
support nftables

Open cling8807 opened this issue 7 months ago • 7 comments

What is the problem you're trying to solve

support nftables

Describe the solution you'd like

support nftables

Additional context

No response

cling8807 avatar Apr 17 '25 04:04 cling8807

Hi @cling8807

Modern iptables does use nf_tables kernel infrastructure, right?

So, what would be the upside in supporting nft instead of iptables?

$ iptables --version
iptables v1.8.9 (nf_tables)

Thanks.

apostasie avatar Apr 21 '25 06:04 apostasie

@AkihiroSuda not sure what there is to do here. Closing?

@cling8807 let us know if there is something specific here to be done that serves a specific use case.

apostasie avatar Apr 26 '25 05:04 apostasie

# nerdctl run --rm -it alpine
FATA[0001] failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: time="2025-05-23T07:50:27Z" level=fatal msg="failed to call cni.Setup: plugin type=\"bridge\" failed (add): failed to list chains: running [/usr/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.9 (nf_tables): table `nat' is incompatible, use 'nft' tool.\n": unknown

The nftables table nat was created and maintained by tailscale (TS_DEBUG_FIREWALL_MODE=nftables), so iptables cannot create another table under the same name.

zhangyoufu avatar May 23 '25 07:05 zhangyoufu

Basically this issue should be discussed in https://github.com/containernetworking/plugins/issues

AkihiroSuda avatar May 23 '25 08:05 AkihiroSuda

> Basically this issue should be discussed in https://github.com/containernetworking/plugins/issues

Adding "ipMasqBackend": "nftables" to /etc/cni/net.d/nerdctl-bridge.conflist alone is not enough.

The CNI plugin packaged by Debian/Armbian is just too old.

containernetworking-plugins        1.1.1+ds1-3+b5

After upgrading the CNI plugins to 1.7.1, I get a mixture of nftables and iptables. The iptables part is still not compatible with tailscale (TS_DEBUG_FIREWALL_MODE=nftables).

# nft list ruleset
table inet cni_plugins_masquerade {
	comment "Masquerading for plugins from github.com/containernetworking/plugins"
	chain masq_checks {
		comment "Masquerade traffic from certain IPs to any (non-multicast) IP outside their subnet"
		ip saddr 172.17.0.7 ip daddr != 172.17.0.0/24 masquerade comment "7d24d33e39064c8a-8563544ae433207b, net: bridge, if: eth0, id: default-58d4df014664f446ad8c3612d93a4ee346b922ade16ffe86ffdaffaac9"
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip daddr 224.0.0.0/4 return
		ip6 daddr ff00::/8 return
		goto masq_checks
	}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain CNI-FORWARD {
		 counter packets 247 bytes 15422 jump CNI-ADMIN
	}

	chain CNI-ADMIN {
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		 counter packets 246 bytes 15362 jump CNI-ISOLATION-STAGE-1
		 counter packets 247 bytes 15422 jump CNI-FORWARD
	}

	chain CNI-ISOLATION-STAGE-1 {
		iifname "nerdctl0" oifname != "nerdctl0"  counter packets 0 bytes 0 jump CNI-ISOLATION-STAGE-2
		 counter packets 245 bytes 15295 return
	}

	chain CNI-ISOLATION-STAGE-2 {
		oifname "nerdctl0"  counter packets 0 bytes 0 drop
		 counter packets 0 bytes 0 return
	}
}

I hope I could have something like /etc/docker/daemon.json "iptables": false in nerdctl.


Found it: just remove the firewall & portmap plugins from /etc/cni/net.d/nerdctl-bridge.conflist.

zhangyoufu avatar May 23 '25 08:05 zhangyoufu
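The two checks discussed in this thread (which backend the `iptables` binary is using, and whether a CNI conflist that sets `ipMasqBackend` to nftables still carries plugins that program iptables) are easy to script. The following is an added example, not code from nerdctl, the CNI plugins or any commenter; the conflist and the `nft list ruleset` excerpt are constructed samples modelled on the plugin names and output quoted above, and the assumption that `portmap` and `firewall` are the plugins still going through iptables is taken from the comment above, not from plugin documentation.

```python
import json
import re

# Constructed sample conflist, modelled only on the plugin names mentioned in
# this thread (bridge, portmap, firewall); it is not nerdctl's actual file.
SAMPLE_CONFLIST = json.dumps({
    "cniVersion": "1.0.0",
    "name": "nerdctl",
    "plugins": [
        {"type": "bridge", "bridge": "nerdctl0", "ipMasq": True,
         "ipMasqBackend": "nftables",
         "ipam": {"type": "host-local",
                  "ranges": [[{"subnet": "172.17.0.0/24"}]]}},
        {"type": "portmap", "capabilities": {"portMappings": True}},
        {"type": "firewall"},
    ],
})

# Constructed excerpt of `nft list ruleset`, following the shape quoted above.
SAMPLE_RULESET = """\
table inet cni_plugins_masquerade {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
	}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain CNI-FORWARD {
	}
}
"""

# Assumption from the thread: these plugins still call the iptables command
# rather than using native nftables, so they coexist badly with an nft-only host.
IPTABLES_PLUGINS = {"portmap", "firewall"}


def iptables_backend(version_output: str) -> str:
    """Classify `iptables --version` output as 'nf_tables', 'legacy' or 'unknown'."""
    m = re.search(r"iptables v[\d.]+ \((nf_tables|legacy)\)", version_output)
    return m.group(1) if m else "unknown"


def audit_conflist(conflist_json: str) -> dict:
    """Report the masquerade backend and any plugins that still program iptables.

    'mixed' is True when the bridge plugin masquerades via nftables while other
    plugins in the same chain still rely on iptables: the situation shown above.
    """
    conf = json.loads(conflist_json)
    bridge = next((p for p in conf["plugins"] if p.get("type") == "bridge"), {})
    masq_backend = bridge.get("ipMasqBackend") if bridge.get("ipMasq") else None
    iptables_users = sorted(p["type"] for p in conf["plugins"]
                            if p.get("type") in IPTABLES_PLUGINS)
    return {
        "masq_backend": masq_backend,
        "iptables_plugins": iptables_users,
        "mixed": masq_backend == "nftables" and bool(iptables_users),
    }


def tables_managed_by_iptables_nft(ruleset: str) -> list[str]:
    """Return nft tables that nft itself flags as owned by iptables-nft."""
    return re.findall(r"^# Warning: table (\S+ \S+) is managed by iptables-nft",
                      ruleset, re.M)


def drop_iptables_plugins(conflist_json: str) -> str:
    """Return the conflist without portmap/firewall, as the comment above did by hand.

    Dropping portmap also removes published-port support, so this is a trade-off,
    not a free fix.
    """
    conf = json.loads(conflist_json)
    conf["plugins"] = [p for p in conf["plugins"]
                       if p.get("type") not in IPTABLES_PLUGINS]
    return json.dumps(conf, indent=2)


if __name__ == "__main__":
    print("iptables backend:", iptables_backend("iptables v1.8.9 (nf_tables)"))
    print("conflist audit:", audit_conflist(SAMPLE_CONFLIST))
    print("iptables-nft tables:", tables_managed_by_iptables_nft(SAMPLE_RULESET))
    print(drop_iptables_plugins(SAMPLE_CONFLIST))
```

On a live host the three inputs would come from `iptables --version`, the conflist file, and `nft list ruleset`; the point of the audit is to surface the mixed state before a tool such as tailscale in nftables mode and the iptables-based plugins start fighting over the `nat` table.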

@apostasie

nftables is the successor of iptables, and there are a lot of problems related to iptables-nft, for example https://stackoverflow.com/questions/57710177/tproxy-compatibility-with-docker

Also, if you deploy nerdctl on routers like OpenWrt that use nftables by default, and use "ip6tables": true in daemon.json, IPv6 forwarding will stop working on the LAN network, even after stopping nerdctl and running ip6tables -F.

The router has to be rebooted without nerdctl enabled to make IPv6 on the LAN work again.

ghost avatar May 29 '25 13:05 ghost

> @apostasie
>
> nftables is the successor of iptables, and there are a lot of problems related to iptables-nft, for example https://stackoverflow.com/questions/57710177/tproxy-compatibility-with-docker
>
> Also, if you deploy nerdctl on routers like OpenWrt that use nftables by default, and use "ip6tables": true in daemon.json, IPv6 forwarding will stop working on the LAN network, even after stopping nerdctl and running ip6tables -F.
>
> The router has to be rebooted without nerdctl enabled to make IPv6 on the LAN work again.

Thanks for clarifying. As Akihiro stated above though, this likely needs to happen in cni plugins.

apostasie avatar Jun 06 '25 19:06 apostasie