docker_service_port_filters block outgoing connections

Summary

docker_service_port_filters block outgoing connections

Steps to reproduce

start container service with docker_service_port_filters on port 80 and 443

Expected behavior

access to container should be filtered
outgoing traffic should not be filtered

Actual behavior

outgoing traffic is filtered

Relevant logs and/or screenshots

N/A

Possible fixes

Add source interface to drop rules

iptables \
  --check DOCKER-USER \
    ! --input docker0 \
    --match mark \
      --mark 7 \
    --jump DROP \
||
  iptables \
    --insert DOCKER-USER \
      ! --input docker0 \
      --match mark \
        --mark 7 \
      --jump DROP

iptables \
  --check DOCKER-USER \
    ! --input br-+ \
    --match mark \
      --mark 7 \
    --jump DROP \
||
  iptables \
    --insert DOCKER-USER \
      ! --input br-+ \
      --match mark \
        --mark 7 \
      --jump DROP

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information