Docker Community Forums

--iptables=false ignored by dockerd

Hello,

I want to use docker (Docker version 19.03.5, build 633a0ea838) with Debian 10 where iptables was replaced by nftables. Therefore I tried to disable iptables configuration by dockerd.

When starting dockerd with option --iptables=false or { "iptables": false } in daemon.json there are still rules created via iptables.

Running for example dockerd --debug --iptables=false gives me:

...
WARN[2020-01-28T16:26:39.438708412+01:00] Running iptables --wait -t nat -L -n failed with message: `iptables v1.8.2 (nf_tables): table `nat' is incompatible, use 'nft' tool.`, error: exit status 1
DEBU[2020-01-28T16:26:39.447944938+01:00] /usr/sbin/iptables, [--wait -t filter -n -L DOCKER-USER]
DEBU[2020-01-28T16:26:39.449681166+01:00] /usr/sbin/iptables, [--wait -t filter -N DOCKER-USER]
...

That ends up having following rules added to my active nftables ruleset:

...
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
    }
    chain INPUT {
        type nat hook input priority 100; policy accept;
    }
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
    }
    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }
}

table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
        counter packets 0 bytes 0 jump DOCKER-USER
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
    chain DOCKER-USER {
        counter packets 0 bytes 0 return
    }
}

When restarting nftables, the mentioned rules which were added by docker are gone and the containers work as expected (I have nftables rules in place that take care of the container connectivity).

I am sure the option is read by the daemon, because when it is specified both in daemon.json and on the command line I get the following error:

unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives are specified both as a flag and in the configuration file: iptables: (from flag: false, from file: false)

Does someone have an idea what is going wrong? How can I prevent the creation of the additional rules?

Thank you!

Thomas
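A quick way to verify whether dockerd has still created its chains in the live nftables ruleset, as an added check that is not part of the original post (the function name, the sample ruleset and the use of `nft list ruleset` as input are my own assumptions; the sample mirrors the ruleset quoted above):

```shell
#!/bin/sh
# Added example: scan an nftables ruleset (as printed by `nft list ruleset`)
# for chains created by dockerd (DOCKER, DOCKER-USER, DOCKER-ISOLATION-*, ...).
# Prints "family table/chain" for each hit; returns 1 if any were found, 0 if none.
docker_chains_in_ruleset() {
  awk '
    /^table /                   { tbl = $2 " " $3 }          # e.g. "ip filter"
    /^[[:space:]]*chain DOCKER/ { print tbl "/" $2; found = 1 }
    END                         { exit found ? 1 : 0 }
  '
}

# Live check against the running kernel ruleset (needs root and nft).
check_live_ruleset() {
  nft list ruleset | docker_chains_in_ruleset
}

# Constructed sample, modelled on the ruleset quoted in the post above.
SAMPLE_RULESET='table ip filter {
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
        counter packets 0 bytes 0 jump DOCKER-USER
    }
    chain DOCKER-USER {
        counter packets 0 bytes 0 return
    }
}'

if printf '%s\n' "$SAMPLE_RULESET" | docker_chains_in_ruleset; then
  echo "no Docker-managed chains present"
else
  echo "Docker-managed chains present despite --iptables=false"
fi
```

Run `check_live_ruleset` after (re)starting dockerd; a non-zero exit means the daemon touched the ruleset and the workaround (or a fixed daemon) is not in effect.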

In Debian Buster the command iptables is a symbolic link to /etc/alternatives/iptables.

As a workaround I pointed that link to an empty script.

Thomas