aws · mye956 · May 1, 2025 · May 23, 2025 · May 28, 2025
@@ -247,7 +247,6 @@ additional details on each available environment variable.
 | `ECS_WARM_POOLS_CHECK` | `true` | Whether to ensure instances going into an [EC2 Auto Scaling group warm pool](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-warm-pools.html) are prevented from being registered with the cluster. Set to true only if using EC2 Autoscaling | `false` | `false` |
 | `ECS_SKIP_LOCALHOST_TRAFFIC_FILTER` | `false` | By default, the ecs-init service adds an iptable rule to drop non-local packets to localhost if they're not part of an existing forwarded connection or DNAT, and removes the rule upon stop. If this is set to true, the rule will not be added or removed. | `false` | `false` |
 | `ECS_ALLOW_OFFHOST_INTROSPECTION_ACCESS` | `true` | By default, the ecs-init service adds an iptable rule to block access to the agent introspection port from off-host (or containers in awsvpc network mode), and removes the rule upon stop. If this is set to true, the rule will not be added or removed | `false` | `false` |
-| `ECS_OFFHOST_INTROSPECTION_INTERFACE_NAME` | `eth0` | The primary network interface name to be used for blocking offhost agent introspection port access | `eth0` | `eth0` |
 | `ECS_ENABLE_GPU_SUPPORT` | `true` | Whether you use container instances with GPU support. This parameter is specified for the agent. You must also configure your task definitions for GPU. For more information, see [working with Amazon ECS task definitions for GPU workloads](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-gpu.html). | `false` | `Not applicable` |
 | `HTTP_PROXY` | `10.0.0.131:3128` | The hostname (or IP address) and port number of an HTTP proxy to use for the Amazon ECS agent to connect to the internet. For example, this proxy will be used if your container instances do not have external network access through an Amazon VPC internet gateway or NAT gateway or instance. If this variable is set, you must also set the NO_PROXY variable to filter Amazon EC2 instance metadata and Docker daemon traffic from the proxy. | `null` | `null` |
 | `NO_PROXY` | <For Linux: 169.254.169.254,169.254.170.2,/var/run/docker.sock &#124; For Windows: 169.254.169.254,169.254.170.2,\\.\pipe\docker_engine> | The HTTP traffic that should not be forwarded to the specified HTTP_PROXY. You must specify 169.254.169.254,/var/run/docker.sock to filter Amazon EC2 instance metadata and Docker daemon traffic from the proxy. | `null` | `null` |

@@ -48,6 +48,7 @@ type dockerclient interface {
 	WaitContainer(id string) (int, error)
 	StopContainer(id string, timeout uint) error
 	Ping() error
+	FilteredListNetworks(opts godocker.NetworkFilterOpts) ([]godocker.Network, error)
 }
 
 type _dockerclient struct {
@@ -248,3 +249,7 @@ func isRetryablePingError(err error) bool {
 	}
 	return false
 }
+
+func (d *_dockerclient) FilteredListNetworks(opts godocker.NetworkFilterOpts) ([]godocker.Network, error) {
+	return d.docker.FilteredListNetworks(opts)
+}
@@ -16,6 +16,7 @@ package docker
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"io"
 	"os"
 	"os/exec"
@@ -130,6 +131,10 @@ const (
 	// fault inject functionality. Ref: https://man7.org/linux/man-pages/man8/modinfo.8.html
 	modInfoSbinDir    = "/sbin/modinfo"
 	modInfoUsrSbinDir = "/usr/sbin/modinfo"
+
+	// Docker Network options to filter for the default bridge network interface of docker
+	dockerDefaultBridgeInterfaceOption = "com.docker.network.bridge.default_bridge"
+	dockerInterfaceNameOption          = "com.docker.network.bridge.name"
 )
 
 // Do NOT include "CAP_" in capability string
@@ -667,3 +672,26 @@ func isDomainJoined() bool {
 
 	return true
 }
+
+// FindDefaultBridgeNetworkInterfaceName is used to find the name of the default network interface
+// for docker bridge network mode.
+func (c *client) FindDefaultBridgeNetworkInterfaceName() (string, error) {
+	networks, err := c.docker.FilteredListNetworks(godocker.NetworkFilterOpts{
+		"driver": map[string]bool{"bridge": true},
+	})
+	if err != nil {
+		return "", err
+	}
+	for _, network := range networks {
+		val, ok := network.Options[dockerDefaultBridgeInterfaceOption]
+		if ok {
+			if val == "true" {
+				interfaceName, ok := network.Options[dockerInterfaceNameOption]
+				if ok {
+					return interfaceName, nil
+				}
+			}
+		}
+	}
+	return "", fmt.Errorf("unable to find any virtual docker bridge network interfaces on the host")
+}
@@ -28,6 +28,10 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+const (
+	testDockerBridgeInterfaceName = "docker0"
+)
+
 func TestIsAgentImageLoadedListFailure(t *testing.T) {
 	mockCtrl := gomock.NewController(t)
 	defer mockCtrl.Finish()
@@ -1098,3 +1102,54 @@ func fakeExecCommand(command string, args ...string) *exec.Cmd {
 	cmd.Env = []string{"GO_WANT_HELPER_PROCESS=1"}
 	return cmd
 }
+
+func TestFindDefaultBridgeNetworkInterfaceName(t *testing.T) {
+
+	testCases := []struct {
+		name                              string
+		expectedError                     error
+		expectedDockerBridgeInterfaceName string
+		mockExpectations                  func(mockDocker *Mockdockerclient)
+	}{
+		{
+			name:                              "success",
+			expectedError:                     nil,
+			expectedDockerBridgeInterfaceName: testDockerBridgeInterfaceName,
+			mockExpectations: func(mockDocker *Mockdockerclient) {
+				mockDocker.EXPECT().FilteredListNetworks(gomock.Any()).Return(append(make([]godocker.Network, 0), godocker.Network{
+					Options: map[string]string{
+						dockerDefaultBridgeInterfaceOption: "true",
+						dockerInterfaceNameOption:          testDockerBridgeInterfaceName,
+					},
+				}), nil)
+			},
+		},
+		{
+			name:                              "error",
+			expectedError:                     fmt.Errorf("error unable to find docker bridge interface"),
+			expectedDockerBridgeInterfaceName: "",
+			mockExpectations: func(mockDocker *Mockdockerclient) {
+				mockDocker.EXPECT().FilteredListNetworks(gomock.Any()).Return(nil, fmt.Errorf("error unable to find docker bridge interface"))
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			mockCtrl := gomock.NewController(t)
+			defer mockCtrl.Finish()
+
+			mockDocker := NewMockdockerclient(mockCtrl)
+
+			tc.mockExpectations(mockDocker)
+
+			client := &client{
+				docker: mockDocker,
+			}
+			dockerBridgeInterfaceName, err := client.FindDefaultBridgeNetworkInterfaceName()
+
+			assert.Equal(t, tc.expectedError, err)
+			assert.Equal(t, tc.expectedDockerBridgeInterfaceName, dockerBridgeInterfaceName)
+		})
+	}
+
+}
@@ -38,6 +38,7 @@ type dockerClient interface {
 	StartAgent() (int, error)
 	StopAgent() error
 	LoadEnvVars() map[string]string
+	FindDefaultBridgeNetworkInterfaceName() (string, error)
 }
 
 type loopbackRouting interface {

@@ -21,6 +21,7 @@ import (
 	"os"
 	"time"
 
+	"github.com/aws/amazon-ecs-agent/ecs-agent/utils/netlinkwrapper"
 	"github.com/aws/amazon-ecs-agent/ecs-init/apparmor"
 	"github.com/aws/amazon-ecs-agent/ecs-init/backoff"
 	"github.com/aws/amazon-ecs-agent/ecs-init/cache"
@@ -99,7 +100,15 @@ func New() (*Engine, error) {
 	if err != nil {
 		return nil, err
 	}
-	credentialsProxyRoute, err := iptables.NewNetfilterRoute(cmdExec)
+	docker, err := getDockerClient()
+	if err != nil {
+		return nil, err
+	}
+	dockerBridgeNetworkName, err := docker.FindDefaultBridgeNetworkInterfaceName()
+	if err != nil {
+		return nil, err
+	}
+	credentialsProxyRoute, err := iptables.NewNetfilterRoute(cmdExec, netlinkwrapper.New(), dockerBridgeNetworkName)
 	if err != nil {
 		return nil, err
 	}

@@ -1,5 +1,5 @@
-//go:build test
-// +build test
+//go:build unit
+// +build unit
 
 // Copyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //