
Fix nftables comment quoting and add cgroup isolation toggle#65

Closed
sunkadshreyas wants to merge 1 commit into strongdm:main from sunkadshreyas:fix/docker-desktop-nftables-cgroup

Conversation

@sunkadshreyas

Summary

  • Fix nftables ensure_rule() comment quoting — colon in comment strings (e.g., leash:return-mitm) caused nft parser syntax errors, breaking all nftables rules
  • Fix nftables cgroup path quoting — unquoted / in socket cgroupv2 level 1 path caused nft parser error
  • Add LEASH_CGROUP_ISOLATION env var (default required, set optional for Docker Desktop) so leash can start without cgroup-based control plane isolation on kernels that lack xt_cgroup/nft socket cgroupv2 support
  • Add nftables package to Dockerfile.leash runtime-base so the preferred nftables code path is available

Test plan

  • Verified nftables rules apply successfully in a privileged Docker Desktop container with the comment quoting fix
  • Confirmed LEASH_CGROUP_ISOLATION=optional allows leash to start on Docker Desktop (LinuxKit kernel 6.10.14)
  • End-to-end test: quest pod with both coder and leash containers running, BPF LSM loaded, MITM proxy active, Cedar policy enforced

Fixes #64

🤖 Generated with Claude Code

Three bugs prevented leash from starting on Docker Desktop Kubernetes:

1. nftables comment quoting: Comments like "leash:return-mitm" weren't
   wrapped in nft-level quotes, causing all nftables rules to fail
   because ':' is a special token in nft's parser.

2. nftables cgroup path quoting: The cgroup hierarchy path passed to
   "socket cgroupv2 level 1" wasn't quoted, causing '/' to be parsed
   as a division operator.

3. Docker Desktop's LinuxKit kernel lacks xt_cgroup (iptables) and
   nft socket cgroupv2 support, making cgroup-based control plane
   isolation impossible on that platform.

Changes:
- Fix ensure_rule() comment quoting in apply-nftables.sh
- Fix cgroup path quoting in apply-nftables.sh
- Add LEASH_CGROUP_ISOLATION env var (default: "required") to all
  three scripts so callers can set "optional" for environments where
  the kernel lacks cgroup matching support
- Add nftables package to Dockerfile.leash runtime-base so the
  preferred nftables code path is available

Fixes strongdm#64

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
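Added example, not the project's apply-nftables.sh: a POSIX sh sketch of ensure_rule() with the two quoting fixes the summary and commit message describe (nft-level quotes around the colon-bearing comment and around the cgroup path), plus the LEASH_CGROUP_ISOLATION toggle with its "required" default. Everything except ensure_rule and LEASH_CGROUP_ISOLATION is assumed: the other function names, the table/chain "inet leash output", the sample cgroup path and the LEASH_NFT_CMD override.

```sh
#!/bin/sh
# Added example, not the project's apply-nftables.sh. Function names (except
# ensure_rule), "inet leash output", the cgroup path and LEASH_NFT_CMD are
# assumptions; LEASH_CGROUP_ISOLATION semantics follow the PR description.
set -eu
NFT="${LEASH_NFT_CMD:-nft}"  # override (e.g. "false") to simulate an unsupported kernel

# Build the rule text with the cgroup path and comment wrapped in nft-level
# double quotes. Unquoted, ':' in "leash:return-mitm" and '/' in the path are
# read by nft's parser as operators and every rule in the script fails.
leash_rule_expr() {
    _cgroup="$1"; _mark="$2"; _comment="$3"
    case "$_cgroup$_comment" in   # a stray quote would break out of the string
        *'"'*|*'\'*) echo "refusing quote/backslash in rule text" >&2; return 1 ;;
    esac
    printf 'socket cgroupv2 level 1 "%s" meta mark set 0x%x comment "%s"' \
        "$_cgroup" "$_mark" "$_comment"
}

# Idempotently add a rule: skip when a rule carrying the same comment already
# exists in the chain, otherwise append it. Returns nft's status on failure.
ensure_rule() {
    _table="$1"; _chain="$2"; _expr="$3"
    _tag="comment ${_expr##*comment }"
    if "$NFT" list chain inet "$_table" "$_chain" 2>/dev/null | grep -qF "$_tag"; then
        return 0
    fi
    "$NFT" add rule inet "$_table" "$_chain" "$_expr"
}

# LEASH_CGROUP_ISOLATION: "required" (default) aborts startup when the cgroup
# rule cannot be installed; "optional" logs a warning and continues without it.
cgroup_isolation_mode() {
    _mode="${LEASH_CGROUP_ISOLATION:-required}"
    case "$_mode" in
        required|optional) printf '%s' "$_mode" ;;
        *) echo "invalid LEASH_CGROUP_ISOLATION=$_mode" >&2; return 1 ;;
    esac
}

apply_cgroup_rule() {
    _expr="$(leash_rule_expr "$1" 1 leash:return-mitm)" || return 1
    ensure_rule leash output "$_expr" && return 0
    if [ "$(cgroup_isolation_mode)" = optional ]; then
        echo "warning: cgroup isolation unsupported by this kernel; continuing" >&2
        return 0
    fi
    echo "error: cgroup isolation required but unsupported by this kernel" >&2
    return 1
}
```

Run it as root with a real nft to install the rule; with LEASH_NFT_CMD=false it exercises the failure path, where only "optional" lets startup proceed.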
@navanchauhan
Collaborator

Different solution merged in #66


Linked issue: Leash fails on Docker Desktop Kubernetes: cgroup-based iptables isolation not supported
