Hi,

did you report that issue upstream? I found a related thread at:

  https://github.com/moby/moby/issues/26824

This thread mentions a workaround: deactivate the iptables integration
via --iptables=false and then set the right rules for nftables by hand.

I'm not really familiar with network filtering, but I think we can't
do much here, only upstream can work on that. Feel free to share your
use-case with them :)

  Arnaud

On 2/7/19 9:53 AM, brian m. carlson wrote:
> Package: docker.io
> Version: 18.09.1+dfsg1-5
> Severity: important
>
> I run Docker on my laptop to allow me to test various environments,
> such as Debian stable. I also use ufw to provide a firewall to restrict
> access to most ports.
>
> However, these two programs are incompatible. ufw uses the
> nftables-based iptables and restricts forwarding. Docker uses
> iptables-legacy, but because the nftables-based rules take precedence,
> forwarding doesn't occur, and hence networking is broken (TCP and UDP
> don't work).
>
> Since programs are going to increasingly use the regular iptables, it's
> important that Docker function with whatever option is the default.
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable-debug
>   APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
> (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
> LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages docker.io depends on:
> ii  adduser             3.118
> ii  iptables            1.8.2-3
> ii  libc6               2.28-6
> ii  libdevmapper1.02.1  2:1.02.155-2
> ii  libltdl7            2.4.6-9
> ii  libnspr4            2:4.20-1
> ii  libnss3             2:3.42-1
> ii  libseccomp2         2.3.3-3
> ii  libsystemd0         240-5
> ii  lsb-base            10.2018112800
> ii  runc                1.0.0~rc6+dfsg1-1
> ii  tini                0.18.0-1
>
> Versions of packages docker.io recommends:
> ii  ca-certificates  20190110
> ii  cgroupfs-mount   1.4
> ii  git              1:2.20.1+next.20190129-1
> pn  needrestart      <none>
> ii  xz-utils         5.2.4-1
>
> Versions of packages docker.io suggests:
> pn  aufs-tools           <none>
> pn  btrfs-progs          <none>
> ii  debootstrap          1.0.114
> pn  docker-doc           <none>
> ii  e2fsprogs            1.44.5-1
> ii  rinse                3.3
> pn  xfsprogs             <none>
> pn  zfs-fuse | zfsutils  <none>
>
> -- no debconf information
>
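
A diagnostic for the condition described in the report, rules loaded through both iptables backends at once, written as an added example (it is not from this thread or from the Docker or Debian packaging). The function names and the two sample dumps are constructed for illustration; live use assumes the iptables-legacy-save and iptables-nft-save tools shipped with iptables 1.8.

```shell
#!/bin/sh
# Added example: detect rule sets split across iptables-legacy and iptables-nft.
# Both dumps below are constructed samples in iptables-save format.

LEGACY_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT'

NFT_SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:ufw-before-forward - [0:0]
-A FORWARD -j ufw-before-forward
COMMIT'

# Count rule lines ("-A ...") in iptables-save text read from stdin.
count_rules() {
    grep -c '^-A ' || true    # grep exits 1 on zero matches; still prints 0
}

# Print the FORWARD chain policy of the filter table from stdin.
forward_policy() {
    awk '/^\*/ { t = $1 } t == "*filter" && $1 == ":FORWARD" { print $2; exit }'
}

# diagnose LEGACY_DUMP NFT_DUMP
# Prints: split | legacy-only | nft-only | empty
diagnose() {
    l=$(printf '%s\n' "$1" | count_rules)
    n=$(printf '%s\n' "$2" | count_rules)
    if [ "$l" -gt 0 ] && [ "$n" -gt 0 ]; then echo split
    elif [ "$l" -gt 0 ]; then echo legacy-only
    elif [ "$n" -gt 0 ]; then echo nft-only
    else echo empty
    fi
}

# Live use (as root), assuming both save tools are installed:
#   diagnose "$(iptables-legacy-save)" "$(iptables-nft-save)"
echo "backends: $(diagnose "$LEGACY_SAMPLE" "$NFT_SAMPLE")"
echo "nft FORWARD policy: $(printf '%s\n' "$NFT_SAMPLE" | forward_policy)"
```

A result of "split" means two independent rule sets are filtering the same traffic, so a firewall review has to read both dumps.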
