Add an opt-out for iptables 'raw' rules

For kernels that don't have CONFIG_IP_NF_RAW, if the env
var DOCKER_INSECURE_NO_IPTABLES_RAW is set to "1", don't
try to create raw rules.

This means direct routing to published ports is possible
from other hosts on the local network, even if the port
is published to a loopback address.

Signed-off-by: Rob Murray <rob.murray@docker.com>
Author: Rob Murray
Date: 2025-03-10 15:48:02 +00:00
Parent: a1c1340196
Commit: cf3e42abaf
8 changed files with 97 additions and 9 deletions

@@ -159,6 +159,10 @@ func (daemon *Daemon) fillPlatformInfo(ctx context.Context, v *system.Info, sysI
if !v.IPv4Forwarding {
v.Warnings = append(v.Warnings, "WARNING: IPv4 forwarding is disabled")
}
// Env-var belonging to the bridge driver, disables use of the iptables "raw" table.
if os.Getenv("DOCKER_INSECURE_NO_IPTABLES_RAW") == "1" {
v.Warnings = append(v.Warnings, "WARNING: DOCKER_INSECURE_NO_IPTABLES_RAW is set")
}
return nil
}
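Review bot: the warning string added in this hunk ("WARNING: DOCKER_INSECURE_NO_IPTABLES_RAW is set") tells the operator that the variable is set but not what it costs them; the commit message spells out the consequence (raw rules are not created, so ports published to a loopback address become reachable from other hosts on the local network), and the warning is the one place a `docker info` user will see it, so it should say something like "WARNING: DOCKER_INSECURE_NO_IPTABLES_RAW is set, iptables raw rules are not created and published ports are reachable from the local network". Separately, the variable name literal and the `== "1"` comparison are now duplicated between this daemon code and the bridge driver that the comment says owns the setting; exporting a constant and a single "is the raw table disabled" helper from the bridge driver package would keep this warning from drifting if the driver's parsing changes (for example, if it later also accepts "true"). Finally, the hunk calls `os.Getenv` without showing an import change, so confirm that `os` is already imported in this file.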