Univention Bugzilla – Full Text Bug Listing

| Summary: | External IP routing does not work for docker guests if univention-firewall is stopped | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Sönke Schwardt-Krummrich <schwardt> |
| Component: | Docker | Assignee: | App Center maintainers <appcenter-maintainers> |
| Status: | RESOLVED WONTFIX | QA Contact: | |
| Severity: | normal | | |
| Priority: | P5 | CC: | brodersen, troeder |
| Version: | UCS 4.1 | | |
| Target Milestone: | UCS 4.1-x | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=42698 | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 2: Improvement: Would be a product improvement |
| Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won't like this once they notice it |
| User Pain: | 0.046 | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | 38307, 39773 | | |
| Bug Blocks: | | | |
Description

Sönke Schwardt-Krummrich 2015-10-30 14:01:37 CET

*** Bug 39773 has been marked as a duplicate of this bug. ***

A generic solution would be an additional packetfilter.d/ directory with scripts that are called upon firewall shutdown.

Other idea: mark all rules added by univention-firewall and in stop() remove only those.

add:

    # iptables -A ..... -m comment --comment "${comment}" -j REQUIRED_ACTION

remove with:

    # iptables-save | grep -v "${comment}" | iptables-restore

or

    # iptables -S | grep "${comment}" | sed 's/^-A //' | while read rule; do iptables -D $rule; done

(In reply to Daniel Tröder from comment #3)
> Other idea: mark all rules added by univention-firewall and in stop() remove
> only those.

Not my preferred favorite. Because currently customers can simply stop the firewall and everything is fine if they messed something up. Additionally the iptables rules may get extremely faulty (e.g. kill important connections) if the firewall is stopped and only some manually added rules remain.

In my tests the stopping of the univention-firewall doesn't stop the network connections TO the containers, because the running docker processes have bound to the forwarded ports and seem to be injecting the packets into the network stack. If the docker processes are killed while the univention-firewall is running, the network is still intact, because now the iptables port-forwardings transport the packets to the containers. Without the docker daemon the univention-firewall will not be able to recreate the docker rules if restarted. But that is a situation unsupported by upstream (and us?). Anyway… the only thing broken when the univention-firewall is stopped is the containers' access to the outside. That is because, although host:/proc/sys/net/ipv4/ip_forward=1, they live in a not-routed private network. If in the host at the end of univention-firewall.stop() masquerading is added, that will be fixed.
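The "mark rules with a comment and delete only those" idea from comment #3, worked through as an added example that is not part of the bug report or of the univention-firewall package. The tag string, the function names and the sample `iptables -S` output are all constructed here. Instead of `grep -v "${comment}"` (which also drops unrelated rules whose comment merely contains the tag as a substring) and `while read rule; do iptables -D $rule` (which breaks on comments that `iptables -S` prints quoted), the function below matches the whole comment token, in both the unquoted form iptables uses for plain words and the quoted form it uses when the comment contains spaces, and prints one complete `iptables -D` command per tagged rule that can be piped to `sh` by the stop() action.

```shell
#!/bin/sh
# Added example: remove only the iptables rules that univention-firewall
# tagged, leaving rules added by other tools (e.g. the docker daemon) alone.
# Nothing here runs iptables; the functions operate on text so they can be
# reviewed and tested without root.

# Arguments to append to an iptables -A/-I command so the rule carries our tag.
# Usage: iptables -A INPUT -p tcp --dport 22 $(tag_args univention-firewall) -j ACCEPT
tag_args() {
    printf '%s %s %s "%s"' -m comment --comment "$1"
}

# Read `iptables [-t TABLE] -S` output on stdin and print an
# `iptables -t TABLE -D ...` command for every rule whose comment is exactly
# TAG. iptables prints the comment unquoted when it consists only of
# [A-Za-z0-9_-] and quoted otherwise, so both spellings are checked.
# Usage: tagged_rule_deletes [TABLE] [TAG]   (defaults: filter, univention-firewall)
tagged_rule_deletes() {
    table="${1:-filter}"
    tag="${2:-univention-firewall}"
    awk -v table="$table" -v tag="$tag" '
        /^-A / {
            line = $0 " "                       # trailing space: match whole tokens only
            if (index(line, " --comment " tag " ") > 0 ||
                index(line, " --comment \"" tag "\" ") > 0) {
                rule = $0
                sub(/^-A /, "", rule)           # "-A CHAIN ..." -> "CHAIN ..."
                print "iptables -t " table " -D " rule
            }
        }'
}

# Constructed sample of `iptables -S` output (filter table). Only the
# --dport 22 rule carries exactly the tag "univention-firewall"; the others
# contain it as a substring or belong to another tool.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment univention-firewall -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "univention-firewall custom" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "added by univention-firewall" -j ACCEPT
-A FORWARD -s 172.17.0.0/16 -j ACCEPT'

# Demo: print the delete commands the stop() action would execute (via `| sh`).
printf '%s\n' "$SAMPLE_RULES" | tagged_rule_deletes filter univention-firewall
```

Run as a script it prints a single `iptables -t filter -D INPUT ... --dport 22 ... -j ACCEPT` line for the sample; the rules tagged "univention-firewall custom" and "added by univention-firewall" are left untouched, which is exactly the difference between whole-token matching and the `grep -v` approach. The docker port forwardings live in the nat table, so a real stop() would run this once per table (`iptables -t nat -S | tagged_rule_deletes nat`).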
Index: base/univention-firewall/debian/univention-firewall.init =================================================================== --- base/univention-firewall/debian/univention-firewall.init (Revision 65282) +++ base/univention-firewall/debian/univention-firewall.init (Arbeitskopie) @@ -52,6 +52,7 @@ iptables -F iptables -F -t nat iptables -F -t mangle + iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE ip6tables -P INPUT ACCEPT ip6tables -P OUTPUT ACCEPT

IMHO as the stopping of the docker daemon is unsupported this fixes the bug.

All the port forwarding for docker apps is done with /etc/security/packetfilter.d/20_docker.sh. If the firewall is disabled (security/packetfilter/disabled=true) most of the apps won't be usable anymore. Maybe we could add a way to add "unstoppable" rules to univention-firewall that are getting called even if the firewall is deactivated or gets stopped? (Like in comment 2)

This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
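Review bot: the MASQUERADE rule added after `iptables -F -t nat` hardcodes the source network `172.17.0.0/16` and is applied unconditionally, so it silently does nothing on hosts whose docker daemon uses a different bridge subnet and, on hosts without docker at all, masquerades any traffic from that private range that happens to be routed through the host. Derive the network from the docker0 interface address (or docker's configured bridge setting) and only append the rule when docker0 exists, e.g. guard the line with an `ip link show docker0` check; a short comment above it saying that stop() must keep container egress working would also help the next reader, since nothing else in this hunk explains why a nat rule is installed while the firewall is being shut down.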