Control: forcemerge 865975 -1

I looked at the bug list of docker.io and found it's already reported at #865975.

docker did this intentionally, and also mentioned this behaviour in its
changelog (in src engine/CHANGELOG.md, not in /usr/share/doc)

* Change the default `FORWARD` policy to `DROP`
[#28257](https://github.com/docker/docker/pull/28257)

And please note that this change is since docker 1.13.0 (2017-01-18).

In #865975, people have already played with the bug severity, and I
don't think it's worth playing again this time.

On Mon, Jun 10, 2019 at 4:38 PM Jonathan Dowland <j...@debian.org> wrote:
>
> clone 903635 -1
> retitle -1 installing and starting docker changes iptables FORWARD policy, 
> breaking unrelated things
> severity 903635 important
> found 903635 18.09.1+dfsg1-7
> found -1 18.09.1+dfsg1-7
> thanks
>
> On Mon, Jun 10, 2019 at 01:27:45AM +0800, Shengjing Zhu wrote:
> >Could you provide more info about "changed my FORWARD chain policy to
> >DROP"?
>
> In a fresh test Buster installation. Before:
>
> > # iptables -L | grep FORWARD
> > Chain FORWARD (policy ACCEPT)
> > # dpkg -l docker.io
> > # dpkg-query: no packages found matching docker.io
> > # apt install -y docker.io
>
> After
>
> > # iptables -L | grep FORWARD
> > Chain FORWARD (policy ACCEPT)
> > # systemctl start docker
> > # iptables -L | grep FORWARD
> > Chain FORWARD (policy DROP)
>
> So: Installing (*and* starting) Docker, with no other configuration steps
> performed by the user, changes the FORWARD table policy, which breaks e.g.
> any running VMs on the host.
>
> >I add `"iptables": false` to `/etc/docker/daemon.json`. Then reboot
> >my laptop. Then run `iptables-save`.
>
> Setting that does stop this from happening, yes. If this was the package
> default that would resolve the issue I have.
>
> But that would not address the original filer's issue (unnecessary chain
> DOCKER-USER creation, which I can reproduce). I should have filed a separate
> issue really, sorry. I've cloned now.
>
>
> --
>
> ⢀⣴⠾⠻⢶⣦⠀
> ⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
> ⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
> ⠈⠳⣄⠀⠀⠀⠀



-- 
Shengjing Zhu
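
The before/after check from the quoted report can be scripted against `iptables-save` output instead of grepping `iptables -L`. This is an added example, not part of the thread or of the docker.io package: the function names and both sample snapshots are constructed for illustration, and only the `filter` table is examined because `mangle` has its own FORWARD chain.

```shell
#!/bin/sh
# Added example (not from the thread): detect the filter-table FORWARD
# policy flipping from ACCEPT to DROP between two iptables-save snapshots.

# Constructed sample: a host before the docker daemon has been started.
SAMPLE_BEFORE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: the same host after "systemctl start docker".
# The mangle table is included to show why the parser tracks tables.
SAMPLE_AFTER='*mangle
:FORWARD ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
COMMIT'

# forward_policy: read iptables-save text on stdin and print the policy of
# the FORWARD chain in the filter table. Returns 1 if it is not present.
forward_policy() {
    awk '
        /^\*/ { table = substr($1, 2) }   # "*filter" -> "filter"
        table == "filter" && $1 == ":FORWARD" { print $2; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# policy_flipped BEFORE AFTER: succeed only when the filter FORWARD policy
# was ACCEPT in BEFORE and is DROP in AFTER. Returns 2 on unparsable input.
policy_flipped() {
    before=$(printf '%s\n' "$1" | forward_policy) || return 2
    after=$(printf '%s\n' "$2" | forward_policy) || return 2
    [ "$before" = "ACCEPT" ] && [ "$after" = "DROP" ]
}

if policy_flipped "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; then
    echo "filter FORWARD policy changed: ACCEPT -> DROP"
fi
```

On a live host, `iptables-save | forward_policy` (as root) gives the current value to snapshot before and after starting the daemon.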
