Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER #2158

Closed
user318 opened this issue May 24, 2018 · 0 comments · Fixed by moby/moby#39054
Closed

dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER #2158

user318 opened this issue May 24, 2018 · 0 comments · Fixed by moby/moby#39054

Comments

@user318
Copy link

user318 commented May 24, 2018

If dockerd is run with --iptables=false option, it skips most of iptables stuff. But still interfere a bit. Here is what I get when run dockerd with --iptables=false:

*filter
:INPUT ACCEPT [12730:1832196]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [54:6656]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN

Is it possible for docker not to touch iptables at all?
@phyber phyber mentioned this issue Feb 20, 2019
Merged
thaJeztah added a commit to thaJeztah/docker that referenced this issue Jun 25, 2019
@thaJeztah
bump libnetwork. vishvananda/netlink 1.0, vishvananda/netns
344b093 
full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby#28689 Embedded DNS is case-sensitive
  - addresses moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah mentioned this issue Jun 25, 2019
Merged
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Jun 27, 2019
@thaJeztah
bump libnetwork. vishvananda/netlink 1.0, vishvananda/netns
a702fa1 
full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby/moby#28689 Embedded DNS is case-sensitive
  - addresses moby/moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 344b093258fcb2195fa393081e5224a6c766c798
Component: engine
@thaJeztah thaJeztah mentioned this issue Aug 22, 2019
Merged
thaJeztah added a commit to thaJeztah/docker that referenced this issue Sep 16, 2019
@thaJeztah
bump libnetwork. vishvananda/netlink 1.0, vishvananda/netns
f3e1aff 
full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby#28689 Embedded DNS is case-sensitive
  - addresses moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 344b093)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Sep 17, 2019
@thaJeztah
bump libnetwork. vishvananda/netlink 1.0, vishvananda/netns
de71dcd 
full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby/moby#28689 Embedded DNS is case-sensitive
  - addresses moby/moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 344b093258fcb2195fa393081e5224a6c766c798)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: f3e1aff81df959e9178433b77e7f3364c22aee59
Component: engine
burnMyDread pushed a commit to burnMyDread/moby that referenced this issue Oct 21, 2019
@thaJeztah @burnMyDread
bump libnetwork. vishvananda/netlink 1.0, vishvananda/netns
88c296a 
full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby#28689 Embedded DNS is case-sensitive
  - addresses moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: zach <[email protected]>
@thaJeztah thaJeztah mentioned this issue Nov 7, 2019
Merged
thaJeztah added a commit to thaJeztah/docker that referenced this issue Nov 7, 2019
@thaJeztah
bump libnetwork 90afbb01e1d8acacb505a092744ea42b9f167377
9cf349d 
full diff: moby/libnetwork@0025177...90afbb0

includes:

- docker/libnetwork#/2459 Fix Error Check in NewNetwork
- docker/libnetwork#/2466 Revert "Merge pull request moby#2339 from phyber/iptables-check"
    - reverts docker/libnetwork#/2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
    - re-opens moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
    - re-opens moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
    - re-opens docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah mentioned this issue Nov 7, 2019
Merged
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Nov 8, 2019
@thaJeztah
bump libnetwork 90afbb01e1d8acacb505a092744ea42b9f167377
dee2ab2 
full diff: moby/libnetwork@0025177...90afbb0

includes:

- docker/libnetwork#/2459 Fix Error Check in NewNetwork
- docker/libnetwork#/2466 Revert "Merge pull request #2339 from phyber/iptables-check"
    - reverts docker/libnetwork#/2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
    - re-opens moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
    - re-opens moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
    - re-opens docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 9cf349d0f80d2399cdfad0321e0f181c2e7efa17
Component: engine
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

bump libnetwork. vishvananda/netlink 1.0, vishvananda/netns thaJeztah/docker
1 participant
@user318