boolean iptables "${iptables}"
+ [ "${iptables}" -ne "0" ] && config_foreach iptables_add_blocking_rule firewall
+
 json_dump > "${DOCKERD_CONF}"
 uciupdate "${bip}"
diff --git a/utils/docker-ce/files/etc/config/dockerd b/utils/docker-ce/files/etc/config/dockerd
index 13d9845c6..d0e39cc9a 100644
--- a/utils/docker-ce/files/etc/config/dockerd
+++ b/utils/docker-ce/files/etc/config/dockerd
@@ -9,6 +9,7 @@ config globals 'globals'
 option log_level "warn"
 list hosts "unix:///var/run/docker.sock"
 option bip "172.18.0.1/24"
+# option iptables "0"
 # list registry_mirrors "https://"
 # list registry_mirrors "https://hub.docker.com"
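Review bot: `config_foreach iptables_add_blocking_rule firewall` in the -175 hunk hands each `config firewall` section name to the callback, whereas the call removed in the -150 hunk passed each `blocked_interfaces` value; the callback is not part of this patch, so unless `iptables_add_blocking_rule` walks the section's list itself (`config_list_foreach "$1" blocked_interfaces …`) it will now receive a section id where it used to get an interface name. A short comment on the call, e.g. `# one rule set per firewall section; the callback iterates its blocked_interfaces`, would pin that contract once confirmed. Separately, `iptables "0"` makes Docker give up all of its netfilter handling, including the MASQUERADE for the bip bridge and not only the published-port DNAT, so the `# option iptables "0"` example added to etc/config/dockerd should say that fw3 must then supply both forwarding and masquerading for the docker bridge, otherwise containers lose outbound connectivity and the failure is hard to diagnose. The guard itself is sound because `config_get_bool` in the -161 hunk normalizes the value to 0 or 1. process_config starts and ends outside these hunks.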