Live-restore does not restore iptables rules?

I’m trying to find the best way to restore the iptables rules that Docker creates (vis-a-vis nftables). I read that enabling live-restore would help with this, as long as we send a HUP to the docker daemon process. I can confirm that live-restore keeps our container running, but it does not appear to restore the firewall rules. Has anyone observed this?

OS Version/build: RedHat 9
App version: Docker 24.0.2 CE
Steps to reproduce:

  1. Enable live-restore in daemon.json
  2. Restart docker once to enable
  3. Reload nftables (clears the Docker rules)
  4. Run systemctl reload docker or /bin/kill -s SIGHUP <docker_pid>
  5. Observe that the running containers remained running
  6. Check the output of nft list ruleset and observe that the Docker rules have not been recreated
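A scripted version of step 6 that can be run after any nftables reload, added here as an example and not taken from the original post. The chain names are the ones dockerd 24.x creates in its ip nat and ip filter tables; both rulesets embedded below are constructed samples, not dumps from the poster's host.

```shell
#!/bin/sh
# Added example, not from the original post. After sourcing this file, run
#   nft list ruleset | check_docker_chains
# to see whether the chains dockerd created at startup survived an nftables reload.

# Print "<family> <table>/<chain>" for every chain in a `nft list ruleset` dump read on stdin.
list_chains() {
    awk '
        $1 == "table" { table = $2 " " $3 }   # e.g. "ip filter"
        $1 == "chain" { print table "/" $2 }  # e.g. "ip filter/DOCKER"
    '
}

# Chains dockerd 24.x creates (seen via iptables-nft as "table ip nat" / "table ip filter").
# Exit 0 when all are present; otherwise print each missing one and exit 1.
check_docker_chains() {
    present=$(list_chains)
    rc=0
    for c in "ip nat/DOCKER" "ip filter/DOCKER" "ip filter/DOCKER-USER" \
             "ip filter/DOCKER-ISOLATION-STAGE-1" "ip filter/DOCKER-ISOLATION-STAGE-2"; do
        if ! printf '%s\n' "$present" | grep -qxF "$c"; then
            echo "missing: $c"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a dump taken while dockerd's chains are intact (rules abbreviated).
RULESET_INTACT='table ip nat {
    chain DOCKER { iifname "docker0" counter return }
    chain POSTROUTING { oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade }
}
table ip filter {
    chain DOCKER { }
    chain DOCKER-USER { counter return }
    chain DOCKER-ISOLATION-STAGE-1 { }
    chain DOCKER-ISOLATION-STAGE-2 { }
}'

# Constructed sample: after the nftables service reload replaced the ruleset, only the host's
# own table is left; the containers keep running, but their NAT and isolation rules are gone.
RULESET_AFTER_RELOAD='table inet filter {
    chain input { type filter hook input priority filter; policy drop; ct state established,related accept }
}'

# Stand-alone demo on the two samples.
printf '%s\n' "$RULESET_INTACT" | check_docker_chains && echo "intact: all docker chains present"
printf '%s\n' "$RULESET_AFTER_RELOAD" | check_docker_chains || echo "after reload: docker chains missing"
```

A non-zero exit from `check_docker_chains` is a usable signal for a post-reload hook or a monitoring check, since the SIGHUP path in step 4 will not put the chains back.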

Calling this feature “live restore” is a little confusing. The documentation says:

Live restore allows you to keep containers running across Docker daemon updates

It also mentions

If you skip releases during an upgrade, the daemon may not restore its connection to the containers.

So it restores the connection to containers but as far as I know it won’t restore what you destroy.