
dockerd compatibility problem with nftables #17766

Open
qiuzi opened this issue Feb 1, 2022 · 14 comments

Comments

@qiuzi

qiuzi commented Feb 1, 2022

@G-M0N3Y-2503 @neheb
In the future, iptables will be replaced. Will dockerd be perfectly compatible with nftables?

@brada4

brada4 commented Feb 8, 2022

What is the exact compatibility problem you are referring to in the title? Docker works on all major Linux distributions, all of them having been on NFT for a few years now.

@qiuzi
Author

qiuzi commented Feb 8, 2022

@brada4 It should be transitioned to nftables use; iptables will slowly be phased out.
The current startup script can remove iptables dependencies and reduce redundant components.

@G-M0N3Y-2503
Contributor

Thanks for the thought-provoking question, I'm moving house ATM so I haven't had much time to look into this.
I did find moby/moby#26824 that I am yet to read, but, it might provide some guidance on this question in the interim.

@brada4

brada4 commented Feb 8, 2022

Docker supports the iptables command line only. Enough is emulated via NFT iptables wrappers on any (?other?) system out there.
That is a question to Docker Inc. to support some novelty environment.

@G-M0N3Y-2503
Contributor

It seems that docker still depends on iptables until something like moby/moby#26824 is done.
With the advent of #16818, I'm working on having docker use iptables-nft.

It does sound like a possible feature to remove any iptables dependencies and disable iptables in the docker config for a custom build, but that sounds like a separate issue from this one.

So from my perspective, this issue is a duplicate of #16818.

@brada4

brada4 commented Mar 17, 2022

@brada4 It should be transitioned to nftables use; iptables will slowly be phased out. The current startup script can remove iptables dependencies and reduce redundant components.

In the official post iptables-nft is recommended as a compatibility option, on par with what official docker package repos do. (podman too, before you ask)

@qiuzi
Author

qiuzi commented Mar 17, 2022

iptables-nft is not the best solution; nft has other new features.

@G-M0N3Y-2503
Contributor

In the official post iptables-nft is recommended as a compatibility option, on par with what official docker package repos do. (podman too, before you ask)

I'm not sure what you are referring to; if you have links, I'd appreciate them.
Because from what I can tell, using iptables-nft is how current official packages are supporting netfilter.
See https://github.com/docker/docker-ce-packaging/blob/master/deb/common/control#L32

@acooler15
Contributor

My Docker container has access to the local network but not the internet when using iptables-nft 😢

@brada4

brada4 commented Mar 18, 2022

There should be a forward rule for each exposed port and one masquerade rule for everything involving docker's internal bridge (in iptables-save).
In which way does it not work?

@champtar
Member

With nftables you now have multiple tables; if a rule in the fw4 table drops a packet,
the fact that it was accepted in the filter table (configured by iptables-nft) doesn't matter.
So you might need to add some allow rules in fw4 for docker to work.
Can someone show the output of iptables-nft-save and nft list ruleset when running docker?

@brada4

brada4 commented Mar 18, 2022

centos8-tables.txt
centos8-nft.txt
"how it should look"

Yes, I flushed tables before restarting docker so that it shows only docker additions.

@champtar
Member

@brada4 You just don't have any firewall configured on your CentOS8 box.

@koolkhel

koolkhel commented Mar 31, 2022

It's an issue for me as well. For docker-compose it's avoidable by manually creating bridges (in my example it's br-transmission) and doing

/usr/sbin/nft insert rule inet fw4 forward iifname "br-transmission" accept
/usr/sbin/nft insert rule inet fw4 forward iifname "br-lan" oifname "br-transmission" accept

After these two commands the containers have normal connectivity.

For docker build I'm using docker build --network=host and it works.

Yes, I'm using iptables-nft.
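The thread explains the failure mode (a drop in fw4's own forward chain wins over an accept in the iptables-nft filter table) and koolkhel's comment gives the two nft rules that work around it for one bridge. The script below is an added example, not code from the issue, from OpenWrt or from Docker: it wraps those two rules in an idempotent helper that first checks the live `inet fw4` forward chain and only inserts when the bridge is not accepted yet. It assumes fw4's `inet fw4` table and `forward` chain exactly as named in the thread; the function names, the `DRY_RUN` switch and the optional third argument (a captured chain listing, used for offline testing) are this example's own.

```shell
#!/bin/sh
# Added example, not from the issue thread or from OpenWrt/Docker.
# Idempotently inserts the two fw4 forward accept rules from the thread for
# a Docker bridge. Assumes OpenWrt's fw4 with the 'inet fw4' table and its
# 'forward' chain; bridge and LAN interface names are parameters.
# Set DRY_RUN=1 to print the nft commands instead of executing them.

# Print the nft commands (one per line) that let traffic arriving on the
# container bridge be forwarded, and let LAN hosts reach the containers.
docker_fw4_rules() {
    bridge="$1"
    lan="${2:-br-lan}"
    printf 'insert rule inet fw4 forward iifname "%s" accept\n' "$bridge"
    printf 'insert rule inet fw4 forward iifname "%s" oifname "%s" accept\n' "$lan" "$bridge"
}

# Succeed (exit 0) if a chain listing, i.e. the text printed by
# 'nft list chain inet fw4 forward', already has an accept rule whose
# iifname is the given bridge.
rule_present() {
    listing="$1"
    bridge="$2"
    printf '%s\n' "$listing" | grep -q "iifname \"$bridge\".*accept"
}

# Insert the rules unless the bridge is already accepted. The optional third
# argument supplies the chain listing so the logic can be exercised without
# nft; when it is omitted, the live chain is queried.
apply_docker_fw4_rules() {
    bridge="$1"
    lan="${2:-br-lan}"
    listing="${3:-$(nft list chain inet fw4 forward 2>/dev/null)}"
    if rule_present "$listing" "$bridge"; then
        echo "fw4 forward already accepts $bridge; nothing to do"
        return 0
    fi
    docker_fw4_rules "$bridge" "$lan" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "nft $cmd"
        else
            # nft joins its arguments with spaces and parses the result as
            # ruleset syntax, so the quoted interface names pass through intact.
            nft $cmd
        fi
    done
}

# Usage: sh docker-fw4.sh br-transmission [br-lan]
if [ $# -gt 0 ]; then
    apply_docker_fw4_rules "$@"
fi
```

Two things worth knowing before using it as-is. The first rule accepts anything arriving on the container bridge towards any destination; if the containers only need internet access, adding an `oifname` match for the WAN interface (whatever it is called on your box) to that rule is the tighter choice. And fw4 rebuilds its table from scratch when it reloads, so rules inserted by hand disappear at the next firewall restart and the script has to be run again, or the rules moved into a place fw4 itself loads.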
