With iptables=false dockerd still creates DOCKER-USER chain and rules #35777

robnagler · 2017-12-12T18:04:55Z

Description

When iptables=false, dockerd still creates iptables chain and rules:

-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN

Steps to reproduce the issue:

Fresh install of docker, set iptables=false in daemon.json or systemd unit file
systemctl start docker

Describe the results you received:

iptables -S produces after starting dockerd:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN

Describe the results you expected:

iptables -S should produce:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Additional information you deem important (e.g. issue happens only occasionally):

Repeatable.

Output of docker version:

Client:
 Version:      17.09.1-ce
 API version:  1.32
 Go version:   go1.8.3
 Git commit:   19e2cf6
 Built:        Thu Dec  7 22:23:40 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.09.1-ce
 API version:  1.32 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   19e2cf6
 Built:        Thu Dec  7 22:25:03 2017
 OS/Arch:      linux/amd64
 Experimental: false

Output of docker info:

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 17.09.1-ce
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: journald
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
runc version: 3f2f8b84a77f73d38244dd690525642a72156c64
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-693.11.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 40
Total Memory: 62.71GiB
Name: fnl4b.bivio.biz
ID: PWPC:6VWA:6HIQ:K5MV:G2CK:TIHG:PSLM:HB73:DXXM:DQCI:2A4R:IFLC
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: true

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Additional environment details (AWS, VirtualBox, physical, etc.):

physical CentOS 7 box:

Linux fnl4b.bivio.biz 3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

The text was updated successfully, but these errors were encountered:

rvRamakrishnan · 2018-01-11T09:12:52Z

I am observing the same issue in Docker Versions 17.06.2, 17.12.0 as well. Is there any recent updates on this issue? Thanks

TheRealAstroboy · 2018-01-11T10:46:41Z

I am observing the same issue in Docker Versions 17.06.2, 17.12.0 as well. Is there any recent updates on this issue?

Debian Stretch (9) running UFW :

sudo docker version result :

Client:
 Version:       17.12.0-ce
 API version:   1.35
 Go version:    go1.9.2
 Git commit:    c97c6d6
 Built: Wed Dec 27 20:11:19 2017
 OS/Arch:       linux/amd64

Server:
 Engine:
  Version:      17.12.0-ce
  API version:  1.35 (minimum version 1.12)
  Go version:   go1.9.2
  Git commit:   c97c6d6
  Built:        Wed Dec 27 20:09:54 2017
  OS/Arch:      linux/amd64
  Experimental: false

sudo docker info result :

Containers: 3
 Running: 2
 Paused: 0
 Stopped: 1
Images: 12
Server Version: 17.12.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.0-4-amd64
Operating System: Debian GNU/Linux 9 (stretch)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 3.77GiB
Name: XXXXXXXXXXXXXXXXXX
ID: XWJT:GRWP:K36B:KXZM:F7N3:PYE3:WWP4:JCTQ:BK5O:LJON:VNPR:M4OP
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 35
 Goroutines: 45
 System Time: 2018-01-11T11:54:30.15158472+01:00
 EventsListeners: 0
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

/etc/docker/daemon.json :
{ "iptables": false, "dns": ["80.67.169.12", "80.67.169.40"], "debug":true }

sudo iptables -L -n -t nat result :

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.19.0.0/16        0.0.0.0/0
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE  all  --  172.18.0.0/16        0.0.0.0/0
MASQUERADE  tcp  --  172.18.0.2           172.18.0.2           tcp dpt:5601
MASQUERADE  all  --  10.8.0.0/24          0.0.0.0/0
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5601 to:172.18.0.2:5601

@GordonTheTurtle Same here with 7.12.0-ce :°-(

tianon · 2018-08-14T03:50:05Z

Just for completeness, this is also filed over at docker/for-linux#136 (not sure if one or the other should be closed?)

elboulangero · 2019-04-25T03:09:23Z

This was also reported in the debian bug reports, and is now a blocker for the buster release: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903635

full diffs: - moby/libnetwork@fc5a7d9...62a13ae - vishvananda/netlink@b2de5d1...v1.0.0 - vishvananda/netns@604eaf1...13995c7 notable changes in libnetwork: - moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0 - moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway - moby/libnetwork#2394 Make DNS records and queries case-insensitive - addresses moby#28689 Embedded DNS is case-sensitive - addresses moby#21169 hostnames with new networking are case-sensitive Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

full diffs: - moby/libnetwork@fc5a7d9...62a13ae - vishvananda/netlink@b2de5d1...v1.0.0 - vishvananda/netns@604eaf1...13995c7 notable changes in libnetwork: - moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0 - moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway - moby/libnetwork#2394 Make DNS records and queries case-insensitive - addresses moby/moby#28689 Embedded DNS is case-sensitive - addresses moby/moby#21169 hostnames with new networking are case-sensitive Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Upstream-commit: 344b093258fcb2195fa393081e5224a6c766c798 Component: engine

full diffs: - moby/libnetwork@fc5a7d9...62a13ae - vishvananda/netlink@b2de5d1...v1.0.0 - vishvananda/netns@604eaf1...13995c7 notable changes in libnetwork: - moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0 - moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway - moby/libnetwork#2394 Make DNS records and queries case-insensitive - addresses moby#28689 Embedded DNS is case-sensitive - addresses moby#21169 hostnames with new networking are case-sensitive Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 344b093) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

full diffs: - moby/libnetwork@fc5a7d9...62a13ae - vishvananda/netlink@b2de5d1...v1.0.0 - vishvananda/netns@604eaf1...13995c7 notable changes in libnetwork: - moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0 - moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway - moby/libnetwork#2394 Make DNS records and queries case-insensitive - addresses moby/moby#28689 Embedded DNS is case-sensitive - addresses moby/moby#21169 hostnames with new networking are case-sensitive Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 344b093258fcb2195fa393081e5224a6c766c798) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Upstream-commit: f3e1aff81df959e9178433b77e7f3364c22aee59 Component: engine

full diffs: - moby/libnetwork@fc5a7d9...62a13ae - vishvananda/netlink@b2de5d1...v1.0.0 - vishvananda/netns@604eaf1...13995c7 notable changes in libnetwork: - moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0 - moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway - moby/libnetwork#2394 Make DNS records and queries case-insensitive - addresses moby#28689 Embedded DNS is case-sensitive - addresses moby#21169 hostnames with new networking are case-sensitive Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: zach <Zachary.Joyner@linux.com>

full diff: moby/libnetwork@0025177...90afbb0 includes: - docker/libnetwork#/2459 Fix Error Check in NewNetwork - docker/libnetwork#/2466 Revert "Merge pull request moby#2339 from phyber/iptables-check" - reverts docker/libnetwork#/2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - re-opens moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - re-opens moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - re-opens docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

full diff: moby/libnetwork@0025177...90afbb0 includes: - docker/libnetwork#/2459 Fix Error Check in NewNetwork - docker/libnetwork#/2466 Revert "Merge pull request #2339 from phyber/iptables-check" - reverts docker/libnetwork#/2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - re-opens moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - re-opens moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - re-opens docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Upstream-commit: 9cf349d0f80d2399cdfad0321e0f181c2e7efa17 Component: engine

GordonTheTurtle added the version/17.09 label Dec 12, 2017

thaJeztah added the area/networking label Dec 13, 2017

tianon mentioned this issue Aug 14, 2018

dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway docker/for-linux#136

Open

1 task

tianon mentioned this issue Aug 14, 2018

[feature request] nftables support #26824

Open

phyber mentioned this issue Feb 20, 2019

controller: Check if IPTables is enabled for arrangeUserFilterRule moby/libnetwork#2339

Merged

tipruzs mentioned this issue Apr 25, 2019

Weave: NetPol issue with namespaceSelector across different hosts kontena/pharos-cluster#1302

Closed

thaJeztah mentioned this issue Jun 25, 2019

bump libnetwork. vishvananda/netlink 1.0, vishvananda/netns #39054

Merged

tiborvass closed this as completed in #39054 Jun 27, 2019

thaJeztah mentioned this issue Aug 22, 2019

[19.03 backport] bump libnetwork to 92d1fbe1eb0883cf11d283cea8e658275146411d docker-archive/engine#330

Merged

thaJeztah mentioned this issue Nov 7, 2019

Revert "Merge pull request #2339 from phyber/iptables-check" moby/libnetwork#2466

Merged

thaJeztah mentioned this issue Nov 7, 2019

bump libnetwork 90afbb01e1d8acacb505a092744ea42b9f167377 #40192

Merged

bgamari mentioned this issue May 11, 2020

nftables service cannot be restarted due to checkscript NixOS/nixpkgs#24318

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

With iptables=false dockerd still creates DOCKER-USER chain and rules #35777

With iptables=false dockerd still creates DOCKER-USER chain and rules #35777

robnagler commented Dec 12, 2017

rvRamakrishnan commented Jan 11, 2018

TheRealAstroboy commented Jan 11, 2018 •

edited

Loading

tianon commented Aug 14, 2018

elboulangero commented Apr 25, 2019

With iptables=false dockerd still creates DOCKER-USER chain and rules #35777

With iptables=false dockerd still creates DOCKER-USER chain and rules #35777

Comments

robnagler commented Dec 12, 2017

rvRamakrishnan commented Jan 11, 2018

TheRealAstroboy commented Jan 11, 2018 • edited Loading

tianon commented Aug 14, 2018

elboulangero commented Apr 25, 2019

TheRealAstroboy commented Jan 11, 2018 •

edited

Loading