[Bug 1053231] Docker blocks dhcpd IPv4 addresses for KVM
http://bugzilla.suse.com/show_bug.cgi?id=1053231
http://bugzilla.suse.com/show_bug.cgi?id=1053231#c17

Valentin Rothberg <vrothberg@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|CONFIRMED                   |RESOLVED
     Resolution|---                         |FEATURE

--- Comment #17 from Valentin Rothberg <vrothberg@suse.com> ---
(In reply to Rossella Sblendido from comment #15)
> Docker 1.3 is adding the DROP rule for the FORWARD chain when
> net.ipv4.ip_forward is disabled [1]. This makes sense to me because if docker
> enables the ip forwarding, it should "protect" the host at least, otherwise it
> would expose the host to vulnerabilities [2]. I don't think we need to prevent
> docker from adding the DROP rule if ip forwarding was not enabled, maybe we
> should just document to enable net.ipv4.ip_forward if that's what the user
> wants to do?
>
> [1] https://github.com/docker/libnetwork/pull/1526
> [2] https://github.com/moby/moby/issues/14041

I agree with Rossella. To summarize:

- By default, the Docker daemon will change the FORWARD chain to be dropped.
  This default makes sense from a security point of view.
- To pro-actively prevent that from happening, the `--iptables=false` option
  can be used. This is already mentioned in the official Docs at
  https://docs.docker.com/network/iptables/#prevent-docker-from-manipulating-i....
- To change the situation after the fact, the FORWARD chain can be set via
  `iptables -P FORWARD ACCEPT`.

My conclusion is that, although the issue can be annoying in specific setups,
it is a sane default, which can be changed via the official `--iptables=false`
daemon flag. Therefore, I am closing the bug. Feel free to re-open if you feel
differently.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
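The check below is an added example, not part of the bug report and not code from Docker or libvirt. It audits the situation the thread describes: parses the output of `iptables -S FORWARD` together with the value of net.ipv4.ip_forward and reports whether bridged guest traffic will be dropped by Docker's DROP policy. Instead of flipping the whole chain to ACCEPT (which turns the host back into a general forwarder), it prints per-interface ACCEPT rules that keep the DROP default in place. The bridge name virbr0 (libvirt's default NAT bridge) and the sample rule listings are assumptions constructed for the demo; run it against the live host as root with the call shown in the comment.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the FORWARD chain for a
# KVM/libvirt bridge on a host where dockerd manages iptables.

# forward_policy RULES -> prints the chain's default policy (DROP or ACCEPT)
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3 }'
}

# bridge_accepted RULES IFACE -> exit 0 if some FORWARD rule matching IFACE
# as in- or out-interface jumps to ACCEPT, exit 1 otherwise
bridge_accepted() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "-A" && $2 == "FORWARD" {
            accept = 0; hit = 0
            for (i = 3; i <= NF; i++) {
                if (($i == "-i" || $i == "-o") && $(i + 1) == ifc) hit = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (hit && accept) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# verdict RULES IP_FORWARD IFACE -> one of: ok, no_ip_forward, dropped_by_policy
verdict() {
    rules=$1; ipfwd=$2; ifc=$3
    if [ "$ipfwd" != "1" ]; then
        echo no_ip_forward; return
    fi
    if [ "$(forward_policy "$rules")" = "DROP" ] && ! bridge_accepted "$rules" "$ifc"; then
        echo dropped_by_policy; return
    fi
    echo ok
}

# narrow_fix IFACE -> the targeted rules that let IFACE traffic through while
# leaving Docker's DROP default policy untouched (assumed remedy, not Docker's)
narrow_fix() {
    cat <<EOF
iptables -I FORWARD -i $1 -j ACCEPT
iptables -I FORWARD -o $1 -j ACCEPT
EOF
}

# Constructed sample: abbreviated shape of `iptables -S FORWARD` after dockerd
# starts with its default iptables handling (not a capture from a real host).
SAMPLE_DOCKER='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT'

# Constructed sample: same host after the targeted virbr0 rules were inserted.
SAMPLE_FIXED="-P FORWARD DROP
-A FORWARD -o virbr0 -j ACCEPT
-A FORWARD -i virbr0 -j ACCEPT
$(printf '%s\n' "$SAMPLE_DOCKER" | sed 1d)"

# Live use (needs root):
#   verdict "$(iptables -S FORWARD)" "$(sysctl -n net.ipv4.ip_forward)" virbr0
if [ "${1:-}" = "demo" ]; then
    echo "docker only: $(verdict "$SAMPLE_DOCKER" 1 virbr0)"
    echo "with rules : $(verdict "$SAMPLE_FIXED" 1 virbr0)"
    narrow_fix virbr0
fi
```

`sh audit.sh demo` reports `dropped_by_policy` for the Docker-only listing and `ok` once the per-bridge rules are present. The per-interface rules are the narrower alternative to `iptables -P FORWARD ACCEPT`: they restore the guests' path without re-exposing the host as a forwarder for every other interface.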