kravietz 🦇 on Nostr: #Linux hint - if you’re using #nftables and #Docker you’ve probably noticed they ...
#Linux hint - if you’re using #nftables and #Docker you’ve probably noticed they mess with each other. Docker assumes 100% control over -t nat and drops tons of dynamic rules there, so if you manage it yourself, you’ll overwrite them and everything stops working.
The most reliable solution I’ve found so far is to make iptables a link to iptables-legacy, which can be done using update-alternatives on Ubuntu:
update-alternatives --set iptables /usr/sbin/iptables-legacy
Docker will continue using iptables for managing its dynamic rules, while your actual firewall can continue to be managed using nft, and they will both coexist in the kernel, while being in separate “namespaces”. Both will be executed, but they won’t overwrite each other.
P.S. #FreeBSD with jails does it a bit more elegantly because pf has a feature called anchors - which is essentially a separate rules namespace which can be linked from the main ruleset so that it doesn’t mess with the application-specific ones. Of course this would also be doable with nftables but the Docker project doesn’t seem to care.
Published at 2024-10-07 09:30:50
Event JSON
{
"id": "e45095d6a532930120636648fb07f5180b2ce18996edfa3cc85d40ae539ea1b2",
"pubkey": "60a94a39eef05a48fcb0b214f57ecd9c81ffd70bd7beaa274732ae7ae7dcf0ea",
"created_at": 1728293450,
"kind": 1,
"tags": [
[
"t",
"docker"
],
[
"t",
"freebsd"
],
[
"t",
"linux"
],
[
"t",
"nftables"
],
[
"proxy",
"https://agora.echelon.pl/objects/c750b851-8420-49fc-a9ad-5a7e3f59f4e3",
"activitypub"
]
],
"content": "#Linux hint - if you’re using #nftables and #Docker you’ve probably noticed they mess with each other. Docker assumes 100% control over -t nat and drops tons of dynamic rules there, so if you manage it yourself, you’ll overwrite them and everything stops working.\n\nThe most reliable solution I’ve found so far is to make iptables a link to iptables-legacy, which can be done using update-alternatives on Ubuntu: \n\nupdate-alternatives --set iptables /usr/sbin/iptables-legacy\n\n\nDocker will continue using iptables for managing its dynamic rules, while your actual firewall can be continued to be managed using nft, and they will both coexist in the kernel, while being in separate “namespaces”. Both will be executed, but they won’t overwrite each other.\n\nP.S. #FreeBSD with jails does it a bit more elegantly because pf has a feature called anchors - which is essentially a separate rules namespace which can be linked from the main ruleset so that it doesn’t mess with the application-specific ones. Of course this would be also doable with nftables but Docker project doesn’t seem to care.",
"sig": "d01d705aea091eada05ae7efb128b7156f91e2844b032e023519a415d8b3258ff38a5efad8c49d675c1be831b577c3bf129d6094f89b0e9121270f1f34b140cb"
}
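The procedure the post describes, as an added example that is not kravietz's code and not part of Docker: detect which backend the `iptables` binary is using, switch both `iptables` and `ip6tables` to the legacy binaries so Docker's chains land in x_tables, restart Docker, and load a host nftables ruleset that coexists with them. Assumptions (not from the post): Debian/Ubuntu-style `update-alternatives`, Docker managed by systemd, the host's own rules in `/etc/nftables.conf`, SSH on port 22, and the version string used when `iptables` is absent is a constructed sample. The helper names (`iptables_backend`, `switch_to_legacy`, `nft_ruleset`, `docker_chains_in`) are invented for this example.

```shell
#!/bin/sh
# Added example, not from the original post: detect the active iptables backend,
# switch Docker's iptables to the legacy (x_tables) backend as the post suggests,
# and keep a host nftables ruleset that coexists with Docker's rules.
# Assumptions: Debian/Ubuntu update-alternatives, systemd-managed Docker, host
# rules in /etc/nftables.conf. Run with "apply" (as root) to make the change;
# without arguments it only reports the current backend.
set -eu

# Map the output of `iptables --version` to a backend name, e.g.
#   "iptables v1.8.7 (nf_tables)" -> nf_tables  (Docker's rules appear in nft)
#   "iptables v1.8.9 (legacy)"    -> legacy     (Docker's rules live in x_tables)
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Point iptables AND ip6tables at the legacy binaries (Docker also programs
# ip6tables when IPv6 is enabled), then restart Docker so it recreates its
# chains in x_tables instead of nf_tables.
switch_to_legacy() {
    for tool in iptables ip6tables; do
        update-alternatives --set "$tool" "/usr/sbin/${tool}-legacy"
    done
    systemctl restart docker
}

# Minimal host ruleset. `flush ruleset` is safe only because Docker's rules are
# in x_tables; with the nf_tables backend this line would wipe Docker's chains.
# Both hook sets are evaluated and a drop in either one wins, so the forward
# chain must explicitly accept the bridge traffic Docker's own FORWARD rules
# already allow (docker0 and the br-* bridges of user-defined networks).
nft_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "docker0" accept
        oifname "docker0" accept
        iifname "br-*" accept
        oifname "br-*" accept
    }
}
EOF
}

# Count Docker chains visible to each backend; after the switch the legacy
# count should be non-zero and the nft count zero (grep -c prints 0 but exits
# 1 when nothing matches, hence the "|| true" at the call sites).
docker_chains_in() {
    case "$1" in
        legacy) iptables-legacy -t nat -S 2>/dev/null | grep -c '^-N DOCKER' ;;
        nft)    nft list ruleset 2>/dev/null | grep -c 'DOCKER' ;;
    esac
}

main() {
    if command -v iptables >/dev/null 2>&1; then
        version=$(iptables --version 2>/dev/null || echo unknown)
    else
        version="iptables v1.8.7 (nf_tables)"   # constructed sample, no iptables installed
    fi
    echo "iptables backend: $(iptables_backend "$version")"
    case "${1:-}" in
        apply)
            switch_to_legacy
            nft_ruleset > /etc/nftables.conf
            nft -f /etc/nftables.conf
            echo "Docker chains in legacy: $(docker_chains_in legacy || true)"
            echo "Docker chains in nft:    $(docker_chains_in nft || true)"
            ;;
    esac
}

main "$@"
```

After `apply`, `update-alternatives --display iptables` and `iptables --version` should both report the legacy binary, `iptables-legacy -t nat -S` should list the DOCKER chains, and `nft list ruleset` should show only the `inet filter` table. Keep in mind that the two rule sets are evaluated one after the other at the same hook, so any traffic Docker accepts in its x_tables FORWARD chain still has to be accepted by the nft forward chain above, or containers lose connectivity.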