Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

docker-ce: make docker-ce firewall handling configurable

Browse source 
Openwrt has a own firewall service called fw3, that supports firewall zones.
Docker can bypass the handling of the zone rules in openwrt via custom
tables. These are "always" processed before the openwrt firewall.
Which is prone to errors!

Since not everyone is aware that the firewall of openwrt will
not be passed. And this is a security problem because a mapped port is
visible on all interfaces and so also on the WAN side.
If the firewall handling in docker is switched off, then the port in
fw3 must be explicitly released and it cannot happen that the
port is accidentally exported to the outside world via the interfaces on
the WAN zone.

So all rules for the containers should and so must be made in fw3.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This commit is contained in:
Florian Eckert 2020-11-11 13:34:39 +01:00
parent dc9d9d2202
commit 1af5593568
2 changed files with 6 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
utils/docker-ce/files/dockerd.init
View file

@ -137,7 +137,7 @@ ucidel() {
} }
process_config() { process_config() {
local alt_config_file data_root log_level bip local alt_config_file data_root log_level iptables bip
[ -f /etc/config/dockerd ] || { [ -f /etc/config/dockerd ] || {
# Use the daemon default configuration # Use the daemon default configuration
@ -150,9 +150,6 @@ process_config() {
mkdir -p "${DOCKER_CONF_DIR}" mkdir -p "${DOCKER_CONF_DIR}"
config_load 'dockerd' config_load 'dockerd'
config_list_foreach firewall blocked_interfaces add_docker_firewall_rules
config_get alt_config_file globals alt_config_file config_get alt_config_file globals alt_config_file
[ -n "${alt_config_file}" ] && [ -f "${alt_config_file}" ] && { [ -n "${alt_config_file}" ] && [ -f "${alt_config_file}" ] && {
ln -s "${alt_config_file}" "${DOCKERD_CONF}" ln -s "${alt_config_file}" "${DOCKERD_CONF}"
@ -161,6 +158,7 @@ process_config() {
config_get data_root globals data_root "/opt/docker/" config_get data_root globals data_root "/opt/docker/"
config_get log_level globals log_level "warn" config_get log_level globals log_level "warn"
config_get_bool iptables globals iptables "1"
config_get bip globals bip "" config_get bip globals bip ""
. /usr/share/libubox/jshn.sh . /usr/share/libubox/jshn.sh
@ -175,6 +173,9 @@ process_config() {
config_list_foreach globals hosts json_add_array_string config_list_foreach globals hosts json_add_array_string
json_close_array json_close_array
json_add_boolean iptables "${iptables}"
[ "${iptables}" -ne "0" ] && config_foreach iptables_add_blocking_rule firewall
json_dump > "${DOCKERD_CONF}" json_dump > "${DOCKERD_CONF}"
uciupdate "${bip}" uciupdate "${bip}"

1
utils/docker-ce/files/etc/config/dockerd
View file

@ -9,6 +9,7 @@ config globals 'globals'
option log_level "warn" option log_level "warn"
list hosts "unix:///var/run/docker.sock" list hosts "unix:///var/run/docker.sock"
option bip "172.18.0.1/24" option bip "172.18.0.1/24"
# option iptables "0"
# list registry_mirrors "https://<my-docker-mirror-host>" # list registry_mirrors "https://<my-docker-mirror-host>"
# list registry_mirrors "https://hub.docker.com" # list registry_mirrors "https://hub.docker.com"