Docker service port filters drops packets from containers in the same network

Summary

Usage of docker_service_port_filter on one container results in drops of packets when trying to connect from another linked container in the same network.

Steps to reproduce

Create container/service with docker_service_port_filter.
Create another container with --link option.
Try to send packets from second to the first one.
Observe packet loss.

Expected behavior

Packets between containers in the same network should be sent with no problems.

Actual behavior

Packet are dropped by firewall.

Possible fixes

Change rules to drop anything from sources different than docker0 or br-*. Suggested modifications:

# Add drop to DOCKER-USER if not exist
iptables_ensure \
  filter \
  DOCKER-USER \
  insert \
    ! --in-interface docker0 \
    --out-interface docker0 \
    --match mark \
      --mark 7 \
    --jump DROP

iptables_ensure \
  filter \
  DOCKER-USER \
  insert \
    ! --in-interface br-+ \
    --out-interface br-+ \
    --match mark \
      --mark 7 \
    --jump DROP

Edited Jul 25, 2019 by Krzysztof Babiarz

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information