No DOCKER-USER chain with `ip6tables: true`
RaphMad opened this issue · comments
I'm using the `ip6tables: true` option with no problems so far.
The only conceptual difference I found from IPv4 is that no DOCKER-USER chain gets created, which makes it hard to insert custom ip6tables rules at a defined location.
```
$ dockerd --version
Docker version 20.10.17, build a89b842
$ iptables -nvL | grep DOCKER-USER
 417K  335M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain DOCKER-USER (1 references)
$ ip6tables -nvL | grep DOCKER-USER
```
Is this chain still planned / slipped through / not planned for IPv6? I could not really find any discussion about it browsing the old merged/closed tickets regarding ip6tables.
This is a blocker to my system. Can someone please provide the fix in the near future? An ETA would be much appreciated.
With the ip6tables option, this should be added.
At least until now (Docker version 20.10.23) it is not yet implemented in the experimental ip6tables feature.
Do you know when this will be implemented?
Sorry, I do not have further information about this topic.
I had only noticed the missing DOCKER-USER rules in the ip6tables myself today and searched for it and found this thread here. Since the version mentioned above was 20.10.17 I only wanted to inform that even in the newest version 20.10.23 this DOCKER-USER is still missing in the experimental ip6tables feature.
Is there a docker development forum where we can post questions like this one?
Added with Docker v23

```
$ docker version
Client: Docker Engine - Community
 Version:           23.0.0
 API version:       1.42
 Go version:        go1.19.5
 Git commit:        e92dd87
 Built:             Wed Feb  1 17:43:17 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.0
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.5
  Git commit:       d7573ab
  Built:            Wed Feb  1 17:43:17 2023
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.6.16
  GitCommit:        31aa4358a36870b21a992d3ad2bef29e1d693bec
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```

```
$ iptables -S | grep DOCKER-USER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth0 -j DROP
-A DOCKER-USER -j RETURN
$ ip6tables -S | grep DOCKER-USER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
```
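To make the difference between the two engine versions actionable, here is an added helper script (not code from this thread or from the Docker project) that reads an `ip6tables -S` listing, reports whether the DOCKER-USER chain exists, and emits only the idempotent `ip6tables` commands needed to mirror the IPv4 layout shown above (ESTABLISHED accept, then drop forwarded traffic arriving on the external interface). The sample listings are constructed, the interface name `eth0` is an assumption, and the script never runs `ip6tables` itself, so it can be dry-run without root.

```shell
#!/bin/sh
# Constructed sample listings, not captured from a real host.
# OLD_LISTING mirrors the 20.10 state (no DOCKER-USER chain at all),
# NEW_LISTING mirrors the 23.0 state (chain exists, only a RETURN rule).
OLD_LISTING='-P FORWARD DROP
-N DOCKER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1'
NEW_LISTING='-P FORWARD DROP
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN'

# docker_user_chain_present LISTING
# Exit 0 if the listing declares the DOCKER-USER chain ("-N DOCKER-USER").
docker_user_chain_present() {
    printf '%s\n' "$1" | grep -qx -- '-N DOCKER-USER'
}

# plan_docker_user_rules LISTING IFACE
# Print the ip6tables commands still needed so that DOCKER-USER ends up as:
#   1. -m conntrack --ctstate ESTABLISHED -j ACCEPT
#   2. -i IFACE -j DROP        (drop new forwarded traffic from the outside)
# On an engine without the chain it is created and hooked into FORWARD first.
# Rules already present in the listing are skipped, so re-running is safe.
plan_docker_user_rules() {
    listing=$1
    iface=$2
    if ! docker_user_chain_present "$listing"; then
        echo "ip6tables -N DOCKER-USER"
        echo "ip6tables -I FORWARD -j DOCKER-USER"
    fi
    pos=1
    for rule in "-m conntrack --ctstate ESTABLISHED -j ACCEPT" "-i $iface -j DROP"; do
        # ip6tables -S prints chain rules as "-A DOCKER-USER <rule>".
        if ! printf '%s\n' "$listing" | grep -qxF -- "-A DOCKER-USER $rule"; then
            echo "ip6tables -I DOCKER-USER $pos $rule"
        fi
        pos=$((pos + 1))
    done
}

# Dry run against both constructed states; pipe a real listing in yourself with
#   plan_docker_user_rules "$(ip6tables -S)" eth0
echo "# engine 20.10 state:"; plan_docker_user_rules "$OLD_LISTING" eth0
echo "# engine 23.0 state:";  plan_docker_user_rules "$NEW_LISTING" eth0
```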
Thanks a lot @cfouche3005 for confirming this!
The weird thing is that it's not explicitly mentioned in the changelog (or I didn't find the right change in the changelog).
> The weird thing is that it's not explicitly mentioned in the changelog (or I didn't find the right change in the changelog).

It is actually mentioned in the release notes:
Fix a failure to create the DOCKER-USER ip6tables chain. moby/moby#44845
Sorry, I am too dumb and blind, thanks for mentioning it.
I think this issue can be closed
No, you're not blind. I would probably also not have seen it due to the long list of fixes, security updates and new features.
I just searched for the DOCKER-USER in the release notes. ;-)
And yes, I would also think that it can be closed now. @RaphMad