xtables contention detected while running [...]: Waited for X.XX seconds and received ""

[Majroch]

Description

Hi, I have a general problem with docker, since 2 or so days ago.

When I restart a docker on my server (or a whole server) and all containers are trying to start, I get massive amount of logs, like:

Jun 13 18:13:32 XXX dockerd[2717]: time="2025-06-13T18:13:32.841742059+02:00" level=warning msg="xtables contention detected while running [--wait -t raw -C PREROUTING -d ::ffff:172.18.0.39 ! -i br-b32b957703c8 -j DROP]: Waited for 3.07 seconds and received \"\""
Jun 13 18:13:35 XXX dockerd[2717]: time="2025-06-13T18:13:35.910411977+02:00" level=warning msg="xtables contention detected while running [--wait -t raw -C PREROUTING -d ::ffff:172.22.0.14 ! -i br-4e72007a29d7 -j DROP]: Waited for 3.07 seconds and received \"\""

Because of that, my server is currently down, and I am trying to find a cause of those errors.

I have 60~70 containers set up on my server, and every one is set to start automatically on start up (restart: unless-stopped policy). Additionaly, I have changed my configuration files, to add additional network subnets available.

On the other note, I have a regular update cycle, where my server updates itself into a new btrfs snapshot every night, and after that does a full reboot.

My current configuration file:

/etc/docker/daemon.json

{
    "log-driver": "json-file",
    "log-level": "warn",
    "log-opts": {
        "max-file": "5",
        "max-size": "10m"
    },
    "runtimes": {
        "nvidia": {
            "args": [],
            "path": "nvidia-container-runtime"
        }
    },
    "metrics-addr": "0.0.0.0:9323",
    "default-address-pools": [
        {
            "base":"172.17.0.0/12",
            "size":16
        },
        {
            "base":"10.99.0.0/16",
            "size":24
        }
    ]
}

What can I try, to check, what's wrong here?

Reproduce

N/A. It happened over a night, after an update of my system. Only thing I saw in logs, is that i had an update from: docker-28.2.2_ce-17.1.x86_64.rpm to docker-28.2.2_ce-18.1.x86_64.rpm on OpenSUSE MicroOS

Expected behavior

No xtables / iptables problems

docker version

Client:
 Version:           28.2.2-ce
 API version:       1.50
 Go version:        go1.23.10
 Git commit:        45873be4a
 Built:             Thu Jun  5 16:12:14 2025
 OS/Arch:           linux/amd64
 Context:           default

docker info

Client:
 Version:    28.2.2-ce
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  0.24.0
    Path:     /usr/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  2.37.0
    Path:     /usr/lib/docker/cli-plugins/docker-compose

Additional Info

No rollback, nor reinstall helped in this case. I couldn't find any helpful info on the internet on this topic, in regard to firewall, docker, or iptables directly.

[thaJeztah]

This looks to be an issues on the daemon side, not the docker CLI (which is only a client connecting to the daemon).

Could you open this in https://github.com/moby/moby/issues instead? That's where the daemon code is maintained.

That said; it looks like you're running a distro-packaged version of docker; sometimes distro packagers apply patches on top of the upstream code base, or different build dependencies, which may be relevant.

[thaJeztah]

Let me close the ticket here because of the above, but feel free to continue the conversation

[Majroch]

Thank you for help. I didn't knew that moby/moby repository was a docker server part.

I've created my ticket there, as you've suggested.

As for distro package, I will try to see, how it's done on the OpenSUSE side of things, and maybe check out any additional patches that they're applying.