Control: tags -1 confirmed

On 2024-11-09, at 18:39:33 +0000, Dan Christovic wrote:
> Package: iptables
> Version: 1.8.11-1
> Severity: important
>
> Dear Maintainer,
>
> I have since downgraded to the trixie packages & dependencies to get myself
> back up and running.
>
>
> * What led up to the situation?
> Upgraded my system and any Docker containers that were on a bridge network
> (created with docker network create) no longer had network access beyond
> localhost.
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
> Downgraded to 1.8.10-4 from trixie.
> * What was the outcome of this action?
> FORWARD rules for my created docker network were inserted after I downgraded
> and restarted the docker systemd service.
> * What outcome did you expect instead?
> The checks to fail.
>
> Essentially, when docker starts up, it seems to use the -C command of
> iptables to check whether a rule has been inserted correctly. When I run what
> docker runs manually (iptables -v --wait -t filter -C FORWARD -i
> br-e52603214070 -o br-e52603214070 -j ACCEPT) with the verbose flag, it
> returns this rule: -A FORWARD -i docker0 -o docker0 -j ACCEPT
>
>
> -- System Information:
> Debian Release: trixie/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 6.11.6-amd64 (SMP w/12 CPU threads; PREEMPT)
> Kernel taint flags: TAINT_USER
> Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages iptables depends on:
> ii  libc6                    2.40-3
> ii  libip4tc2                1.8.10-4+b1
> ii  libip6tc2                1.8.10-4+b1
> ii  libmnl0                  1.0.5-3
> ii  libnetfilter-conntrack3  1.1.0-1
> ii  libnfnetlink0            1.0.2-3
> ii  libnftnl11               1.2.8-1
> ii  libxtables12             1.8.10-4+b1
> ii  netbase                  6.4
>
> Versions of packages iptables recommends:
> ii  nftables  1.1.1-1
>
> Versions of packages iptables suggests:
> pn  firewalld  <none>
> ii  kmod       33+20240816-2
>
> -- no debconf information
I have reproduced this. Here's docker debug logging when creating a new network with iptables/testing:

2024-11-17T16:05:04.522005+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.521606672Z" level=debug msg="Calling HEAD /_ping" spanID=24bf5d063aac4d20 traceID=e4b08dd1f0ff245dac84f881f8847053
2024-11-17T16:05:04.522154+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.522106339Z" level=debug msg="Calling POST /v1.45/networks/create" spanID=b237376ab996961e traceID=09b350a4bcadee51404c1ea3cc4e5488
2024-11-17T16:05:04.522241+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.522197951Z" level=debug msg="form data: {\"Attachable\":false,\"ConfigFrom\":null,\"ConfigOnly\":false,\"Driver\":\"bridge\",\"EnableIPv6\":false,\"IPAM\":{\"Config\":[],\"Driver\":\"default\",\"Options\":{}},\"Ingress\":false,\"Internal\":false,\"Labels\":{},\"Name\":\"test\",\"Options\":{},\"Scope\":\"\"}" spanID=b237376ab996961e traceID=09b350a4bcadee51404c1ea3cc4e5488
2024-11-17T16:05:04.522641+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.522339386Z" level=debug msg="Allocating IPv4 pools for network test (579be4777b6dd52619b4af842b683d625b56a18e75cc25ff6b6e851e51f30b26)"
2024-11-17T16:05:04.522711+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.522352020Z" level=debug msg="RequestPool(LocalDefault, , , _, false)"
2024-11-17T16:05:04.522808+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.522586810Z" level=debug msg="RequestAddress(LocalDefault/172.19.0.0/16, <nil>, map[RequestAddressType:com.docker.network.gateway])"
2024-11-17T16:05:04.522848+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.522619792Z" level=debug msg="Request address PoolID:172.19.0.0/16 Bits: 65536, Unselected: 65534, Sequence: (0x80000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0 Serial:false PrefAddress:invalid IP "
2024-11-17T16:05:04.522881+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.522671128Z" level=debug msg="Did not find any interface with name br-579be4777b6d: Link not found"
2024-11-17T16:05:04.522917+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.522690474Z" level=debug msg="Setting bridge mac address to 02:42:63:aa:59:ce"
2024-11-17T16:05:04.523329+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.523296621Z" level=debug msg="Assigning address to bridge interface br-579be4777b6d: 172.19.0.1/16"
2024-11-17T16:05:04.523408+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.523379867Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C POSTROUTING -s 172.19.0.0/16 ! -o br-579be4777b6d -j MASQUERADE]"
2024-11-17T16:05:04.524696+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.524670567Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -I POSTROUTING -s 172.19.0.0/16 ! -o br-579be4777b6d -j MASQUERADE]"
2024-11-17T16:05:04.525639+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.525619275Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C DOCKER -i br-579be4777b6d -j RETURN]"
2024-11-17T16:05:04.526632+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.526602068Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -I DOCKER -i br-579be4777b6d -j RETURN]"
2024-11-17T16:05:04.527741+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.527716327Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C POSTROUTING -m addrtype --src-type LOCAL -o br-579be4777b6d -j MASQUERADE]"
2024-11-17T16:05:04.529505+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.529481326Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -i br-579be4777b6d -o br-579be4777b6d -j DROP]"
2024-11-17T16:05:04.530586+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.530563816Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -i br-579be4777b6d -o br-579be4777b6d -j ACCEPT]"
2024-11-17T16:05:04.531673+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.531647107Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -I FORWARD -i br-579be4777b6d -o br-579be4777b6d -j ACCEPT]"
2024-11-17T16:05:04.532615+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.532595265Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -i br-579be4777b6d ! -o br-579be4777b6d -j ACCEPT]"
2024-11-17T16:05:04.533648+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.533628041Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -I FORWARD -i br-579be4777b6d ! -o br-579be4777b6d -j ACCEPT]"
2024-11-17T16:05:04.534591+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.534572131Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
2024-11-17T16:05:04.535603+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.535585401Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
2024-11-17T16:05:04.536591+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.536571680Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
2024-11-17T16:05:04.537644+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.537604637Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
2024-11-17T16:05:04.538694+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.538672920Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -o br-579be4777b6d -j DOCKER]"
2024-11-17T16:05:04.539733+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.539712990Z" level=debug msg="/usr/sbin/iptables, [--wait -I FORWARD -o br-579be4777b6d -j DOCKER]"
2024-11-17T16:05:04.540603+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.540584434Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -o br-579be4777b6d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
2024-11-17T16:05:04.541582+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.541560885Z" level=debug msg="/usr/sbin/iptables, [--wait -I FORWARD -o br-579be4777b6d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
2024-11-17T16:05:04.542552+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.542532256Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -j DOCKER-ISOLATION-STAGE-1]"
2024-11-17T16:05:04.543631+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.543601330Z" level=debug msg="/usr/sbin/iptables, [--wait -D FORWARD -j DOCKER-ISOLATION-STAGE-1]"
2024-11-17T16:05:04.610788+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.610754087Z" level=debug msg="/usr/sbin/iptables, [--wait -I FORWARD -j DOCKER-ISOLATION-STAGE-1]"
2024-11-17T16:05:04.611734+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.611706483Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION-STAGE-1 -i br-579be4777b6d ! -o br-579be4777b6d -j DOCKER-ISOLATION-STAGE-2]"
2024-11-17T16:05:04.612670+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.612642839Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -I DOCKER-ISOLATION-STAGE-1 -i br-579be4777b6d ! -o br-579be4777b6d -j DOCKER-ISOLATION-STAGE-2]"
2024-11-17T16:05:04.613488+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.613462325Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION-STAGE-2 -o br-579be4777b6d -j DROP]"
2024-11-17T16:05:04.614380+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.614355900Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -I DOCKER-ISOLATION-STAGE-2 -o br-579be4777b6d -j DROP]"
2024-11-17T16:05:04.685215+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.685173158Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -n -L DOCKER-USER]"
2024-11-17T16:05:04.687062+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.687027294Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C DOCKER-USER -j RETURN]"
2024-11-17T16:05:04.687962+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.687931590Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -j DOCKER-USER]"
2024-11-17T16:05:04.688927+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.688897210Z" level=debug msg="/usr/sbin/iptables, [--wait -D FORWARD -j DOCKER-USER]"
2024-11-17T16:05:04.710794+00:00 ulthar dockerd[30785]: time="2024-11-17T16:05:04.710746316Z" level=debug msg="/usr/sbin/iptables, [--wait -I FORWARD -j DOCKER-USER]"

This is what I see with iptables/1.8.11-1:

2024-11-17T16:06:23.506837+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.506342860Z" level=debug msg="Calling HEAD /_ping" spanID=5dd9209c76ed0509 traceID=b8601f61654d950284078b0ff21a94cb
2024-11-17T16:06:23.515005+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.514941512Z" level=debug msg="Calling POST /v1.45/networks/create" spanID=9b3d628dfe90d929 traceID=e3e388c1230c8096c646489f28f566eb
2024-11-17T16:06:23.515081+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.515029086Z" level=debug msg="form data: {\"Attachable\":false,\"ConfigFrom\":null,\"ConfigOnly\":false,\"Driver\":\"bridge\",\"EnableIPv6\":false,\"IPAM\":{\"Config\":[],\"Driver\":\"default\",\"Options\":{}},\"Ingress\":false,\"Internal\":false,\"Labels\":{},\"Name\":\"test\",\"Options\":{},\"Scope\":\"\"}" spanID=9b3d628dfe90d929 traceID=e3e388c1230c8096c646489f28f566eb
2024-11-17T16:06:23.515216+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.515178075Z" level=debug msg="Allocating IPv4 pools for network test (877c2805dc7c020b9d4c439dbf87d344588926719aa37944ff31962f97db37ef)"
2024-11-17T16:06:23.515261+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.515192923Z" level=debug msg="RequestPool(LocalDefault, , , _, false)"
2024-11-17T16:06:23.515402+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.515365547Z" level=debug msg="RequestAddress(LocalDefault/172.20.0.0/16, <nil>, map[RequestAddressType:com.docker.network.gateway])"
2024-11-17T16:06:23.515454+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.515391035Z" level=debug msg="Request address PoolID:172.20.0.0/16 Bits: 65536, Unselected: 65534, Sequence: (0x80000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0 Serial:false PrefAddress:invalid IP "
2024-11-17T16:06:23.515502+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.515435017Z" level=debug msg="Did not find any interface with name br-877c2805dc7c: Link not found"
2024-11-17T16:06:23.515551+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.515455345Z" level=debug msg="Setting bridge mac address to 02:42:3a:85:27:14"
2024-11-17T16:06:23.516060+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.516018261Z" level=debug msg="Assigning address to bridge interface br-877c2805dc7c: 172.20.0.1/16"
2024-11-17T16:06:23.516134+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.516094534Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C POSTROUTING -s 172.20.0.0/16 ! -o br-877c2805dc7c -j MASQUERADE]"
2024-11-17T16:06:23.517431+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.517399490Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -I POSTROUTING -s 172.20.0.0/16 ! -o br-877c2805dc7c -j MASQUERADE]"
2024-11-17T16:06:23.518682+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.518656567Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C DOCKER -i br-877c2805dc7c -j RETURN]"
2024-11-17T16:06:23.519795+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.519763603Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C POSTROUTING -m addrtype --src-type LOCAL -o br-877c2805dc7c -j MASQUERADE]"
2024-11-17T16:06:23.520878+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.520853576Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -i br-877c2805dc7c -o br-877c2805dc7c -j DROP]"
2024-11-17T16:06:23.522613+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.522583770Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -i br-877c2805dc7c -o br-877c2805dc7c -j ACCEPT]"
2024-11-17T16:06:23.523677+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.523656522Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -i br-877c2805dc7c ! -o br-877c2805dc7c -j ACCEPT]"
2024-11-17T16:06:23.524694+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.524674761Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
2024-11-17T16:06:23.525665+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.525645331Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
2024-11-17T16:06:23.526627+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.526603718Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
2024-11-17T16:06:23.527574+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.527555292Z" level=debug msg="/usr/sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
2024-11-17T16:06:23.528552+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.528524268Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -o br-877c2805dc7c -j DOCKER]"
2024-11-17T16:06:23.529594+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.529573095Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -o br-877c2805dc7c -j DOCKER]"
2024-11-17T16:06:23.530605+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.530583439Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -o br-877c2805dc7c -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
2024-11-17T16:06:23.531579+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.531560832Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -o br-877c2805dc7c -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
2024-11-17T16:06:23.532533+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.532516033Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -j DOCKER-ISOLATION-STAGE-1]"
2024-11-17T16:06:23.533381+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.533365425Z" level=debug msg="/usr/sbin/iptables, [--wait -D FORWARD -j DOCKER-ISOLATION-STAGE-1]"
2024-11-17T16:06:23.582884+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.582847651Z" level=debug msg="/usr/sbin/iptables, [--wait -I FORWARD -j DOCKER-ISOLATION-STAGE-1]"
2024-11-17T16:06:23.583720+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.583696903Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION-STAGE-1 -i br-877c2805dc7c ! -o br-877c2805dc7c -j DOCKER-ISOLATION-STAGE-2]"
2024-11-17T16:06:23.584570+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.584549041Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION-STAGE-2 -o br-877c2805dc7c -j DROP]"
2024-11-17T16:06:23.673011+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.672958863Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -n -L DOCKER-USER]"
2024-11-17T16:06:23.674173+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.674126873Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C DOCKER-USER -j RETURN]"
2024-11-17T16:06:23.675140+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.675097423Z" level=debug msg="/usr/sbin/iptables, [--wait -t filter -C FORWARD -j DOCKER-USER]"
2024-11-17T16:06:23.676017+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.675975770Z" level=debug msg="/usr/sbin/iptables, [--wait -D FORWARD -j DOCKER-USER]"
2024-11-17T16:06:23.698906+00:00 ulthar dockerd[30785]: time="2024-11-17T16:06:23.698853263Z" level=debug msg="/usr/sbin/iptables, [--wait -I FORWARD -j DOCKER-USER]"

J.
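An added example, not code from the bug report, from dockerd or from the iptables package. In the two logs above, every filter-table rule that dockerd inserted for the new bridge under 1.8.10-4 (the two FORWARD ACCEPT rules, the FORWARD jumps to DOCKER and the conntrack ACCEPT, and both DOCKER-ISOLATION-STAGE rules including the STAGE-2 DROP) is only checked under 1.8.11-1 and never inserted, because the `-C` check reports a match against the existing docker0 rule; the only rule actually inserted for the new bridge is the POSTROUTING MASQUERADE rule, whose check also differs in the source subnet. The practical consequence is a ruleset that is missing the isolation and forwarding rules the daemon believes are in place. The script below verifies the presence of those rules by matching the exact `iptables-save` lines rather than trusting the `-C` exit status. The dump it works on is a constructed sample carrying only the docker0 rules; `check_live` shows the same check against the running ruleset (requires root, not executed here). The list of expected rules is taken from the `-I` calls in the 1.8.10-4 log.

```shell
#!/bin/sh
# Added example: not code from the bug report, dockerd or the iptables package.
# Check that the filter-table rules dockerd inserts for a bridge are literally
# present in an iptables-save dump, instead of trusting the exit status of
# `iptables -C`, which the report above shows matching the wrong interface.

# Constructed sample dump (filter table only), shaped like iptables-save
# output. It carries the rules for docker0 but none for the user bridge.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT'

# expected_filter_rules BRIDGE
# The filter-table rules dockerd inserts for BRIDGE, taken from the `-I`
# calls in the 1.8.10-4 debug log, written as iptables-save lines.
expected_filter_rules() {
    br=$1
    printf '%s\n' \
        "-A FORWARD -i $br -o $br -j ACCEPT" \
        "-A FORWARD -i $br ! -o $br -j ACCEPT" \
        "-A FORWARD -o $br -j DOCKER" \
        "-A FORWARD -o $br -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "-A DOCKER-ISOLATION-STAGE-1 -i $br ! -o $br -j DOCKER-ISOLATION-STAGE-2" \
        "-A DOCKER-ISOLATION-STAGE-2 -o $br -j DROP"
}

# missing_rules DUMP BRIDGE
# Print every expected rule that does not appear verbatim (whole line,
# fixed string) in DUMP. A whole-line match cannot be satisfied by a rule
# for a different interface, which is exactly what -C did in the report.
missing_rules() {
    dump=$1
    br=$2
    expected_filter_rules "$br" | while IFS= read -r rule; do
        printf '%s\n' "$dump" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
    done
}

# count_missing DUMP BRIDGE
# Number of expected rules absent from DUMP; 0 means the bridge is fully wired.
count_missing() {
    missing_rules "$1" "$2" | grep -c . || true
}

# check_live BRIDGE
# Same check against the running ruleset. Needs root; not run in this example.
check_live() {
    missing_rules "$(iptables-save -t filter)" "$1"
}

# Demonstration on the constructed dump: docker0 is complete, the user
# bridge from the second log above has all six rules missing.
echo "docker0 missing rules: $(count_missing "$SAMPLE_DUMP" docker0)"
echo "br-877c2805dc7c missing rules: $(count_missing "$SAMPLE_DUMP" br-877c2805dc7c)"
missing_rules "$SAMPLE_DUMP" br-877c2805dc7c
```

On a real host, `check_live br-877c2805dc7c` (as root) prints the rules that dockerd skipped; an empty result means the bridge is wired as the 1.8.10-4 log shows. The nat-table rules from the log (the DOCKER RETURN and the MASQUERADE rules) can be checked the same way by dumping with `iptables-save -t nat` and adding their `-A` lines to the expected list.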