[BUG] When running in network_mode: host, container deletes DOCKER-FORWARD chains for custom bridge networks

[brodybuster]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Running the container in host network mode, causes the container to delete the DOCKER-FORWARD chains for all custom bridge networks when started or restarted. This causes all containers using a custom bridge network to lose external network connectivity.

Expected Behavior

I would not expect the container to delete these chains.

Steps To Reproduce

Using Debian Trixie as host and the following compose:

version: "3.9"
services:
webtop:
image: lscr.io/linuxserver/webtop:debian-mate
container_name: webtop
security_opt:
- seccomp:unconfined
privileged: true
environment:
- CUSTOM_PORT=5820
- CUSTOM_HTTPS_PORT=5821
- PUID=1000
- PGID=1000
- TZ=America/New_York
volumes:
- /mnt/appdata/webtop/config:/config:rw
network_mode: host
logging:
driver: json-file
options:
max-size: 5m

Output from iptables -L DOCKER-FORWARD -n -v 2>/dev/null before the container is started (host mode)

Chain DOCKER-FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-CT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-BRIDGE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-7ecd1bb205bb * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-be1546c12dc4 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 * 0.0.0.0/0 0.0.0.0/0

Output from iptables -L DOCKER-FORWARD -n -v 2>/dev/null after the container is started (host mode)

Chain DOCKER-FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-CT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-BRIDGE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 * 0.0.0.0/0 0.0.0.0/0

Output from iptables -L DOCKER-FORWARD -n -v 2>/dev/null before/after the container is started (bridge network)

Chain DOCKER-FORWARD (1 references)
pkts bytes target prot opt in out source destination
23 1380 DOCKER-CT all -- * * 0.0.0.0/0 0.0.0.0/0
23 1380 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
23 1380 DOCKER-BRIDGE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-be1546c12dc4 * 0.0.0.0/0 0.0.0.0/0
1 60 ACCEPT all -- br-7ecd1bb205bb * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-0d8464aadfca * 0.0.0.0/0 0.0.0.0/0

Environment

Debian Trixie using Docker. Webtop installed via compose

CPU architecture

x86-64

Docker creation

version: "3.9"
services:
  webtop:
    image: lscr.io/linuxserver/webtop:debian-mate
    container_name: webtop
    security_opt:
      - seccomp:unconfined
    privileged: true  
    environment:
      - CUSTOM_PORT=5820
      - CUSTOM_HTTPS_PORT=5821
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    volumes:
      - /mnt/appdata/webtop/config:/config:rw
    network_mode: host
    logging:
      driver: json-file
      options:
        max-size: 5m

Container logs

INFO:webrtc_input:Initializing 4 persistent gamepad instances...
INFO:root:Packed js_config payload for 'Microsoft X-Box 360 pad' (js0): len=1360 bytes. Name='Microsoft X-Box 360 pad', Vendor=0x045e, Product=0x028e, Version=0x0100, Reported Buttons=11 (Array capacity: 512), Reported Axes=8 (Array capacity: 64)
INFO:selkies_gamepad:Gamepad configured. JS socket: /tmp/selkies_js0.sock, EVDEV socket: /tmp/selkies_event1000.sock. Using fixed config: Microsoft X-Box 360 pad
INFO:webrtc_input:Initialized and started persistent gamepad instance for index 0 (Name: 'Microsoft X-Box 360 pad', JS: /tmp/selkies_js0.sock, EVDEV: /tmp/selkies_event1000.sock).
INFO:root:Packed js_config payload for 'Microsoft X-Box 360 pad' (js1): len=1360 bytes. Name='Microsoft X-Box 360 pad', Vendor=0x045e, Product=0x028e, Version=0x0100, Reported Buttons=11 (Array capacity: 512), Reported Axes=8 (Array capacity: 64)
INFO:selkies_gamepad:Gamepad configured. JS socket: /tmp/selkies_js1.sock, EVDEV socket: /tmp/selkies_event1001.sock. Using fixed config: Microsoft X-Box 360 pad
INFO:webrtc_input:Initialized and started persistent gamepad instance for index 1 (Name: 'Microsoft X-Box 360 pad', JS: /tmp/selkies_js1.sock, EVDEV: /tmp/selkies_event1001.sock).
INFO:root:Packed js_config payload for 'Microsoft X-Box 360 pad' (js2): len=1360 bytes. Name='Microsoft X-Box 360 pad', Vendor=0x045e, Product=0x028e, Version=0x0100, Reported Buttons=11 (Array capacity: 512), Reported Axes=8 (Array capacity: 64)
INFO:selkies_gamepad:Gamepad configured. JS socket: /tmp/selkies_js2.sock, EVDEV socket: /tmp/selkies_event1002.sock. Using fixed config: Microsoft X-Box 360 pad
INFO:webrtc_input:Initialized and started persistent gamepad instance for index 2 (Name: 'Microsoft X-Box 360 pad', JS: /tmp/selkies_js2.sock, EVDEV: /tmp/selkies_event1002.sock).
INFO:root:Packed js_config payload for 'Microsoft X-Box 360 pad' (js3): len=1360 bytes. Name='Microsoft X-Box 360 pad', Vendor=0x045e, Product=0x028e, Version=0x0100, Reported Buttons=11 (Array capacity: 512), Reported Axes=8 (Array capacity: 64)
INFO:selkies_gamepad:Gamepad configured. JS socket: /tmp/selkies_js3.sock, EVDEV socket: /tmp/selkies_event1003.sock. Using fixed config: Microsoft X-Box 360 pad
INFO:webrtc_input:Initialized and started persistent gamepad instance for index 3 (Name: 'Microsoft X-Box 360 pad', JS: /tmp/selkies_js3.sock, EVDEV: /tmp/selkies_event1003.sock).
INFO:selkies_gamepad:Gamepad /tmp/selkies_js0.sock: Event processor started.
INFO:selkies_gamepad:JS interposer server listening on /tmp/selkies_js0.sock
INFO:selkies_gamepad:Gamepad /tmp/selkies_js1.sock: Event processor started.
INFO:selkies_gamepad:JS interposer server listening on /tmp/selkies_js1.sock
INFO:selkies_gamepad:Gamepad /tmp/selkies_js2.sock: Event processor started.
INFO:selkies_gamepad:JS interposer server listening on /tmp/selkies_js2.sock
INFO:selkies_gamepad:Gamepad /tmp/selkies_js3.sock: Event processor started.
INFO:selkies_gamepad:JS interposer server listening on /tmp/selkies_js3.sock
INFO:selkies_gamepad:EVDEV interposer server listening on /tmp/selkies_event1000.sock
INFO:selkies_gamepad:EVDEV interposer server listening on /tmp/selkies_event1001.sock
INFO:selkies_gamepad:EVDEV interposer server listening on /tmp/selkies_event1002.sock
INFO:selkies_gamepad:EVDEV interposer server listening on /tmp/selkies_event1003.sock
dbus-daemon[274]: [system] Activating service name='org.freedesktop.PolicyKit1' requested by ':1.30' (uid=1000 pid=766 comm="/usr/libexec/polkit-mate-authentication-agent-1") (using servicehelper)
dbus-daemon[274]: [system] Activated service 'org.freedesktop.PolicyKit1' failed: Failed to execute program org.freedesktop.PolicyKit1: Permission denied
dbus-daemon[274]: [system] Activating service name='org.mate.SettingsDaemon.DateTimeMechanism' requested by ':1.31' (uid=1000 pid=756 comm="/usr/libexec/mate-panel/clock-applet") (using servicehelper)
dbus-daemon[274]: [system] Activated service 'org.mate.SettingsDaemon.DateTimeMechanism' failed: Failed to execute program org.mate.SettingsDaemon.DateTimeMechanism: Permission denied
dbus-daemon[274]: [system] Activating service name='org.freedesktop.login1' requested by ':1.32' (uid=1000 pid=756 comm="/usr/libexec/mate-panel/clock-applet") (using servicehelper)
dbus-daemon[274]: [system] Activated service 'org.freedesktop.login1' failed: Failed to execute program org.freedesktop.login1: Permission denied
WARNING:data_websocket:Cannot broadcast cursor data: no clients connected or server not ready.
WARNING:data_websocket:Cannot broadcast cursor data: no clients connected or server not ready.

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[thelamer]

It has a DinD layer, use the START_DOCKER option https://github.com/linuxserver/docker-baseimage-selkies/?tab=readme-ov-file#options

Also this is not really supported and I am not sure why you would want to do this.

[brodybuster]

It has a DinD layer, use the START_DOCKER option https://github.com/linuxserver/docker-baseimage-selkies/?tab=readme-ov-file#options

Also this is not really supported and I am not sure why you would want to do this.

Thank you. I realize running a privileged container using network_mode: host is generally not a good idea, but I spun this container up quickly and noticed that it brought all my other bridge networks done. Appreciate the feedback.