Add daemon option --allow-direct-routing

Per-network option com.docker.network.bridge.trusted-host-interfaces
accepts a list of interfaces that are allowed to route
directly to a container's published ports in a bridge
network with nat enabled.

This daemon-level option disables direct access filtering,
enabling direct access to published ports on container
addresses in all bridge networks, via all host interfaces.

It overlaps with the short-term env-var workaround:
  DOCKER_INSECURE_NO_IPTABLES_RAW=1
- it does not allow packets sent from outside the host to reach
  ports published only to 127.0.0.1
- it will outlive iptables (the workaround was initially intended
  for hosts that do not have kernel support for the "raw" iptables
  table).

Signed-off-by: Rob Murray <rob.murray@docker.com>
Rob Murray
2025-04-14 17:59:25 +01:00
parent c16caabe36
commit 44a3453d73
8 changed files with 42 additions and 12 deletions

@@ -415,6 +415,10 @@ unix://[/path/to/socket] to use.
Use TLS and verify the remote (daemon: verify client, client: verify daemon).
Default is **false**.
**--allow-direct-routing**=**true**|**false**
Allow remote access to published ports on container IP addresses.
Default is **false**.
**--userland-proxy**=**true**|**false**
Rely on a userland proxy implementation for inter-container and
outside-to-container loopback communications. Default is **true**.
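Review bot: the new man-page entry for `--allow-direct-routing` is too terse for an option that the commit message describes as disabling direct-access filtering in every bridge network with NAT enabled, via every host interface; "Allow remote access to published ports on container IP addresses" does not convey that scope, nor that the narrower per-network setting `com.docker.network.bridge.trusted-host-interfaces` exists for the case where only specific interfaces should be trusted. Suggest expanding the description to something like "Disable filtering of direct access to published ports on container IP addresses, in all bridge networks and via all host interfaces. See the per-network option com.docker.network.bridge.trusted-host-interfaces to allow this for selected interfaces only." so a reader of the man page alone understands what they are switching off.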