If docker-ce handles the firewall and fw3 is not envolved because the
rules get not proceed, then not only docker0 should be handled but also
other interfaces and therefore other docker networks.
This commit extends the handling and introduces a new uci option
`device` in the docker config firewall section. This can be used to specify
which device is allowed to access the container. Up to now only docker0
is covert.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
As the protocol is set to none, this makes no sense here, as it cannot
be controlled and thus processed by the netifd.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Openwrt has a own firewall service called fw3, that supports firewall zones.
Docker can bypass the handling of the zone rules in openwrt via custom
tables. These are "always" processed before the openwrt firewall.
Which is prone to errors!
Since not everyone is aware that the firewall of openwrt will
not be passed. And this is a security problem because a mapped port is
visible on all interfaces and so also on the WAN side.
If the firewall handling in docker is switched off, then the port in
fw3 must be explicitly released and it cannot happen that the
port is accidentally exported to the outside world via the interfaces on
the WAN zone.
So all rules for the containers should and so must be made in fw3.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Up to now only the docker0 interface and bridge is created by default.
In order to create other interfaces and to integrate them into the
openwrt these functions can now be called with arguments.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This includes security fixes for:
* CVE-2020-28362: panic during recursive division of very large numbers
* CVE-2020-28366: arbitrary code can be injected into cgo generated
files
* CVE-2020-28367: improper validation of cgo flags can lead to remote
code execution at build time
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Upstream commit 90884c62 ("xl2tpd-control refactoring") introduced in
1.3.16 changed command names
The l2tp protocol handler part was from @danvd in pull request
openwrt/packages#13866
Fixes f07319d6 ("xl2tpd: bump to version 1.3.16")
Ref: https://github.com/openwrt/packages/pull/13866
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* blocked_interfaces blocks all packets to docker0 from the given
interface. This is needed because all the iptables commands dockerd
adds operate before any of the fw3 generated rules.
Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
Maintainer: @codemarauder
Compile tested: Yes
Run tested: x86_64 PCEngines APU
Description:
A Tunnel which Improves your Network Quality on a High-latency Lossy Link by using Forward Error Correction,for All Traffics(TCP/UDP/ICMP)
It does it by sending redundant packets and re-arranging them to account for packet loss over the link. It uses Reed–Solomon code.
Signed-off-by: Nishant Sharma <codemarauder@gmail.com>
