aws
DOCKER-USER iptables chain doesn't work (WARNING: bridge-nf-call-iptables is disabled)
Describe the bug
I was trying to insert in some custom iptables rules into the DOCKER-USER iptables chain and noticed that anything I added was ignored and never applied. Also after building a docker image that generates lots of network traffic (e.g. both downloading and uploading packages), I printed out all of the iptables chains using iptables -nvL and the docker user chain shows 0 packets and 0 bytes as having traversed through the chain. In fact the only chains that show activity are OUTPUT and INPUT.
I also notice when I run docker info the following appears (which I'm guessing is probably the reason why the rules are ignored):
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Does anyone know how to get this to work on codebuild? Is this some limitation on the underlying host preventing this from working?
To Reproduce Steps to reproduce the behavior:
- run
docker infoand these are displayed:
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Expected behavior Warnings should not appear
Logs If applicable, add log output to help explain your problem.
Platform (please complete the following information):
- OS: Linux ARM
Additional context
If I google WARNING: bridge-nf-call-iptables is disabled results seem to suggest running sudo modprobe br_netfilter and sysctl -w net.bridge.bridge-nf-call-iptables=1, but both commands generate an error for me.
I also tried the x86 image as well both Amazon Linux and Ubuntu and ran into the same error.
Also, I'll point out that these warnings do not appear on github hosted runners (ubuntu-latest) and I'm able to place iptables rules properly on those. It only appears on my codebuild runners.
