I'm pretty sure we'll find this name confusing some time in the future. Maybe isNATUnprotected would be more explicit?

Or maybe you can introduce a more generic method: func (n *bridgeNetwork) isGwMode(gwm gwMode) bool 🤔

Hmm, yes - I see your point! I think I had routed-unprotected in-mind (which doesn't exist, but might at some point) ... so, this method would return true for *-unprotected.

I'll change it to isGwModeUnprotected.

I think we need to make nat-unprotected the default for existing networks -- only new networks should use nat. At least, that's what it should be for Docker Desktop (and DD doesn't have a way to 'migrate' Docker objects during upgrades).

Noting our discussion here ...

Setting nat-unprotected for existing IPv4 networks would be right if the host had previously been running with the filter-FORWARD chain's policy set to ACCEPT ... which happens when sysctl ip_forward is enabled before the daemon starts.

But, when it's set to DROP, and for IPv6 - only published ports would be exposed. So, we'd silently be making things worse in many cases by defaulting to nat-unprotected.

So, the change to the default nat mode will break a few setups by blocking remote access to unpublished ports, and anyone who's relying on that will have to re-create their networks with the new mode - but, at least it's fail-safe, and this change will block remote access for users (possibly the majority) who hadn't realised those ports were open.

The reason we need an option to explicitly set this for IPv4/IPv6 is that we changed the default for IPv6 already (but not IPv4 for backward-compat), correct?

(Mostly trying to get my head around what's needed to make the overall experience more aligned in future, and possibly reduce some complexity in codepaths)

Defaults haven't changed ... in 27.0 (#47871) we introduced the IPv4 and IPv6 gateway mode options - nat became a new name for the old behaviour, and routed mode was added. The default is still nat for both IPv4 and IPv6.

For IPv4, NAT is normal, so you might want to publish ports to the host. For IPv6, direct routing is preferred and, if you have the routing set up in your network, you might want to disable NAT. So, they're configurable separately.

In 28.0, we're changing the default behaviour (nat mode) by blocking access to unpublished ports from other hosts on the same layer-2 network that have set up a route to the container network ("direct routing"). Previously, these ports were only blocked if the filter-FORWARD chain's default policy was DROP. But, docker only sets to DROP if it enables IP forwarding itself.

The old behaviour for a host with filter-FORWARD policy ACCEPT is used as a feature, so we're adding nat-unprotected as a way to restore the old nat behaviour.

It's possible to use nat-unprotected for IPv6, but its filter-FORWARD policy was always set to DROP when ip6tables was enabled - so the new restrictions in nat mode are less likely to be breaking changes.

Mostly curious; we have so much locking everywhere; do we have good insight what exactly is it synchronising? (was contemplating if it's purely n.config, and if we should have an accessor for that to return it 🤔

Yes, I think it's protecting concurrent access to n.config ... an accessor to fetch a copy of the whole of config might be better - but most of the locking is probably unnecessary because the config won't change once created.

But, when adding new accessors, I'm sticking with the scheme others us - it needs proper review and tidy-up and, for me, the cost of acquiring the mutex is outweighed by the risk of making it crashy by missing something!

Really nit-picky, but I had to look 2 levels deep to see the exact details;

• we need isGwModeUnprotected to select the gateway mode for either IPv4 or IPv6
• n.config.GwModeIPv6 / n.config.GwModeIPv4 are a gwMode, which is effectively a glorified string, but we started to dig in to adding gwMode.something() bool accessors, which just compare it

Wondering if it would make sense to have a n.gatewayMode(v iptables.IPVersion) gwMode method, which would allow comparing it where we need;

if n.gateWayMode(v) == gwModeNATUnprot {
  // ...
}

or for cases where there's multiple code-paths;

switch  n.gateWayMode(v) {
case gwModeNAT:
    // ....
case gwModeNATUnprot:
    // ...
}

If we end up adding a routed-unprotected mode, this code will want to know whether the mode is nat-unprotected or routed-unprotected ... it could explicitly check for the mode being any one of the ones it's interested in - but I think collecting the logic into one place is better. Less danger of missing-a-bit when things change. But, can change it if you like?

I've unwrapped it a bit ... now there's a bridgeNetwork.gwMode() that returns a gwMode, and the caller checks unprotected() themselves.

(Similarly, could replace getNATDisabled() with gwMode(), although it'd mean acquiring the mutex an extra time to get both modes.)

Related to my earlier pondering about locking; this takes a lock here (not really important, just .. thinking out loud I guess)

But interestingly (regarding my "locking" pondering); n.registerIptCleanFunc actually mutates state of the network and does not have any synchronisation.

Right - it's a mess ... but, not this PR's mess!

ugh; I see a bunch more further up, and this was probably existing code, but we really shouldn't use err.Error() for these, and either wrap the error (if we need to be able to access the wrapped one) or just format;

or (if we want to mask the underlying error)

I guess it was a copy and paste of an existing block - I'll change it.