kevnetit
(Kevnetit)
November 14, 2025, 9:22am
1
Hi!
After updating to Docker 29, my policy routing between my containers breaks.
I’ve two containers:
Container “A” in subnet: 10.250.250.0/30
Container “B” in subnet: 10.250.200.8/29
Every docker network is a user-defined bridge.
I’ve the following ip rule settings:
```
110: from 10.250.250.0/24 to 172.25.55.0/24 lookup main proto static
111: from 10.250.250.0/24 to 10.250.250.0/24 lookup main proto static
150: from 10.250.250.0/24 lookup 11 proto static
```
In the table 11 I’ve only one default route:
```
$ ip r show table 11
default dev wg1 scope link
```
All traffic from B goes through this interface, except when I’d like to manage it from 172.25.55.0/24 and if another container (like A) wants to reach it.
All traffic arriving from other containers appears in container A as if it were arriving from its own default gateway. This is why the ip rule 111 points to itself.
If I downgrade back to Docker 28 everything works fine!
Does anyone know of any changes that could have caused this?
rimelek
(Ákos Takács)
November 15, 2025, 11:50pm
2
There are a couple of networking-related changes in v29
https://docs.docker.com/engine/release-notes/29/#networking
but not sure which one is related to your issue
kevnetit
(Kevnetit)
November 16, 2025, 7:35am
3
I read the changelog and none of those changes should have changed this. So I think this is a bug / error and not a correct new feature.
meyay
(Metin Y.)
November 16, 2025, 10:41am
4
Please share the output of docker info, so we can see what Docker distribution you are using. Not every Docker installation uses vanilla Docker (as in docker-ce) or Docker Desktop.
kevnetit
(Kevnetit)
November 16, 2025, 10:49am
5
I installed it based on the official Docker description, not from the Fedora repository.
```
$ docker info
Client: Docker Engine - Community
Version: 29.0.0
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.29.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.40.3
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 9
Running: 9
Paused: 0
Stopped: 0
Images: 8
Server Version: 29.0.0
Storage Driver: overlayfs
driver-type: io.containerd.snapshotter.v1
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: fcd43222d6b07379a4be9786bda52438f0dd16a1
runc version: v1.3.3-0-gd842d771
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.17.7-300.fc43.x86_64
Operating System: Fedora Linux 43 (Server Edition)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 62.48GiB
Name: p.kinit.hu
ID: 1e8e810e-ad91-4f89-8084-5e07fe058be9
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false
Firewall Backend: iptables+firewalld
ReloadedAt: 2025-11-13T17:43:17+01:00
```
meyay
(Metin Y.)
November 16, 2025, 11:05am
6
Your best bet is to raise an issue in the Moby repository:
Moby is the upstream project; vanilla Docker is built based on it.
rimelek
(Ákos Takács)
November 16, 2025, 11:29am
7
Before reporting the issue, I recommend upgrading to 29.0.1
kevnetit
(Kevnetit)
November 16, 2025, 1:00pm
8
It’s not working even with the latest version, so I opened the issue:
opened 12:58PM - 16 Nov 25 UTC
status/0-triage
kind/bug
### Description
After updating to Docker 29, my policy routing between my containers breaks. Containers do not reach each other.
I’ve two containers:
Container `A` in subnet: `10.250.250.0/30`
Container `B` in subnet: `10.250.200.8/29`
Every docker network is a user-defined bridge.
I’ve the following ip rule settings:
```
$ ip ru s
110: from 10.250.250.0/24 to 172.25.55.0/24 lookup main proto static
111: from 10.250.250.0/24 to 10.250.250.0/24 lookup main proto static
150: from 10.250.250.0/24 lookup 11 proto static
```
In the table 11 I’ve only one default route:
```
$ ip r show table 11
default dev wg1 scope link
```
All traffic from `B` goes through this interface, except when I’d like to manage it from `172.25.55.0/24` and if another container (like `A`) wants to reach it.
All traffic arriving from other containers appears in container `A` as if it were arriving from its own default gateway. This is why the `ip rule 111` points to itself.
If I downgrade back to Docker 28 everything works fine!
### Reproduce
My production system runs on Fedora 43, but the issue can be reproduced on Debian as well:
1. Set up Docker's `apt` repository based on the [official description](https://docs.docker.com/engine/install/debian/#install-using-the-repository)
2. Install the latest version of Docker
```
sudo apt update && \
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```
3. Create `docker-compose.yaml`
```
cat << EOF > docker-compose.yaml
---
services:
  containerA:
    image: nginx
    container_name: containerA
    ports:
      - "80:80/tcp"
    networks:
      - a-net
  containerB:
    image: nginx
    container_name: containerB
    ports:
      - "81:80/tcp"
    networks:
      - b-net
networks:
  a-net:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: "10.250.250.0/30"
          gateway: "10.250.250.1"
  b-net:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: "10.250.200.8/29"
          gateway: "10.250.200.9"
EOF
```
4. Create routing entries (change `172.25.55.0/24` to your host network or skip that line, because that's not necessary for reproduction)
```
sudo ip route add default via 127.0.0.1 dev lo table 11 && \
sudo ip rule add from 10.250.250.0/24 to 172.25.55.0/24 lookup 254 priority 110 && \
sudo ip rule add from 10.250.250.0/24 to 10.250.250.0/24 lookup 254 priority 111 && \
sudo ip rule add from 10.250.250.0/24 lookup 11 priority 150
```
5. Start the containers: `sudo docker compose up -d`
6. Test the connection (**failed**): `sudo docker exec -it containerB curl 192.168.122.50:80`
7. Cleanup: `sudo docker compose down`
8. Rollback to previous Docker version (`28.5.2`)
```
sudo apt remove -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin && \
VERSION_STRING=5:28.5.2-1~debian.13~trixie && \
sudo apt install docker-ce=$VERSION_STRING docker-ce-cli=$VERSION_STRING containerd.io docker-buildx-plugin docker-compose-plugin
```
9. Start the containers: `sudo docker compose up -d`
10. Test the connection (**success**): `sudo docker exec -it containerB curl 192.168.122.50:80`
11. Cleanup: `sudo docker compose down`
### Expected behavior
The connection test works with the latest version of Docker in point 6.
### docker version
```bash
Client: Docker Engine - Community
Version: 29.0.1
API version: 1.52
Go version: go1.25.4
Git commit: eedd969
Built: Fri Nov 14 16:20:43 2025
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 29.0.1
API version: 1.52 (minimum version 1.44)
Go version: go1.25.4
Git commit: 198b5e3
Built: Fri Nov 14 16:17:32 2025
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v2.1.5
GitCommit: fcd43222d6b07379a4be9786bda52438f0dd16a1
runc:
Version: 1.3.3
GitCommit: v1.3.3-0-gd842d771
docker-init:
Version: 0.19.0
GitCommit: de40ad0
```
### docker info
```bash
Client: Docker Engine - Community
Version: 29.0.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.30.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.40.3
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 9
Running: 9
Paused: 0
Stopped: 0
Images: 8
Server Version: 29.0.1
Storage Driver: overlayfs
driver-type: io.containerd.snapshotter.v1
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: fcd43222d6b07379a4be9786bda52438f0dd16a1
runc version: v1.3.3-0-gd842d771
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.17.7-300.fc43.x86_64
Operating System: Fedora Linux 43 (Server Edition)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 62.48GiB
Name: p.kinit.hu
ID: 1e8e810e-ad91-4f89-8084-5e07fe058be9
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false
Firewall Backend: iptables+firewalld
```
### Additional Info
Output of `docker version` on Debian after the failed test in the Reproduce section:
```
$ sudo docker version
Client: Docker Engine - Community
Version: 29.0.1
API version: 1.52
Go version: go1.25.4
Git commit: eedd969
Built: Fri Nov 14 16:18:05 2025
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 29.0.1
API version: 1.52 (minimum version 1.44)
Go version: go1.25.4
Git commit: 198b5e3
Built: Fri Nov 14 16:18:05 2025
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v2.1.5
GitCommit: fcd43222d6b07379a4be9786bda52438f0dd16a1
runc:
Version: 1.3.3
GitCommit: v1.3.3-0-gd842d771
docker-init:
Version: 0.19.0
GitCommit: de40ad0
```
Output of `docker info` on Debian after the failed test in the Reproduce section:
```
$ sudo docker info
Client: Docker Engine - Community
Version: 29.0.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.30.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.40.3
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 2
Running: 2
Paused: 0
Stopped: 0
Images: 1
Server Version: 29.0.1
Storage Driver: overlayfs
driver-type: io.containerd.snapshotter.v1
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: fcd43222d6b07379a4be9786bda52438f0dd16a1
runc version: v1.3.3-0-gd842d771
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.12.57+deb13-amd64
Operating System: Debian GNU/Linux 13 (trixie)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.829GiB
Name: debianinit
ID: 3dbdd091-cae6-4e06-a435-80fac099e0eb
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
::1/128
Live Restore Enabled: false
Firewall Backend: iptables
```
Output of `docker version` on Debian after the succeeded test in the Reproduce section:
```
$ sudo docker version
Client: Docker Engine - Community
Version: 28.5.2
API version: 1.51
Go version: go1.25.3
Git commit: ecc6942
Built: Wed Nov 5 14:43:33 2025
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 28.5.2
API version: 1.51 (minimum version 1.24)
Go version: go1.25.3
Git commit: 89c5e8f
Built: Wed Nov 5 14:43:33 2025
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v2.1.5
GitCommit: fcd43222d6b07379a4be9786bda52438f0dd16a1
runc:
Version: 1.3.3
GitCommit: v1.3.3-0-gd842d771
docker-init:
Version: 0.19.0
GitCommit: de40ad0
```
Output of `docker info` on Debian after the succeeded test in the Reproduce section:
```
$ sudo docker info
Client: Docker Engine - Community
Version: 28.5.2
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.30.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.40.3
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 2
Running: 2
Paused: 0
Stopped: 0
Images: 1
Server Version: 28.5.2
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: fcd43222d6b07379a4be9786bda52438f0dd16a1
runc version: v1.3.3-0-gd842d771
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.12.57+deb13-amd64
Operating System: Debian GNU/Linux 13 (trixie)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.829GiB
Name: debianinit
ID: 3dbdd091-cae6-4e06-a435-80fac099e0eb
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false
```
Thank you for your help anyways!
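The rule selection described in the issue above, as an added example that is not part of the original posts or of Docker: it parses the posted `ip rule` lines and reports which rule and table the kernel picks for a given source and destination. The container addresses `10.250.250.2` and `10.250.200.10`, the host `172.25.55.10` and the default `32766` rule line are assumptions added for illustration.

```python
import ipaddress
import re

# Constructed input: the three rules from the post plus the kernel's
# default "main" rule (assumed present, as on a stock Linux host).
IP_RULES = """\
110: from 10.250.250.0/24 to 172.25.55.0/24 lookup main proto static
111: from 10.250.250.0/24 to 10.250.250.0/24 lookup main proto static
150: from 10.250.250.0/24 lookup 11 proto static
32766: from all lookup main
"""

RULE_RE = re.compile(r"^(\d+):\s+from (\S+)(?: to (\S+))? lookup (\S+)")


def _net(selector):
    # A missing selector or "all" matches every address.
    if selector in (None, "all"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(selector)


def parse_rules(text):
    """Parse `ip rule` output into (priority, src_net, dst_net, table)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            prio, src, dst, table = m.groups()
            rules.append((int(prio), _net(src), _net(dst), table))
    return sorted(rules, key=lambda r: r[0])


def select_table(rules, src, dst):
    """Return (priority, table) of the first rule whose selectors match.

    Models selector matching only. That is enough here because table 11
    holds a default route, so a lookup in it never falls through.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, src_net, dst_net, table in rules:
        if s in src_net and d in dst_net:
            return prio, table
    return None


RULES = parse_rules(IP_RULES)
# Reply from A to a peer seen as its gateway: rule 111 keeps it in main.
print(select_table(RULES, "10.250.250.2", "10.250.250.1"))
# Reply from A to a peer seen with an address in b-net: rule 150, table 11.
print(select_table(RULES, "10.250.250.2", "10.250.200.10"))
```

Rule 111 only keeps container-to-container replies in `main` while the peer's traffic arrives with a source inside `10.250.250.0/24`; a source address from `10.250.200.8/29` is outside the posted rules' `from` selector, so only the default rule applies to it.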