Bug 1216891 - double firewall
Summary: double firewall
Status: NEW
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.5
Hardware: Other Other
: P5 - None : Normal (vote)
Target Milestone: ---
Assignee: Aleksa Sarai
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-05 13:33 UTC by Michal Suchanek
Modified: 2023-11-13 11:57 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---



Description Michal Suchanek 2023-11-05 13:33:19 UTC
The firewall is configured in both iptables and nftables. This is redundant; pick one. Both rulesets as currently loaded are shown below.

# iptables-save 
# Generated by iptables-save v1.8.7 on Sun Nov  5 14:30:42 2023
*nat
:PREROUTING ACCEPT [217231:48706812]
:INPUT ACCEPT [1:48]
:OUTPUT ACCEPT [814131:93972345]
:POSTROUTING ACCEPT [814119:93971380]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Nov  5 14:30:42 2023
# Generated by iptables-save v1.8.7 on Sun Nov  5 14:30:42 2023
*filter
:INPUT ACCEPT [25468857:40620632003]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [18681314:3846987776]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Nov  5 14:30:42 2023
# nft list ruleset
table inet firewalld {
	chain raw_PREROUTING {
		type filter hook prerouting priority raw + 10; policy accept;
		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
		meta nfproto ipv6 fib saddr . iif oif missing drop
	}

	chain mangle_PREROUTING {
		type filter hook prerouting priority mangle + 10; policy accept;
		jump mangle_PREROUTING_POLICIES_pre
		jump mangle_PREROUTING_ZONES
		jump mangle_PREROUTING_POLICIES_post
	}

	chain mangle_PREROUTING_POLICIES_pre {
		jump mangle_PRE_policy_allow-host-ipv6
	}

	chain mangle_PREROUTING_ZONES {
		iifname "wlan0" goto mangle_PRE_public
		iifname "docker0" goto mangle_PRE_docker
		iifname "eth0" goto mangle_PRE_public
		goto mangle_PRE_public
	}

	chain mangle_PREROUTING_POLICIES_post {
	}

	chain filter_INPUT {
		type filter hook input priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		jump filter_INPUT_POLICIES_pre
		jump filter_INPUT_ZONES
		jump filter_INPUT_POLICIES_post
		ct state { invalid } drop
		reject with icmpx type admin-prohibited
	}

	chain filter_FORWARD {
		type filter hook forward priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
		jump filter_FORWARD_POLICIES_pre
		jump filter_FORWARD_IN_ZONES
		jump filter_FORWARD_OUT_ZONES
		jump filter_FORWARD_POLICIES_post
		ct state { invalid } drop
		reject with icmpx type admin-prohibited
	}

	chain filter_OUTPUT {
		type filter hook output priority filter + 10; policy accept;
		oifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
		jump filter_OUTPUT_POLICIES_pre
		jump filter_OUTPUT_POLICIES_post
	}

	chain filter_INPUT_POLICIES_pre {
		jump filter_IN_policy_allow-host-ipv6
	}

	chain filter_INPUT_ZONES {
		iifname "wlan0" goto filter_IN_public
		iifname "docker0" goto filter_IN_docker
		iifname "eth0" goto filter_IN_public
		goto filter_IN_public
	}

	chain filter_INPUT_POLICIES_post {
	}

	chain filter_FORWARD_POLICIES_pre {
	}

	chain filter_FORWARD_IN_ZONES {
		iifname "wlan0" goto filter_FWDI_public
		iifname "docker0" goto filter_FWDI_docker
		iifname "eth0" goto filter_FWDI_public
		goto filter_FWDI_public
	}

	chain filter_FORWARD_OUT_ZONES {
		oifname "wlan0" goto filter_FWDO_public
		oifname "docker0" goto filter_FWDO_docker
		oifname "eth0" goto filter_FWDO_public
		goto filter_FWDO_public
	}

	chain filter_FORWARD_POLICIES_post {
	}

	chain filter_OUTPUT_POLICIES_pre {
	}

	chain filter_OUTPUT_POLICIES_post {
	}

	chain filter_IN_docker {
		jump filter_IN_docker_pre
		jump filter_IN_docker_log
		jump filter_IN_docker_deny
		jump filter_IN_docker_allow
		jump filter_IN_docker_post
		accept
	}

	chain filter_IN_docker_pre {
	}

	chain filter_IN_docker_log {
	}

	chain filter_IN_docker_deny {
	}

	chain filter_IN_docker_allow {
	}

	chain filter_IN_docker_post {
	}

	chain filter_FWDO_docker {
		jump filter_FWDO_docker_pre
		jump filter_FWDO_docker_log
		jump filter_FWDO_docker_deny
		jump filter_FWDO_docker_allow
		jump filter_FWDO_docker_post
		accept
	}

	chain filter_FWDO_docker_pre {
	}

	chain filter_FWDO_docker_log {
	}

	chain filter_FWDO_docker_deny {
	}

	chain filter_FWDO_docker_allow {
	}

	chain filter_FWDO_docker_post {
	}

	chain filter_FWDI_docker {
		jump filter_FWDI_docker_pre
		jump filter_FWDI_docker_log
		jump filter_FWDI_docker_deny
		jump filter_FWDI_docker_allow
		jump filter_FWDI_docker_post
		accept
	}

	chain filter_FWDI_docker_pre {
	}

	chain filter_FWDI_docker_log {
	}

	chain filter_FWDI_docker_deny {
	}

	chain filter_FWDI_docker_allow {
	}

	chain filter_FWDI_docker_post {
	}

	chain mangle_PRE_docker {
		jump mangle_PRE_docker_pre
		jump mangle_PRE_docker_log
		jump mangle_PRE_docker_deny
		jump mangle_PRE_docker_allow
		jump mangle_PRE_docker_post
	}

	chain mangle_PRE_docker_pre {
	}

	chain mangle_PRE_docker_log {
	}

	chain mangle_PRE_docker_deny {
	}

	chain mangle_PRE_docker_allow {
	}

	chain mangle_PRE_docker_post {
	}

	chain filter_IN_public {
		jump filter_IN_public_pre
		jump filter_IN_public_log
		jump filter_IN_public_deny
		jump filter_IN_public_allow
		jump filter_IN_public_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_public_pre {
	}

	chain filter_IN_public_log {
	}

	chain filter_IN_public_deny {
	}

	chain filter_IN_public_allow {
		tcp dport 22 ct state { new, untracked } accept
		ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
	}

	chain filter_IN_public_post {
	}

	chain filter_FWDO_public {
		jump filter_FWDO_public_pre
		jump filter_FWDO_public_log
		jump filter_FWDO_public_deny
		jump filter_FWDO_public_allow
		jump filter_FWDO_public_post
	}

	chain filter_FWDO_public_pre {
	}

	chain filter_FWDO_public_log {
	}

	chain filter_FWDO_public_deny {
	}

	chain filter_FWDO_public_allow {
	}

	chain filter_FWDO_public_post {
	}

	chain filter_FWDI_public {
		jump filter_FWDI_public_pre
		jump filter_FWDI_public_log
		jump filter_FWDI_public_deny
		jump filter_FWDI_public_allow
		jump filter_FWDI_public_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_FWDI_public_pre {
	}

	chain filter_FWDI_public_log {
	}

	chain filter_FWDI_public_deny {
	}

	chain filter_FWDI_public_allow {
	}

	chain filter_FWDI_public_post {
	}

	chain mangle_PRE_public {
		jump mangle_PRE_public_pre
		jump mangle_PRE_public_log
		jump mangle_PRE_public_deny
		jump mangle_PRE_public_allow
		jump mangle_PRE_public_post
	}

	chain mangle_PRE_public_pre {
	}

	chain mangle_PRE_public_log {
	}

	chain mangle_PRE_public_deny {
	}

	chain mangle_PRE_public_allow {
	}

	chain mangle_PRE_public_post {
	}

	chain filter_IN_policy_allow-host-ipv6 {
		jump filter_IN_policy_allow-host-ipv6_pre
		jump filter_IN_policy_allow-host-ipv6_log
		jump filter_IN_policy_allow-host-ipv6_deny
		jump filter_IN_policy_allow-host-ipv6_allow
		jump filter_IN_policy_allow-host-ipv6_post
	}

	chain filter_IN_policy_allow-host-ipv6_pre {
	}

	chain filter_IN_policy_allow-host-ipv6_log {
	}

	chain filter_IN_policy_allow-host-ipv6_deny {
	}

	chain filter_IN_policy_allow-host-ipv6_allow {
		icmpv6 type nd-neighbor-advert accept
		icmpv6 type nd-neighbor-solicit accept
		icmpv6 type nd-router-advert accept
		icmpv6 type nd-redirect accept
	}

	chain filter_IN_policy_allow-host-ipv6_post {
	}

	chain mangle_PRE_policy_allow-host-ipv6 {
		jump mangle_PRE_policy_allow-host-ipv6_pre
		jump mangle_PRE_policy_allow-host-ipv6_log
		jump mangle_PRE_policy_allow-host-ipv6_deny
		jump mangle_PRE_policy_allow-host-ipv6_allow
		jump mangle_PRE_policy_allow-host-ipv6_post
	}

	chain mangle_PRE_policy_allow-host-ipv6_pre {
	}

	chain mangle_PRE_policy_allow-host-ipv6_log {
	}

	chain mangle_PRE_policy_allow-host-ipv6_deny {
	}

	chain mangle_PRE_policy_allow-host-ipv6_allow {
	}

	chain mangle_PRE_policy_allow-host-ipv6_post {
	}
}
table ip firewalld {
	chain nat_PREROUTING {
		type nat hook prerouting priority dstnat + 10; policy accept;
		jump nat_PREROUTING_POLICIES_pre
		jump nat_PREROUTING_ZONES
		jump nat_PREROUTING_POLICIES_post
	}

	chain nat_PREROUTING_POLICIES_pre {
		jump nat_PRE_policy_allow-host-ipv6
	}

	chain nat_PREROUTING_ZONES {
		iifname "wlan0" goto nat_PRE_public
		iifname "docker0" goto nat_PRE_docker
		iifname "eth0" goto nat_PRE_public
		goto nat_PRE_public
	}

	chain nat_PREROUTING_POLICIES_post {
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority srcnat + 10; policy accept;
		jump nat_POSTROUTING_POLICIES_pre
		jump nat_POSTROUTING_ZONES
		jump nat_POSTROUTING_POLICIES_post
	}

	chain nat_POSTROUTING_POLICIES_pre {
	}

	chain nat_POSTROUTING_ZONES {
		oifname "wlan0" goto nat_POST_public
		oifname "docker0" goto nat_POST_docker
		oifname "eth0" goto nat_POST_public
		goto nat_POST_public
	}

	chain nat_POSTROUTING_POLICIES_post {
	}

	chain nat_POST_docker {
		jump nat_POST_docker_pre
		jump nat_POST_docker_log
		jump nat_POST_docker_deny
		jump nat_POST_docker_allow
		jump nat_POST_docker_post
	}

	chain nat_POST_docker_pre {
	}

	chain nat_POST_docker_log {
	}

	chain nat_POST_docker_deny {
	}

	chain nat_POST_docker_allow {
	}

	chain nat_POST_docker_post {
	}

	chain nat_PRE_docker {
		jump nat_PRE_docker_pre
		jump nat_PRE_docker_log
		jump nat_PRE_docker_deny
		jump nat_PRE_docker_allow
		jump nat_PRE_docker_post
	}

	chain nat_PRE_docker_pre {
	}

	chain nat_PRE_docker_log {
	}

	chain nat_PRE_docker_deny {
	}

	chain nat_PRE_docker_allow {
	}

	chain nat_PRE_docker_post {
	}

	chain nat_POST_public {
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
	}

	chain nat_POST_public_pre {
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}

	chain nat_POST_public_post {
	}

	chain nat_PRE_public {
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
	}

	chain nat_PRE_public_pre {
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_PRE_public_post {
	}

	chain nat_PRE_policy_allow-host-ipv6 {
		jump nat_PRE_policy_allow-host-ipv6_pre
		jump nat_PRE_policy_allow-host-ipv6_log
		jump nat_PRE_policy_allow-host-ipv6_deny
		jump nat_PRE_policy_allow-host-ipv6_allow
		jump nat_PRE_policy_allow-host-ipv6_post
	}

	chain nat_PRE_policy_allow-host-ipv6_pre {
	}

	chain nat_PRE_policy_allow-host-ipv6_log {
	}

	chain nat_PRE_policy_allow-host-ipv6_deny {
	}

	chain nat_PRE_policy_allow-host-ipv6_allow {
	}

	chain nat_PRE_policy_allow-host-ipv6_post {
	}
}
table ip6 firewalld {
	chain nat_PREROUTING {
		type nat hook prerouting priority dstnat + 10; policy accept;
		jump nat_PREROUTING_POLICIES_pre
		jump nat_PREROUTING_ZONES
		jump nat_PREROUTING_POLICIES_post
	}

	chain nat_PREROUTING_POLICIES_pre {
		jump nat_PRE_policy_allow-host-ipv6
	}

	chain nat_PREROUTING_ZONES {
		iifname "wlan0" goto nat_PRE_public
		iifname "docker0" goto nat_PRE_docker
		iifname "eth0" goto nat_PRE_public
		goto nat_PRE_public
	}

	chain nat_PREROUTING_POLICIES_post {
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority srcnat + 10; policy accept;
		jump nat_POSTROUTING_POLICIES_pre
		jump nat_POSTROUTING_ZONES
		jump nat_POSTROUTING_POLICIES_post
	}

	chain nat_POSTROUTING_POLICIES_pre {
	}

	chain nat_POSTROUTING_ZONES {
		oifname "wlan0" goto nat_POST_public
		oifname "docker0" goto nat_POST_docker
		oifname "eth0" goto nat_POST_public
		goto nat_POST_public
	}

	chain nat_POSTROUTING_POLICIES_post {
	}

	chain nat_POST_docker {
		jump nat_POST_docker_pre
		jump nat_POST_docker_log
		jump nat_POST_docker_deny
		jump nat_POST_docker_allow
		jump nat_POST_docker_post
	}

	chain nat_POST_docker_pre {
	}

	chain nat_POST_docker_log {
	}

	chain nat_POST_docker_deny {
	}

	chain nat_POST_docker_allow {
	}

	chain nat_POST_docker_post {
	}

	chain nat_PRE_docker {
		jump nat_PRE_docker_pre
		jump nat_PRE_docker_log
		jump nat_PRE_docker_deny
		jump nat_PRE_docker_allow
		jump nat_PRE_docker_post
	}

	chain nat_PRE_docker_pre {
	}

	chain nat_PRE_docker_log {
	}

	chain nat_PRE_docker_deny {
	}

	chain nat_PRE_docker_allow {
	}

	chain nat_PRE_docker_post {
	}

	chain nat_POST_public {
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
	}

	chain nat_POST_public_pre {
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}

	chain nat_POST_public_post {
	}

	chain nat_PRE_public {
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
	}

	chain nat_PRE_public_pre {
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_PRE_public_post {
	}

	chain nat_PRE_policy_allow-host-ipv6 {
		jump nat_PRE_policy_allow-host-ipv6_pre
		jump nat_PRE_policy_allow-host-ipv6_log
		jump nat_PRE_policy_allow-host-ipv6_deny
		jump nat_PRE_policy_allow-host-ipv6_allow
		jump nat_PRE_policy_allow-host-ipv6_post
	}

	chain nat_PRE_policy_allow-host-ipv6_pre {
	}

	chain nat_PRE_policy_allow-host-ipv6_log {
	}

	chain nat_PRE_policy_allow-host-ipv6_deny {
	}

	chain nat_PRE_policy_allow-host-ipv6_allow {
	}

	chain nat_PRE_policy_allow-host-ipv6_post {
	}
}
Comment 1 Marcus Meissner 2023-11-13 11:57:35 UTC
The iptables rules seem to be injected by Docker itself (they consist only of the DOCKER* chains and docker0 rules shown above).

The nftables ones come from firewalld.


Docker has code to use firewalld when it is present, so it should be doing that here instead of programming iptables directly.