Closed
Labels: area/networking, area/networking/d/bridge, kind/bug, status/confirmed, version/27.3
Description
Apparently if the chain already exists when Docker starts, it is not inserted at the top of the FORWARD chain like it normally is. This renders it completely useless, as the whole purpose is to let you add your rules before Docker's, since Docker inserts rules at the top. Otherwise you have to insert them after Docker starts, which you can do anyway without the DOCKER-USER chain.
Reproduce
- Create rules.v4 file
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -i docker0 ! -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i docker0 ! -o docker0 -d 192.168.0.0/16 -j REJECT
-A DOCKER-USER -i docker0 ! -o docker0 -d 10.0.0.0/8 -j REJECT
-A DOCKER-USER -i docker0 ! -o docker0 -d 172.16.0.0/12 -j REJECT
COMMIT
iptables-restore rules.v4
- Restart docker so it regenerates its rules
Expected behavior
At the top of the FORWARD chain there should be: -A FORWARD -j DOCKER-USER
docker version
Client: Docker Engine - Community
Version: 27.3.1
API version: 1.47
Go version: go1.22.7
Git commit: ce12230
Built: Fri Sep 20 11:41:00 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 27.3.1
API version: 1.47 (minimum version 1.24)
Go version: go1.22.7
Git commit: 41ca978
Built: Fri Sep 20 11:41:00 2024
OS/Arch: linux/amd64
Experimental: true
containerd:
Version: 1.7.22
GitCommit: 7f7fdf5fed64eb6a7caf99b3e12efcf9d60e311c
runc:
Version: 1.1.14
GitCommit: v1.1.14-0-g2c9f560
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Client: Docker Engine - Community
Version: 27.3.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.17.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.29.7
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 12
Running: 7
Paused: 0
Stopped: 5
Images: 11
Server Version: 27.3.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7f7fdf5fed64eb6a7caf99b3e12efcf9d60e311c
runc version: v1.1.14-0-g2c9f560
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
userns
cgroupns
Kernel Version: 5.15.0-122-generic
Operating System: Ubuntu 22.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 94.22GiB
Name: server
ID: c81fb854-7df0-4ab6-8d81-8ebf67e9631a
Docker Root Dir: /var/lib/docker/165536.165536
Debug Mode: false
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: true
Default Address Pools:
Base: 172.16.0.0/16, Size: 24
Base: fd3b:c25e:967e:1000::/52, Size: 64
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Additional Info
No response
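The report above boils down to one ordering check: after the daemon (re)starts, is the jump to DOCKER-USER the first rule in the FORWARD chain? The script below is an added example, not code from the issue or from the Docker project. It parses text in the format that `iptables -S FORWARD` prints, so it can be exercised offline against constructed samples; the sample chain listings and the function names (docker_user_is_first, check_live_host, print_fix_commands) are assumptions made for this example, not output captured from the reporter's host. The remediation commands it prints use only standard iptables flags (-N, -D, -I) and are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example: verify that "-A FORWARD -j DOCKER-USER" is the first rule
# in the FORWARD chain, and print the commands that restore that ordering.

# $1: chain listing in `iptables -S FORWARD` format.
# Returns 0 when the DOCKER-USER jump is the first -A rule, 1 otherwise
# (including the case where the jump is missing altogether).
docker_user_is_first() {
    first_rule=$(printf '%s\n' "$1" | grep '^-A FORWARD ' | head -n 1)
    [ "$first_rule" = "-A FORWARD -j DOCKER-USER" ]
}

# Constructed sample: the ordering the reporter expects after a daemon restart.
GOOD_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# Constructed sample of a bad state: the DOCKER-USER chain was pre-created by
# rules.v4, the daemon did not insert the jump, so no packet ever reaches the
# user rules and the REJECTs for RFC 1918 ranges never fire.
BAD_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# Run the same check against the live ruleset (needs root; not used by the
# offline test). A non-zero exit means the user chain is being bypassed.
check_live_host() {
    docker_user_is_first "$(iptables -S FORWARD 2>/dev/null)"
}

# Print, without executing, the commands that force the jump to position 1:
# create the chain if absent, drop every existing copy of the jump so it is
# not duplicated, then insert it at the top.
print_fix_commands() {
    cat <<'EOF'
iptables -N DOCKER-USER 2>/dev/null || true
while iptables -D FORWARD -j DOCKER-USER 2>/dev/null; do :; done
iptables -I FORWARD 1 -j DOCKER-USER
EOF
}

# Stand-alone demonstration on the constructed samples.
if docker_user_is_first "$GOOD_FORWARD"; then
    echo "good sample: DOCKER-USER jump is first"
fi
if ! docker_user_is_first "$BAD_FORWARD"; then
    echo "bad sample: DOCKER-USER jump is not first; suggested fix:"
    print_fix_commands
fi
```

On a host, run `check_live_host` after `systemctl restart docker`; if it fails, the rules in DOCKER-USER are present but unreachable, which is the silent failure mode the report describes. The printed fix is idempotent, so it is safe to run from a boot-time unit ordered after docker.service.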