iptables doesn't work on Intel based CentOS 7 Container.

[erict-square]

• I have tried with the latest version of Docker Desktop
• I have tried disabling enabled experimental features
• I have uploaded Diagnostics
• Diagnostics ID: n/a

Expected behavior:

Able to show iptables rules. Here's an example of a successful output on the "linux/arm64" centos:7 container

[root@3bb34def59c8 /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Actual behavior

Running the same iptables command in the "linux/amd64" centos7 container renders the following error

[root@59d75e27d3bc /]# iptables -L
iptables v1.4.21: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Information

• macOS Version: Monteray 12.3.1
• Intel chip or Apple chip: Apple Chip
• Docker Desktop Version: Docker Desktop 4.7.1 (77678)

Output of /Applications/Docker.app/Contents/MacOS/com.docker.diagnose check

Please investigate the following 1 issue:

1 : The test: is the VM networking working?
    Failed with: network checks failed: failed to ping host: exit status 1

VM seems to have a network connectivity issue. Please check your host firewall and anti-virus settings in case they are blocking the VM.

Steps to reproduce the behavior

1. docker run -it --cap-add=NET_ADMIN --platform linux/amd64 centos:7 bash
2. In the container, run yum install -y iptables
3. In the container, run iptables -L

This is reproducible.

I know that running Intel based containers on M1 is best-effort, but I'm curious to learn more about this behavior (e.g. Is iptables not supported on Intel based containers on M1?) and whether there is any solutions/workarounds.

I'm also not sure if the diagnosis output is relevant because given the same error, I can get the expected behavior on ARM based containers.

[erict-square]

1. docker run -it --cap-add=NET_ADMIN --platform linux/amd64 ubuntu:latest
2. In the container, apt-get update && apt-get install iptables
3. In the container, iptables -L, which has the following output

root@8c0642eb7f34:/# iptables -L
iptables/1.8.7 Failed to initialize nft: Protocol not supported

I have a stronger suspicion that iptables are not supported on Intel based containers on M1 given how I'm also able to reproduce this on Ubuntu.

[erict-square]

@joe0BAB @thaJeztah Apologize to tag you both, but curious if you both have thoughts on this ticket?

If iptables from an Intel based container isn't supported on Apple M1, that's fine and my team will find a workaround solution to our problem. Just looking for a confirmation!

[joe0BAB]

@erict-square thank you for raising this issue! iptables currently doesn't work under qemu emulation. We'll add this to our doc page https://docs.docker.com/desktop/mac/apple-silicon/.

[erict-square]

@joe0BAB Thanks for the confirmation! Please leave a comment here once the doc page is updated :)

[docker-robott]

Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30 days of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked