
No DOCKER-USER chain with `ip6tables: true`

Open RaphMad opened this issue 3 years ago • 12 comments

I'm using the ip6tables: true option with no problems so far.

The only conceptual difference I found to IPv4 is that no DOCKER-USER chain gets created, which makes it hard to insert custom ip6tables rules at a defined location.

dockerd --version: Docker version 20.10.17, build a89b842

iptables -nvL | grep DOCKER-USER
 417K  335M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain DOCKER-USER (1 references)
ip6tables -nvL | grep DOCKER-USER

Is this chain still planned / slipped through / not planned for IPv6? I could not really find any discussion about it browsing the old merged/closed tickets regarding ip6tables.

RaphMad avatar Jun 08 '22 09:06 RaphMad

This is a blocker to my system. Can someone please provide the fix in the near future? An ETA would be much appreciated.

yicding avatar Jan 24 '23 20:01 yicding

With the ip6tables option, this should be added.

cfouche3005 avatar Jan 25 '23 15:01 cfouche3005

At least as of now (Docker version 20.10.23) it is not yet implemented in the experimental ip6tables feature.

GuidoDr avatar Jan 28 '23 18:01 GuidoDr

Do you know when this will be implemented?

yicding avatar Jan 28 '23 18:01 yicding

Sorry, I do not have further information about this topic. I had only noticed the missing DOCKER-USER rules in ip6tables myself today, searched for it and found this thread. Since the version mentioned above was 20.10.17, I only wanted to point out that even in the newest version, 20.10.23, the DOCKER-USER chain is still missing in the experimental ip6tables feature.

GuidoDr avatar Jan 28 '23 18:01 GuidoDr

Is there a docker development forum where we can post questions like this one?

yicding avatar Jan 28 '23 18:01 yicding

Added with docker v23

docker version

Client: Docker Engine - Community
 Version:           23.0.0
 API version:       1.42
 Go version:        go1.19.5
 Git commit:        e92dd87
 Built:             Wed Feb  1 17:43:17 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.0
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.5
  Git commit:       d7573ab
  Built:            Wed Feb  1 17:43:17 2023
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.6.16
  GitCommit:        31aa4358a36870b21a992d3ad2bef29e1d693bec
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

iptables -S | grep DOCKER-USER

-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth0 -j DROP
-A DOCKER-USER -j RETURN

ip6tables -S | grep DOCKER-USER

-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN

cfouche3005 avatar Feb 02 '23 18:02 cfouche3005
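The output above shows the practical point of the thread: on Docker 23.0 the DOCKER-USER chain exists for both address families, so site rules can be placed in front of Docker's own forwarding rules. The script below is an added example (not code from the thread or from moby/libnetwork) that takes the text of an `iptables -S` / `ip6tables -S` dump, reports whether DOCKER-USER is declared, and emits the idempotent commands that put the same two rules cfouche3005 shows (accept established traffic, drop new connections arriving on the external interface) ahead of Docker's trailing RETURN. For the pre-23.0 ip6tables case it also emits the commands to create the chain by hand. The sample dumps and the interface name eth0 are constructed for the example; nothing is applied unless `apply_plan` is called with a real binary, which needs root.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from moby/libnetwork.
# Given the text of `iptables -S` / `ip6tables -S`, report whether the
# DOCKER-USER chain exists and emit the idempotent commands that place a
# site's own filtering rules in it. Nothing is applied unless apply_plan
# is called with a real iptables/ip6tables binary (which needs root).

# Constructed sample dumps (not captured from a real host).
# IPv4 on a 20.10/23.0 daemon: chain exists, only Docker's trailing RETURN.
DUMP_V4='-P FORWARD DROP
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER
-A DOCKER-USER -j RETURN'
# IPv6 on a pre-23.0 daemon with ip6tables: true: no DOCKER-USER at all.
DUMP_V6_OLD='-P FORWARD DROP
-N DOCKER
-A FORWARD -j DOCKER'

# has_docker_user_chain DUMP: exit 0 when the chain is declared in DUMP.
has_docker_user_chain() {
    printf '%s\n' "$1" | grep -q '^-N DOCKER-USER$'
}

# plan DUMP EXT_IF: print one command per line (arguments only, without
# the iptables/ip6tables binary) that bring DOCKER-USER to this state:
#   -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   -A DOCKER-USER -i EXT_IF -j DROP
#   -A DOCKER-USER -j RETURN        (Docker's own rule, left alone)
# Rules are handled in reverse order, and a rule that already exists is
# deleted before being re-inserted at the head, so re-running the plan
# always yields the same final order instead of duplicating rules.
plan() {
    dump=$1; ext_if=$2
    if ! has_docker_user_chain "$dump"; then
        # Pre-23.0 ip6tables case: the chain must be created by hand.
        # Assumption: the daemon may reinsert its own FORWARD jumps at the
        # top on restart, so the hand-made jump has to be re-checked then.
        printf '%s\n' '-N DOCKER-USER'
        printf '%s\n' '-I FORWARD -j DOCKER-USER'
        printf '%s\n' '-A DOCKER-USER -j RETURN'
    fi
    for rule in \
        "-i $ext_if -j DROP" \
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    do
        if printf '%s\n' "$dump" | grep -qF -- "-A DOCKER-USER $rule"; then
            printf -- '-D DOCKER-USER %s\n' "$rule"
        fi
        printf -- '-I DOCKER-USER %s\n' "$rule"
    done
}

# apply_plan BIN DUMP EXT_IF: run each planned line with BIN (iptables or
# ip6tables). Requires root; shown for completeness, never called here.
apply_plan() {
    bin=$1
    plan "$2" "$3" | while IFS= read -r line; do
        # shellcheck disable=SC2086  # word splitting of the line is intended
        "$bin" $line
    done
}

# Demo: print the plans for both constructed dumps.
if [ "${1:-}" = "demo" ]; then
    echo "# iptables plan:";  plan "$DUMP_V4" eth0
    echo "# ip6tables plan:"; plan "$DUMP_V6_OLD" eth0
fi
```

Run it as `sh docker-user-plan.sh demo` to see the two plans; on a live host the dumps would come from `iptables -S` and `ip6tables -S` and be handed to `apply_plan iptables ...` / `apply_plan ip6tables ...`. The delete-then-insert pattern is what keeps the rule order stable across repeated runs, which is the property the DOCKER-USER chain is meant to give you in the first place.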

Thanks a lot @cfouche3005 for confirming this!

yicding avatar Feb 02 '23 19:02 yicding

The weird thing is that it's not explicitly mentioned in the changelog (or I didn't find the right entry in the changelog).

cfouche3005 avatar Feb 02 '23 19:02 cfouche3005

The weird thing is that it's not explicitly mentioned in the changelog (or I didn't find the right entry in the changelog).

It is actually mentioned in the release notes:

Fix a failure to create the DOCKER-USER ip6tables chain. https://github.com/moby/moby/pull/44845

GuidoDr avatar Feb 02 '23 21:02 GuidoDr

Sorry, I am too dumb and blind, thanks for mentioning it.

I think this issue can be closed.

cfouche3005 avatar Feb 02 '23 21:02 cfouche3005

No, you're not blind. I would probably also not have seen it due to the long list of fixes, security and new features. I just searched for DOCKER-USER in the release notes. ;-) And yes, I would also think that it can be closed now. @RaphMad

GuidoDr avatar Feb 02 '23 21:02 GuidoDr