I use nftables to set my firewall rules. I typically manually configure the rules myself. Recently, I just happened to dump the ruleset, and, much to my surprise, my config was gone, and it was replaced with an enourmous amount of extremely cryptic firewall rules. After a quick examination of the rules, I found that it was Docker that had modified them. And after some brief research, I found a number of open issues, just like this one, of people complaining about this behaviour. I think it’s an enourmous security risk to have Docker silently do this by default.

I have heard that Podman doesn’t suffer from this issue, as it is daemonless. If that is true, I will certainly be switching from Docker to Podman.

  • N0x0n@lemmy.ml
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    8 months ago

    Option to disable this behavior would be 100x better then current, but what do I know lol

    Prevent docker from manipulating iptables

    Don’t know what it’s actually doing, I’m just learning how to work with nftables, but I saved that link in case oneday I want to manage the iptables rules myself :)

    • Auli@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      Good luck. Your going to have to change the rules whenever the up address of the container changes.

      • N0x0n@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        edit-2
        8 months ago

        If you are talking about the IP address then just add a static address, no? I do it anyway in my docker compose:

        ...
            networks:
              traefik.net:
                ipv4_address: 10.10.10.99
        
        networks:
            traefik.net:
              name: traefik-net
              external: true
        

        I’m not an expert so maybe I’m wrong, if so do not hesitate to correct me !

        EDIT: If the IP address doesn’t change, you do not need to change to routing and iptables/nftables rules. ??