DOCKER-USER chain for ip6tables

Our system has some iptables firewall rules on DOCKER-USER chain. Now I want to see if we can add similar rules with ip6tables. But I do not see both DOCKER and DOCKER-USER chains for ip6tables. Is there a way to achieve this with ip6tables?

The docker version is 19.03.8-ce.

Thanks.

Maybe I did not make my question clearer. Below are the command outputs:

vm12:~# ip6tables -S | grep DOCKER-USER

vm12:~# iptables -S | grep DOCKER-USER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN

Can some docker expert answer my question?

Thanks.

I have read your question 3 days ago and it was clear to me, but don’t use IPv6 for containers so I was waiting for someone who uses IPv6. Now I checked the documentation and also searched for “ipv6 iptables docker” and I found that ipv6 iptables rules are not enabled by default and that is still an experimental feature.

--iptables          Enable addition of iptables rules (default true)
--ip6tables         Enable addition of ip6tables rules (default false)

When you enable ip6tables you also need

--experimental      Enable experimental features

Or in the daemon json

{
    "experimental": true,
    "ipv6": true,
    "ip6tables": true,
    "fixed-cidr-v6": "fd9e:63ac:6dcd::/48"
}

My first source where I found this json before checking the docs:

I saw this article before I posted my question:

Does this mean we need to upgrade our docker engine to 20.10, right?

Then it looks like it does.

Thanks. Will try to upgrade and see.

I am on docker 20.10 and the different docker chain appear in ip6tables but I doesn’t have the DOCKER-USER

docker version :

Client: Docker Engine - Community
 Version:           20.10.23
 API version:       1.41
 Go version:        go1.18.10
 Git commit:        7155243
 Built:             Thu Jan 19 17:34:13 2023
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.23
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.10
  Git commit:       6051f14
  Built:            Thu Jan 19 17:32:04 2023
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.6.15
  GitCommit:        5b842e528e99d4d4c1686467debf2bd4b88ecd86
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

ip6tables -L -v -n

Chain INPUT (policy ACCEPT 3475 packets, 598K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:443
15534 2622K ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:443
   18  1755 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:80
16000 1582K ACCEPT     icmpv6    *      *       ::/0                 ::/0                
   15  2116 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22
97069   75M ACCEPT     all      *      *       ::/0                 ::/0                 ctstate ESTABLISHED
  227 22160 DROP       all      eth0   *       ::/0                 ::/0                

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   62 10256 DOCKER-ISOLATION-STAGE-1  all      *      *       ::/0                 ::/0                
    3   312 ACCEPT     all      *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all      *      docker0  ::/0                 ::/0                
   59  9944 ACCEPT     all      docker0 !docker0  ::/0                 ::/0                
    0     0 ACCEPT     all      docker0 docker0  ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 144K packets, 95M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   59  9944 DOCKER-ISOLATION-STAGE-2  all      docker0 !docker0  ::/0                 ::/0                
   62 10256 RETURN     all      *      *       ::/0                 ::/0                

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      *      docker0  ::/0                 ::/0                
   59  9944 RETURN     all      *      *       ::/0                 ::/0 

Do you have the following in daemon.json?

{
“experimental”: true,
“ipv6”: true,
“ip6tables”: true,
“fixed-cidr-v6”: “fd9e:63ac:6dcd::/48”
}

Here is the default chain for iptables:

host:~# iptables -S | grep DOCKER-USER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN

What is the output of ip6tables -S?

cat /etc/docker/daemon.json

{
    "ipv6": true,
    "experimental": true,
    "ip6tables": true,
    "fixed-cidr-v6": "fd00:dead:beef::/48",
    "runtimes": {
        "sysbox-runc": {
            "path": "/usr/bin/sysbox-runc"
        }
    },
    "bip": "172.20.0.1/16",
    "default-address-pools": [
        {
            "base": "172.25.0.0/16",
            "size": 24
        }
    ]
}

iptables -S | grep DOCKER-USER

-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth0 -j DROP
-A DOCKER-USER -j RETURN

ip6tables -S | grep DOCKER-USER
no ouput

Thanks for sharing this info. Per Docker and iptables | Docker Documentation, user should use DOCKER-USER chain for iptables. But it has not mentioned the same for ip6tables. Can some docker expert please provide an answer to this?

I checked the sourcecode of Docker and I found that “DOCKER-USER” is mentioned in the “libnetwork” library which doesn’t support this chain for IPv6. You can find the TODO line which was added two and a half years ago and it was the last commit on that file

@rimelek, Thank you so much to confirm this. Any idea when this will be supported?

No idea :slight_smile: But there is a request on GitHub. You could add your comments to the issue and hopefully someone eventually replies

Thanks for the info.