docker-proxy accepts connections before NAT rules are set up #47951
Labels
area/networking/portmapping
area/networking
kind/bug
status/0-triage
Description
Tracking review comment #47871 (comment)

#47871 means the `docker-proxy` process is started before NAT rules are set up. That ensures the daemon doesn't trample iptables rules for a port that's already in-use by some other process, but it leaves a window in which `docker-proxy` may accept connections that it would not see once the NAT rules are in place. Those connections will be doomed, and eventually reset.

From discussion in today's networking maintainers call (@corhere, @akerouanton) - the plan is to bind the socket in the daemon, to make sure it's reserved and available, set up the iptables rules, then pass the socket to a modified `docker-proxy` (which can start accepting connections straight away).

The `dummyProxy` can then be eliminated, because all it does is bind the socket.