
Restrict netfilter container to required capabilities instead of running as privileged container #7048

Open
mstilkerich wants to merge 1 commit into mailcow:staging from mstilkerich:netfilter-non-privileged

Conversation

@mstilkerich (Contributor) commented Feb 4, 2026

Contribution Guidelines

What does this PR include?

Short Description

This PR changes the configuration of the netfilter container to only run with the NET_ADMIN capability instead of as a privileged container (all capabilities). The only privileged operation performed by the container is manipulation of the iptables/nftables rulesets, which is possible with the NET_ADMIN capability (and using the host network stack, which is already the case).

Affected Containers

  • netfilter-mailcow

Did you run tests?

What did you test?

I ran the container and manually created and removed a ban by adding an IP address in the admin interface and later removing it again. After adding / removing I checked in the container logs until the change arrived at the container, then checked that the nftables ruleset was updated accordingly (rule was added/removed).

What were the final results? (Awaited, got)

The rule was added and later removed as expected. No errors show in the netfilter logs.

netfilter-mailcow-1  | 2026-02-04 17:06:31 INFO: Using NFTables backend
netfilter-mailcow-1  | 2026-02-04 17:06:31 INFO: Clearing all bans
netfilter-mailcow-1  | 2026-02-04 17:06:31 INFO: Initializing mailcow netfilter chain
netfilter-mailcow-1  | 2026-02-04 17:06:31 INFO: MAILCOW ip chain created successfully.
netfilter-mailcow-1  | 2026-02-04 17:06:31 INFO: MAILCOW ip6 chain created successfully.
netfilter-mailcow-1  | 2026-02-04 17:06:31 INFO: Setting MAILCOW isolation
netfilter-mailcow-1  | 2026-02-04 17:06:31 INFO: Watching Redis channel F2B_CHANNEL
netfilter-mailcow-1  | 2026-02-04 17:06:31 INFO: Allowlist was changed, it has 681 entries
netfilter-mailcow-1  | 2026-02-04 17:10:31 INFO: Denylist was changed, it has 1 entries
netfilter-mailcow-1  | 2026-02-04 17:10:31 CRIT: Added host/network 1.2.3.4 to denylist
netfilter-mailcow-1  | 2026-02-04 17:11:31 INFO: Denylist was changed, it has 0 entries
netfilter-mailcow-1  | 2026-02-04 17:11:31 CRIT: Removed host/network 1.2.3.4 from denylist

It only required NET_ADMIN capability in order to manipulate the
iptables/nftables rules.
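One check a reviewer would want alongside the manual ban test above is to confirm what the running container actually holds: inside the container, `grep Cap /proc/1/status` prints the capability bitmasks, and the script below decodes them and lists everything beyond NET_ADMIN. This is an added example, not part of this PR or of mailcow's code; capability bit numbers are the kernel's own (CAP_CHOWN = 0 through CAP_CHECKPOINT_RESTORE = 40), and the three sample status dumps are constructed to show a privileged container, a container with `cap_add: NET_ADMIN` on top of Docker's default set, and one that also uses `cap_drop: ALL`.

```python
"""Decode Linux capability bitmasks (as shown in /proc/<pid>/status) and
report which capabilities a container holds beyond the set it needs.

Added example for checking the effect of this PR; not part of mailcow.
Capability numbers follow the kernel's include/uapi/linux/capability.h.
The sample status lines are constructed, not captured from a real host.
"""

# Capability names indexed by their kernel bit number (CAP_CHOWN = 0, ...).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID",
    "KILL", "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE",
    "NET_BIND_SERVICE", "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK",
    "IPC_OWNER", "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE",
    "SYS_PACCT", "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE",
    "SYS_TIME", "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE",
    "AUDIT_CONTROL", "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG",
    "WAKE_ALARM", "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF",
    "CHECKPOINT_RESTORE",
]

# All the netfilter container needs according to the PR description.
REQUIRED = {"NET_ADMIN"}


def decode_cap_mask(hex_mask: str) -> set[str]:
    """Turn a hex bitmask such as '00000000a80435fb' into capability names.
    Bits the table does not know (newer kernels) are reported as CAP_<n>."""
    mask = int(hex_mask, 16)
    caps = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            caps.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return caps


def parse_proc_status(text: str) -> dict[str, set[str]]:
    """Extract and decode the Cap* lines (CapInh, CapPrm, CapEff, CapBnd, CapAmb)
    from a /proc/<pid>/status dump."""
    result = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            result[key.strip()] = decode_cap_mask(value.strip())
    return result


def excess_caps(held: set[str], required: set[str] = REQUIRED) -> list[str]:
    """Capabilities held but not required: the privilege the container could
    still drop. Sorted so the output is stable."""
    return sorted(held - required)


def audit(status_text: str, required: set[str] = REQUIRED) -> dict[str, list[str]]:
    """Per Cap* field, list what exceeds the required set. An empty list for
    CapEff and CapBnd means the container is down to exactly what it needs."""
    return {field: excess_caps(caps, required)
            for field, caps in parse_proc_status(status_text).items()}


# Constructed samples of 'grep Cap /proc/1/status' inside containers started
# three different ways (masks for a kernel with 41 capabilities, i.e. 5.9+).
STATUS_PRIVILEGED = (           # privileged: true -> every capability
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
)
STATUS_CAP_ADD_ONLY = (         # cap_add: [NET_ADMIN] on top of Docker's defaults
    "CapEff:\t00000000a80435fb\n"
    "CapBnd:\t00000000a80435fb\n"
)
STATUS_DROP_ALL_ADD_NET_ADMIN = (  # cap_drop: [ALL] plus cap_add: [NET_ADMIN]
    "CapEff:\t0000000000001000\n"
    "CapBnd:\t0000000000001000\n"
)

if __name__ == "__main__":
    for label, sample in [("privileged", STATUS_PRIVILEGED),
                          ("cap_add only", STATUS_CAP_ADD_ONLY),
                          ("drop ALL + NET_ADMIN", STATUS_DROP_ALL_ADD_NET_ADMIN)]:
        print(f"{label}: excess over {sorted(REQUIRED)} = {audit(sample)}")
    # On a Linux host this also audits the current process itself.
    try:
        with open("/proc/self/status") as fh:
            print("this process:", audit(fh.read()))
    except OSError:
        pass
```

The middle sample is the case worth remembering when reviewing a change like this one: `cap_add` on its own adds NET_ADMIN to Docker's default set (CHOWN, DAC_OVERRIDE, NET_RAW, SETUID, ... ) rather than replacing it, so the decoded CapEff still lists fourteen other capabilities. Only the combination of `cap_drop: ALL` and `cap_add: NET_ADMIN` yields a mask of exactly `0000000000001000`, which is what the audit reports as having no excess.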
@roelofz commented Feb 28, 2026

Great to address this issue, I also stumbled against it...
Hope it gets fixed soon!
