When creating a new container via the plugin UI (/plugins/docker/containers/add/), the Cap add dropdown does not include NET_RAW. The list currently exposes capabilities such as NET_ADMIN, CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, etc., but NET_RAW is absent.
CAP_NET_RAW controls the use of RAW and PACKET sockets and the ability to bind to any address for transparent proxying. It is required by tools such as tcpdump, raw-socket-based health checks, various network-diagnostic / VPN workloads, and ping (unless the image's ping is built to use unprivileged ICMP datagram sockets, in which case it can run without the capability).
While NET_RAW is part of Docker's default capability set, the standard hardening pattern is to drop everything and add back only what the workload needs:

```yaml
cap_drop:
  - ALL
cap_add:
  - NET_RAW
```

Without NET_RAW exposed in the Cap add picker, this pattern cannot be expressed through the NetBox UI or API.
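To confirm that the drop-ALL / add-NET_RAW pattern actually took effect at runtime, it helps to decode the capability bitmasks the kernel exposes in /proc/<pid>/status rather than trusting the compose file. The checker below is an added example, not code from this plugin or from NetBox; the capability numbering is the one from linux/capability.h, and the two status dumps are constructed samples (the first matches Docker's well-known default root capability set, 0xa80425fb; the second is what a container started with cap_drop ALL / cap_add NET_RAW shows).

```python
"""Decode the CapInh/CapPrm/CapEff/CapBnd/CapAmb bitmasks from /proc/<pid>/status
and check whether a container ended up with the intended capability set."""

# Capability names indexed by capability number (bit position), from linux/capability.h.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
CAP_NET_RAW = CAP_NAMES.index("NET_RAW")  # capability number 13


def decode_capmask(hex_mask):
    """Turn a hex bitmask as printed in /proc/<pid>/status into a set of cap names."""
    value = int(hex_mask, 16)
    return {
        CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}"  # unknown/newer caps
        for bit in range(value.bit_length())
        if (value >> bit) & 1
    }


def parse_status(status_text):
    """Extract every Cap* line from a /proc/<pid>/status dump and decode it."""
    caps = {}
    for line in status_text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.startswith("Cap"):
            caps[key] = decode_capmask(val.strip())
    return caps


def effective_caps(status_text):
    """The capabilities the process can actually use right now (CapEff)."""
    return parse_status(status_text).get("CapEff", set())


def is_net_raw_only(status_text):
    """True when CapEff is exactly the cap_drop ALL / cap_add NET_RAW pattern."""
    return effective_caps(status_text) == {"NET_RAW"}


# Constructed sample: root in a container started with Docker's default capability set.
DOCKER_DEFAULT_STATUS = (
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)

# Constructed sample: root in a container started with cap_drop ALL and cap_add NET_RAW.
HARDENED_STATUS = (
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000002000\n"
    "CapEff:\t0000000000002000\n"
    "CapBnd:\t0000000000002000\n"
    "CapAmb:\t0000000000000000\n"
)


if __name__ == "__main__":
    # Run inside the container to inspect the live process instead of the samples.
    try:
        with open("/proc/self/status") as f:
            live = f.read()
    except OSError:
        live = HARDENED_STATUS  # not on Linux: fall back to the constructed sample
    for name, caps in parse_status(live).items():
        print(f"{name}: {sorted(caps) or '(none)'}")
    print("NET_RAW-only hardening pattern in effect:", is_net_raw_only(live))
```

Copy the script into the container and run it as the workload user; with `docker run --cap-drop ALL --cap-add NET_RAW` the effective set should decode to exactly NET_RAW, while a default container shows the 14-capability default set. Note that CapEff is per process: a non-root process without file capabilities will report an empty effective set even when the bounding set still contains NET_RAW, so check CapBnd as well when auditing what a later privilege escalation could regain.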
Steps to reproduce
- Navigate to Docker → Containers → + (Add a new container).
- Open the Cap add dropdown.
- Observe that NET_RAW is not present in the list.