Docker Community Forums

Bug or feature? Setting "bridge": "none" makes target DOCKER-USER disappear in DOCKER iptables chain

Hi,

setting "bridge": "none" in daemon.json makes the target DOCKER-USER disappear in DOCKER iptables chain.

In a default installation (w/o the "bridge": "none" setting) iptables looks like this:

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
2    DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4    DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
(...)

Custom rules will be attended to (due to rule number 1).

Setting "bridge": "none" in daemon.json (and restarting docker or rebooting the host) leads to:

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3    DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
(...)

So, DOCKER-USER target is missing.

Using the documented way in iptables with docker won’t work any longer. Manually issuing -I FORWARD 1 -j DOCKER-USER heals this.

Is that a bug or a feature?

Best regards
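
A check for the condition described in the post, as an added example that is not part of the original post or of Docker's tooling. It parses a FORWARD chain listing in the format shown above and reports whether the DOCKER-USER jump is present and placed before Docker's own rules; the function name `check_forward_chain` and its return codes are assumptions of this example.

```shell
# Added example. Reads `iptables -L FORWARD -n --line-numbers` output on stdin.
# Returns 0 if the DOCKER-USER jump precedes every DOCKER*/ACCEPT rule,
# 1 if the jump is missing, 2 if it exists but comes too late to filter.
check_forward_chain() {
  awk '
    $1 ~ /^[0-9]+$/ {
      if ($2 == "DOCKER-USER") { if (!user) user = $1 + 0 }
      else if (!other && ($2 == "ACCEPT" || $2 ~ /^DOCKER/)) other = $1 + 0
    }
    END {
      if (!user) { print "MISSING: no DOCKER-USER jump in FORWARD"; exit 1 }
      if (other && other < user) {
        printf "LATE: DOCKER-USER is rule %d, after rule %d\n", user, other
        exit 2
      }
      printf "OK: DOCKER-USER is rule %d\n", user
    }'
}

# The two listings from the post, embedded so the check runs offline.
DEFAULT_LISTING='Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
2    DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4    DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

BRIDGE_NONE_LISTING='Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3    DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

printf '%s\n' "$DEFAULT_LISTING" | check_forward_chain
printf '%s\n' "$BRIDGE_NONE_LISTING" | check_forward_chain || true

# On a live host (root required):
#   iptables -L FORWARD -n --line-numbers | check_forward_chain
```

Run after every daemon restart or `daemon.json` change, a non-zero return flags a host where rules placed in DOCKER-USER are no longer evaluated ahead of Docker's ACCEPT rules.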