| Summary: | double firewall | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | Michal Suchanek <msuchanek> |
| Component: | Security | Assignee: | Aleksa Sarai <asarai> |
| Status: | NEW --- | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | ||
| Version: | Leap 15.5 | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
The iptables rules seem to be injected by docker itself; the nftables ones come from firewalld. Docker has code to use firewalld when it is present, so it should be doing that here instead of programming iptables directly.
The firewall is configured in both iptables and nftables. This is redundant: both rule sets are evaluated, so every packet has to pass both and a drop in either one wins. Pick one. # iptables-save # Generated by iptables-save v1.8.7 on Sun Nov 5 14:30:42 2023 *nat :PREROUTING ACCEPT [217231:48706812] :INPUT ACCEPT [1:48] :OUTPUT ACCEPT [814131:93972345] :POSTROUTING ACCEPT [814119:93971380] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE -A DOCKER -i docker0 -j RETURN COMMIT # Completed on Sun Nov 5 14:30:42 2023 # Generated by iptables-save v1.8.7 on Sun Nov 5 14:30:42 2023 *filter :INPUT ACCEPT [25468857:40620632003] :FORWARD DROP [0:0] :OUTPUT ACCEPT [18681314:3846987776] :DOCKER - [0:0] :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [0:0] :DOCKER-USER - [0:0] -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker0 -j DOCKER -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER -j RETURN COMMIT # Completed on Sun Nov 5 14:30:42 2023 # nft list ruleset table inet firewalld { chain raw_PREROUTING { type filter hook prerouting priority raw + 10; policy accept; icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept meta nfproto ipv6 fib saddr . 
iif oif missing drop } chain mangle_PREROUTING { type filter hook prerouting priority mangle + 10; policy accept; jump mangle_PREROUTING_POLICIES_pre jump mangle_PREROUTING_ZONES jump mangle_PREROUTING_POLICIES_post } chain mangle_PREROUTING_POLICIES_pre { jump mangle_PRE_policy_allow-host-ipv6 } chain mangle_PREROUTING_ZONES { iifname "wlan0" goto mangle_PRE_public iifname "docker0" goto mangle_PRE_docker iifname "eth0" goto mangle_PRE_public goto mangle_PRE_public } chain mangle_PREROUTING_POLICIES_post { } chain filter_INPUT { type filter hook input priority filter + 10; policy accept; ct state { established, related } accept ct status dnat accept iifname "lo" accept jump filter_INPUT_POLICIES_pre jump filter_INPUT_ZONES jump filter_INPUT_POLICIES_post ct state { invalid } drop reject with icmpx type admin-prohibited } chain filter_FORWARD { type filter hook forward priority filter + 10; policy accept; ct state { established, related } accept ct status dnat accept iifname "lo" accept ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable jump filter_FORWARD_POLICIES_pre jump filter_FORWARD_IN_ZONES jump filter_FORWARD_OUT_ZONES jump filter_FORWARD_POLICIES_post ct state { invalid } drop reject with icmpx type admin-prohibited } chain filter_OUTPUT { type filter hook output priority filter + 10; policy accept; oifname "lo" accept ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable jump filter_OUTPUT_POLICIES_pre jump filter_OUTPUT_POLICIES_post } chain filter_INPUT_POLICIES_pre { jump filter_IN_policy_allow-host-ipv6 } chain filter_INPUT_ZONES { iifname "wlan0" goto filter_IN_public iifname "docker0" goto filter_IN_docker iifname "eth0" goto filter_IN_public goto filter_IN_public } chain 
filter_INPUT_POLICIES_post { } chain filter_FORWARD_POLICIES_pre { } chain filter_FORWARD_IN_ZONES { iifname "wlan0" goto filter_FWDI_public iifname "docker0" goto filter_FWDI_docker iifname "eth0" goto filter_FWDI_public goto filter_FWDI_public } chain filter_FORWARD_OUT_ZONES { oifname "wlan0" goto filter_FWDO_public oifname "docker0" goto filter_FWDO_docker oifname "eth0" goto filter_FWDO_public goto filter_FWDO_public } chain filter_FORWARD_POLICIES_post { } chain filter_OUTPUT_POLICIES_pre { } chain filter_OUTPUT_POLICIES_post { } chain filter_IN_docker { jump filter_IN_docker_pre jump filter_IN_docker_log jump filter_IN_docker_deny jump filter_IN_docker_allow jump filter_IN_docker_post accept } chain filter_IN_docker_pre { } chain filter_IN_docker_log { } chain filter_IN_docker_deny { } chain filter_IN_docker_allow { } chain filter_IN_docker_post { } chain filter_FWDO_docker { jump filter_FWDO_docker_pre jump filter_FWDO_docker_log jump filter_FWDO_docker_deny jump filter_FWDO_docker_allow jump filter_FWDO_docker_post accept } chain filter_FWDO_docker_pre { } chain filter_FWDO_docker_log { } chain filter_FWDO_docker_deny { } chain filter_FWDO_docker_allow { } chain filter_FWDO_docker_post { } chain filter_FWDI_docker { jump filter_FWDI_docker_pre jump filter_FWDI_docker_log jump filter_FWDI_docker_deny jump filter_FWDI_docker_allow jump filter_FWDI_docker_post accept } chain filter_FWDI_docker_pre { } chain filter_FWDI_docker_log { } chain filter_FWDI_docker_deny { } chain filter_FWDI_docker_allow { } chain filter_FWDI_docker_post { } chain mangle_PRE_docker { jump mangle_PRE_docker_pre jump mangle_PRE_docker_log jump mangle_PRE_docker_deny jump mangle_PRE_docker_allow jump mangle_PRE_docker_post } chain mangle_PRE_docker_pre { } chain mangle_PRE_docker_log { } chain mangle_PRE_docker_deny { } chain mangle_PRE_docker_allow { } chain mangle_PRE_docker_post { } chain filter_IN_public { jump filter_IN_public_pre jump filter_IN_public_log jump 
filter_IN_public_deny jump filter_IN_public_allow jump filter_IN_public_post meta l4proto { icmp, ipv6-icmp } accept } chain filter_IN_public_pre { } chain filter_IN_public_log { } chain filter_IN_public_deny { } chain filter_IN_public_allow { tcp dport 22 ct state { new, untracked } accept ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept } chain filter_IN_public_post { } chain filter_FWDO_public { jump filter_FWDO_public_pre jump filter_FWDO_public_log jump filter_FWDO_public_deny jump filter_FWDO_public_allow jump filter_FWDO_public_post } chain filter_FWDO_public_pre { } chain filter_FWDO_public_log { } chain filter_FWDO_public_deny { } chain filter_FWDO_public_allow { } chain filter_FWDO_public_post { } chain filter_FWDI_public { jump filter_FWDI_public_pre jump filter_FWDI_public_log jump filter_FWDI_public_deny jump filter_FWDI_public_allow jump filter_FWDI_public_post meta l4proto { icmp, ipv6-icmp } accept } chain filter_FWDI_public_pre { } chain filter_FWDI_public_log { } chain filter_FWDI_public_deny { } chain filter_FWDI_public_allow { } chain filter_FWDI_public_post { } chain mangle_PRE_public { jump mangle_PRE_public_pre jump mangle_PRE_public_log jump mangle_PRE_public_deny jump mangle_PRE_public_allow jump mangle_PRE_public_post } chain mangle_PRE_public_pre { } chain mangle_PRE_public_log { } chain mangle_PRE_public_deny { } chain mangle_PRE_public_allow { } chain mangle_PRE_public_post { } chain filter_IN_policy_allow-host-ipv6 { jump filter_IN_policy_allow-host-ipv6_pre jump filter_IN_policy_allow-host-ipv6_log jump filter_IN_policy_allow-host-ipv6_deny jump filter_IN_policy_allow-host-ipv6_allow jump filter_IN_policy_allow-host-ipv6_post } chain filter_IN_policy_allow-host-ipv6_pre { } chain filter_IN_policy_allow-host-ipv6_log { } chain filter_IN_policy_allow-host-ipv6_deny { } chain filter_IN_policy_allow-host-ipv6_allow { icmpv6 type nd-neighbor-advert accept icmpv6 type nd-neighbor-solicit accept icmpv6 type 
nd-router-advert accept icmpv6 type nd-redirect accept } chain filter_IN_policy_allow-host-ipv6_post { } chain mangle_PRE_policy_allow-host-ipv6 { jump mangle_PRE_policy_allow-host-ipv6_pre jump mangle_PRE_policy_allow-host-ipv6_log jump mangle_PRE_policy_allow-host-ipv6_deny jump mangle_PRE_policy_allow-host-ipv6_allow jump mangle_PRE_policy_allow-host-ipv6_post } chain mangle_PRE_policy_allow-host-ipv6_pre { } chain mangle_PRE_policy_allow-host-ipv6_log { } chain mangle_PRE_policy_allow-host-ipv6_deny { } chain mangle_PRE_policy_allow-host-ipv6_allow { } chain mangle_PRE_policy_allow-host-ipv6_post { } } table ip firewalld { chain nat_PREROUTING { type nat hook prerouting priority dstnat + 10; policy accept; jump nat_PREROUTING_POLICIES_pre jump nat_PREROUTING_ZONES jump nat_PREROUTING_POLICIES_post } chain nat_PREROUTING_POLICIES_pre { jump nat_PRE_policy_allow-host-ipv6 } chain nat_PREROUTING_ZONES { iifname "wlan0" goto nat_PRE_public iifname "docker0" goto nat_PRE_docker iifname "eth0" goto nat_PRE_public goto nat_PRE_public } chain nat_PREROUTING_POLICIES_post { } chain nat_POSTROUTING { type nat hook postrouting priority srcnat + 10; policy accept; jump nat_POSTROUTING_POLICIES_pre jump nat_POSTROUTING_ZONES jump nat_POSTROUTING_POLICIES_post } chain nat_POSTROUTING_POLICIES_pre { } chain nat_POSTROUTING_ZONES { oifname "wlan0" goto nat_POST_public oifname "docker0" goto nat_POST_docker oifname "eth0" goto nat_POST_public goto nat_POST_public } chain nat_POSTROUTING_POLICIES_post { } chain nat_POST_docker { jump nat_POST_docker_pre jump nat_POST_docker_log jump nat_POST_docker_deny jump nat_POST_docker_allow jump nat_POST_docker_post } chain nat_POST_docker_pre { } chain nat_POST_docker_log { } chain nat_POST_docker_deny { } chain nat_POST_docker_allow { } chain nat_POST_docker_post { } chain nat_PRE_docker { jump nat_PRE_docker_pre jump nat_PRE_docker_log jump nat_PRE_docker_deny jump nat_PRE_docker_allow jump nat_PRE_docker_post } chain nat_PRE_docker_pre 
{ } chain nat_PRE_docker_log { } chain nat_PRE_docker_deny { } chain nat_PRE_docker_allow { } chain nat_PRE_docker_post { } chain nat_POST_public { jump nat_POST_public_pre jump nat_POST_public_log jump nat_POST_public_deny jump nat_POST_public_allow jump nat_POST_public_post } chain nat_POST_public_pre { } chain nat_POST_public_log { } chain nat_POST_public_deny { } chain nat_POST_public_allow { } chain nat_POST_public_post { } chain nat_PRE_public { jump nat_PRE_public_pre jump nat_PRE_public_log jump nat_PRE_public_deny jump nat_PRE_public_allow jump nat_PRE_public_post } chain nat_PRE_public_pre { } chain nat_PRE_public_log { } chain nat_PRE_public_deny { } chain nat_PRE_public_allow { } chain nat_PRE_public_post { } chain nat_PRE_policy_allow-host-ipv6 { jump nat_PRE_policy_allow-host-ipv6_pre jump nat_PRE_policy_allow-host-ipv6_log jump nat_PRE_policy_allow-host-ipv6_deny jump nat_PRE_policy_allow-host-ipv6_allow jump nat_PRE_policy_allow-host-ipv6_post } chain nat_PRE_policy_allow-host-ipv6_pre { } chain nat_PRE_policy_allow-host-ipv6_log { } chain nat_PRE_policy_allow-host-ipv6_deny { } chain nat_PRE_policy_allow-host-ipv6_allow { } chain nat_PRE_policy_allow-host-ipv6_post { } } table ip6 firewalld { chain nat_PREROUTING { type nat hook prerouting priority dstnat + 10; policy accept; jump nat_PREROUTING_POLICIES_pre jump nat_PREROUTING_ZONES jump nat_PREROUTING_POLICIES_post } chain nat_PREROUTING_POLICIES_pre { jump nat_PRE_policy_allow-host-ipv6 } chain nat_PREROUTING_ZONES { iifname "wlan0" goto nat_PRE_public iifname "docker0" goto nat_PRE_docker iifname "eth0" goto nat_PRE_public goto nat_PRE_public } chain nat_PREROUTING_POLICIES_post { } chain nat_POSTROUTING { type nat hook postrouting priority srcnat + 10; policy accept; jump nat_POSTROUTING_POLICIES_pre jump nat_POSTROUTING_ZONES jump nat_POSTROUTING_POLICIES_post } chain nat_POSTROUTING_POLICIES_pre { } chain nat_POSTROUTING_ZONES { oifname "wlan0" goto nat_POST_public oifname "docker0" goto 
nat_POST_docker oifname "eth0" goto nat_POST_public goto nat_POST_public } chain nat_POSTROUTING_POLICIES_post { } chain nat_POST_docker { jump nat_POST_docker_pre jump nat_POST_docker_log jump nat_POST_docker_deny jump nat_POST_docker_allow jump nat_POST_docker_post } chain nat_POST_docker_pre { } chain nat_POST_docker_log { } chain nat_POST_docker_deny { } chain nat_POST_docker_allow { } chain nat_POST_docker_post { } chain nat_PRE_docker { jump nat_PRE_docker_pre jump nat_PRE_docker_log jump nat_PRE_docker_deny jump nat_PRE_docker_allow jump nat_PRE_docker_post } chain nat_PRE_docker_pre { } chain nat_PRE_docker_log { } chain nat_PRE_docker_deny { } chain nat_PRE_docker_allow { } chain nat_PRE_docker_post { } chain nat_POST_public { jump nat_POST_public_pre jump nat_POST_public_log jump nat_POST_public_deny jump nat_POST_public_allow jump nat_POST_public_post } chain nat_POST_public_pre { } chain nat_POST_public_log { } chain nat_POST_public_deny { } chain nat_POST_public_allow { } chain nat_POST_public_post { } chain nat_PRE_public { jump nat_PRE_public_pre jump nat_PRE_public_log jump nat_PRE_public_deny jump nat_PRE_public_allow jump nat_PRE_public_post } chain nat_PRE_public_pre { } chain nat_PRE_public_log { } chain nat_PRE_public_deny { } chain nat_PRE_public_allow { } chain nat_PRE_public_post { } chain nat_PRE_policy_allow-host-ipv6 { jump nat_PRE_policy_allow-host-ipv6_pre jump nat_PRE_policy_allow-host-ipv6_log jump nat_PRE_policy_allow-host-ipv6_deny jump nat_PRE_policy_allow-host-ipv6_allow jump nat_PRE_policy_allow-host-ipv6_post } chain nat_PRE_policy_allow-host-ipv6_pre { } chain nat_PRE_policy_allow-host-ipv6_log { } chain nat_PRE_policy_allow-host-ipv6_deny { } chain nat_PRE_policy_allow-host-ipv6_allow { } chain nat_PRE_policy_allow-host-ipv6_post { } }