mirror of
https://github.com/moby/moby.git
synced 2026-01-11 18:51:37 +00:00
libnet/d/bridge: port mappings: drop direct-access when gw_mode=nat
When a NAT-based port mapping is created, the daemon adds a DNAT rule in nat-DOCKER to replace the dest addr with the container IP. However, the daemon never sets up rules to filter packets destined directly to the container port. This allows a rogue neighbor (i.e. a host that shares a L2 segment with the host) to send packets directly to the container on its container-side exposed port. For instance, if container port 5000 is mapped to host port 6000, a neighbor could send packets directly to the container on its port 5000.

Since nat-DOCKER mangles the dest addr, and the nat table forbids DROP rules, this change adds a new rule in the raw-PREROUTING chain to filter ingress connections targeting the container's IP address.

This filtering is only done when gw_mode=nat. For the unprotected variant, no filtering is done.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
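The two rules the commit message describes, as an added shell illustration that is not moby's own code: the DNAT rule in nat-DOCKER for a mapping, the raw-PREROUTING DROP rule that is emitted only for gw_mode=nat, and a small model of that rule's match so the verdict for a packet sent straight to the container IP can be compared with and without the filter, without a root shell. The exact rule shape, the `! -i <bridge>` match, the interface names and the 172.17.0.2 address are assumptions.

```shell
#!/bin/sh
# Added illustration, not code from moby. Rules are printed, not applied, so the
# output can be read or diffed against `iptables -S` on a live host.

# DNAT rule in nat-DOCKER for host_port -> ctr_ip:ctr_port (shape assumed).
dnat_rule() {
  # $1 bridge_iface  $2 host_port  $3 ctr_ip  $4 ctr_port  $5 proto
  printf 'iptables -t nat -A DOCKER ! -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$1" "$5" "$2" "$3" "$4"
}

# raw-PREROUTING rule dropping packets addressed directly to the container IP on
# the mapped container port. The nat table cannot hold DROP rules, hence raw.
# Only gw_mode=nat gets the rule; the unprotected variant gets none (as in the
# commit message). The "! -i bridge" match (assumed) keeps traffic arriving from
# the container's own bridge, i.e. container-to-container, unaffected.
direct_access_filter_rule() {
  # $1 gw_mode  $2 bridge_iface  $3 ctr_ip  $4 ctr_port  $5 proto
  case "$1" in
    nat)
      printf 'iptables -t raw -A PREROUTING ! -i %s -p %s -d %s --dport %s -j DROP\n' \
        "$2" "$5" "$3" "$4"
      ;;
    *) ;;  # unprotected: intentionally no filtering
  esac
}

# Model of the DROP rule's match for one TCP packet: prints DROP when the rule
# above would discard it, CONTINUE when the packet proceeds to routing/nat.
direct_access_verdict() {
  # $1 gw_mode $2 bridge_iface $3 ctr_ip $4 ctr_port $5 in_iface $6 dst_ip $7 dst_port
  if [ "$1" = nat ] && [ "$5" != "$2" ] && [ "$6" = "$3" ] && [ "$7" = "$4" ]; then
    echo DROP
  else
    echo CONTINUE
  fi
}

# The commit message's case: container port 5000 mapped to host port 6000.
CTR_IP=172.17.0.2; CTR_PORT=5000; HOST_PORT=6000; BRIDGE=docker0
dnat_rule "$BRIDGE" "$HOST_PORT" "$CTR_IP" "$CTR_PORT" tcp
direct_access_filter_rule nat "$BRIDGE" "$CTR_IP" "$CTR_PORT" tcp
# A neighbor on eth0 sending straight to 172.17.0.2:5000 is dropped under nat,
# but reaches the container under the unprotected variant.
direct_access_verdict nat "$BRIDGE" "$CTR_IP" "$CTR_PORT" eth0 "$CTR_IP" "$CTR_PORT"
direct_access_verdict unprotected "$BRIDGE" "$CTR_IP" "$CTR_PORT" eth0 "$CTR_IP" "$CTR_PORT"
```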
@@ -542,6 +542,7 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
libprotobuf-c1 \
libyajl2 \
net-tools \
netcat-openbsd \
patch \
pigz \
sudo \
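Review bot: the commit message does not mention this Dockerfile change: the header `@@ -542,6 +542,7 @@` shows one package being added to the dev image's apt-get install list (the rendered view has dropped the +/- markers, so which of `net-tools`, `netcat-openbsd` and the others is new cannot be read off here), yet the message only describes the new raw-PREROUTING rule. Add a sentence to the message naming the added package and why the networking fix needs it (for instance, if it is only used by an integration test exercising direct access to the container port), so a reader of the history does not have to diff the Dockerfile to connect the dependency to the change.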