Any work being done to better support large port ranges

tekniken · October 2, 2025, 1:27pm

Hello, there has been a few posts about this throughout the years but little positive feedback whether or not it is considered as a usable addition.

We’ve run Asterisk (a PBX system) containerised with Docker on Ubuntu 22.04 for quite some time. I got around to updating the engine a few days ago and suddenly our SIP calls ended up with no audio. SIP needs to have large port ranges available, 10000-32767 and 62000-62513. Any attempt at activating these natively within Docker failed when we set everything up originally, but luckily the solution then was rather simple. We could add the required NAT entries to nftables.conf like so:

chain dstnat {
                type nat hook prerouting priority dstnat - 10; policy accept;
                iifname != "asterisk" ip daddr 192.168.3.1 udp dport { 5088, 10000-32767, 62000-62513 } counter packets 0 bytes 0 dnat to 172.20.0.2
                iifname != "asterisk" ip daddr 10.9.0.50 udp dport { 10000-32767, 62000-62513 } counter packets 0 bytes 0 dnat to 172.20.0.2
        }
chain srcnat {
                type nat hook postrouting priority srcnat - 10; policy accept;
                ip saddr 172.20.0.2 ip daddr 172.20.0.2 udp dport { 10000-32767, 62000-62513 } counter packets 0 bytes 0 masquerade
        }

This worked beautifully. After the recent update however, I think that this entry in ip filter → chain DOCKER put an end to the elegance:

iifname != "asterisk" oifname "asterisk" counter packets 0 bytes 0 drop

With this change Docker now removed the last easy way to co-exist with nftables, and we’ll have to resort to setting our own accept rule in DOCKER-USER with a custom service after startup. It would in my opinion save a great deal of headache if proper support for port ranges could be considered: A docker-proxy that could handle a range of ports and nftables/iptables rules with range entries rather than singles.

A perhaps easier to implement workaround would be to let Docker merge its DOCKER-USER chain with pre-existing entries on start, so that these could be set in nftables.conf. Behavior now is that Docker completely disregards that chain if it exists, and does not create the counter packets 0 bytes 0 jump DOCKER-USER-rule in the FORWARD chain. This would at least avoid the extra clutter and invisibility with additional scripts/services.

Best regards
Alexander

meyay · October 2, 2025, 6:59pm

Thank you for sharing your insights with the community.

I assume you want your post to be read by the developers as well, as such I would suggest to reach out to them by raising an issue in docker’s upstream project moby:

system · November 1, 2025, 6:59pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Exposing large range of ports is not viable General	4	4113	February 16, 2018
Docker SNAT iptables and ipv4.ip_local_port_range General	2	74	December 4, 2025
I have a docker container that needs to expose 10,000 ports General	11	10917	July 3, 2020
Really slow container startup with long port ranges General docker	3	3364	November 17, 2017
How to configure docker to limit the range of ports for spinning up containers Docker Hub ci_cd	3	8636	March 21, 2019

Any work being done to better support large port ranges

Related topics