New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Failure to create correct firewall rules under Debian 12 ("Bookworm") #46147
Comments
Hi @this-user, Since you're mentioning
If that doesn't work, could you please enable debug log (see https://docs.docker.com/config/daemon/logs/#enable-debugging), restart your daemon once more (the |
I have tried switching the iptables backend. This does solve the issue of Docker producing an error during startup, even if a What's more, Debian 11 has always been using the I have created the log, it is attached below. The key aspect there is the error message regarding the
EDIT: There is also another issue early on where the daemon cannot determine whether iptables supports xlock. This seems to be an issue with the 1.8.9 version of that packages. Maybe this is related, and is what trips up Docker. |
I think I understand most of the issue. It's not the existence of the This error then trips up the startup of the Docker daemon, causing the first issue with being unable to determine the xlock capabilities. This, in turn, seems to change how Docker handles the rest of the FW initialisation, which then causes an error when it tries to create the already existing Below is a log of starting the Docker daemon on Debian 12 with an existing but empty Unfortunately, there seems to be no good way of fixing this, as Debian 12 only supports iptables 1.8.9, and there is no newer upstream version yet. |
I'm confirming hitting the exact same issue.
for the same reason: I have an customized DOCKER-USER chain configured prior to having Docker generate its rules. I'll try to either drop my customised content or insert manually the missing command somewhere:
|
It's a problem with the EDIT: They do have a Bugzilla issue open for this, but unfortunately, this is one of those annoying projects that make it really difficult to reach them. |
To save others from following the link; it's closed as WONTFIX;
|
The linked Bugzilla issue mentions this bug is triggered by mixing both nftables and iptables-nft rules. I believe you need to do some deliberate action to end up mixing both, and given that there're already a bunch of resources warning that anyone trying to do that would end up in troubled waters, I consider there's not much we can do here. We might consider adding a warning into our docs if we find more users are affected by this issue or alike. So let me close this one, but feel free to continue the discussion if you find something interesting or if I said something wrong. |
I've been trying to catch up on fixing something I didn't setup -- so could you please clarify the "expected" way of doing things here? |
The real problem is that Docker does not currently support nftables directly and instead relies on the nftables-iptables compatibility layer on systems that are using nftables when it is managing the firewall rules. This is what necessitates the workaround with the meta mark rule in the first place. Unfortunately, that workaround is now broken when using version 1.8.9 of the iptables packages. The only other option except for using version 1.8.8 would be to disable Docker's handling of FW rules and manage them manually. But the real solution would be for Docker to implement direct support of nftables. Then we would not need the workaround in the first place, and we would not run into this bug. Given that nftables is effectively the designated successor of iptables, it is to be expected that more distributions will make the switch eventually which is a good reason why Docker should be able to work with it. |
More or less, yes. Or rather, you have to choose between To be more precise, Docker is only compatible with
We're aware we need to tackle this issue (see #26824), but we have some important overhauling to go through first as the way iptables rules are managed right now is quite messy. That's an unfortunate situation, but we can't do better right now.
@this-user Can you expand on that? I don't get why this is needed. Looking at https://wiki.debian.org/nftables, I see:
I guess the corollary is |
If you install Docker per its documentation on a system with nftables like the most recent versions of Debian, the containers simply will not be able to create any outgoing connections, because their traffic gets stuck in the nftables Thus, you can either disable Docker's management of FW rules altogether and do it manually, or you can do a workaround like adding one rule to the DOCKER-USER chain to set a mark that identifies Docker traffic, and then add a second rule in the nftables forward chain to accept traffic with that flag. Then it works as expected. In any case, the bottom line is that traffic forwarding from containers does not currently work out of the box if the system is using nftables with anything but an accept policy for its forward chain if Docker is managing the firewall rules. That is arguably something that ought to be fixed on the Docker side. |
Alright, thanks for taking the time to reply.
No problem, I know this is not trivial; the summary is that we are all in a bad spot but it's not really the fault of anyone, just the general entropy of the universe :-) Lastly, I can understand you don't want to keep this ticket lingering around, I'd imagine it could possibly be marked as dup of a more general ticket related to the Docker/Nft upcoming support? something like that. |
I also have the problem that my own nftables rules (/etc/nftables.conf) are not loaded correctly on restart.
My solution is to create my own chain FORWARD-CB.
The flow is as follows: chain FORWARD -> jump DOCKER-USER -> my /etc/nftabes.conf
|
link to the referenced comment UPD:What I did, did not help, or rather, if I create new containers, they do not work, if I restart nftables.service, then everything stops working.
|
tl;drsudo update-alternatives --remove iptables /usr/sbin/iptables-legacy
sudo update-alternatives --remove ip6tables /usr/sbin/ip6tables-legacy
sudo systemctl enable nftables.service #if disabled
sudo shutdown -r now DescriptionOkay, I spent a little more time (a lot of time...). In my case, the problem was an incomprehensible bug, when performing update-alternatives and rebooting the system, in fact, the selected parameter was reset back to iptables-legacy... Therefore, I removed iptables-legacy from the alternatives altogether and everything became normal. Others# cat /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
# your rules
# your rules
# your rules
# cat /etc/debian_version
12.5
# uname -a
Linux xxxxxxxx 6.5.13-3-pve #1 SMP PREEMPT_DYNAMIC PMX 6.5.13-3 (2024-03-20T10:45Z) x86_64 GNU/Linux
# sudo iptables --version
iptables v1.8.9 (nf_tables)
# sudo nft --version
nftables v1.0.6 (Lester Gooch #5)
# docker version
Client: Docker Engine - Community
Version: 26.0.0
API version: 1.45
Go version: go1.21.8
Git commit: 2ae903e
Built: Wed Mar 20 15:18:01 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 26.0.0
API version: 1.45 (minimum version 1.24)
Go version: go1.21.8
Git commit: 8b79278
Built: Wed Mar 20 15:18:01 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.28
GitCommit: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
runc:
Version: 1.1.12
GitCommit: v1.1.12-0-g51d5e94
docker-init:
Version: 0.19.0
GitCommit: de40ad0
# sudo update-alternatives --list iptables
/usr/sbin/iptables-nft |
Description
Docker does create the
DOCKER-USER
chain along with a jump rule at the top of theFORWARD
chain to the aforementioned chain. This does work as expected under Debian 11 and under Debian 12 as long as theDOCKER-USER
chain does not yet exist when Docker is being started.However, if the
DOCKER-USER
chain already does exist, e.g. because it has been manually created, the Docker services produces an error message during startup, indicating that the chain already exists.level=warning msg="Failed to create DOCKER-USER IPV4 chain" error="iptables failed: iptables -t filter -N DOCKER-USER: iptables: Chain already exists.\n (exit status 1)"
More importantly, this leads to the knock-on effect that no jump rule at the top of the
FORWARD
chain is created, leading to a situation where theDOCKER-USER
chain is effectively being ignored.Using the same Docker version and configuration, this issue does not occur under Debian 11 even if the
DOCKER-USER
chain already exists, it only occurs under Debian 12 if the chain exists already.The most likely explanation seems to be different behaviour by at least one of the packages on the OS side to which Docker reacts slightly differently, and does not create the jump rule.
Reproduce
-> jump rule in
FORWARD
chain is missingExpected behavior
Jump rule to
DOCKER-USER
at the top of theFORWARD
chain exists.docker version
Client: Docker Engine - Community Version: 24.0.5 API version: 1.43 Go version: go1.20.6 Git commit: ced0996 Built: Fri Jul 21 20:35:35 2023 OS/Arch: linux/amd64 Context: default Server: Docker Engine - Community Engine: Version: 24.0.5 API version: 1.43 (minimum version 1.12) Go version: go1.20.6 Git commit: a61e2b4 Built: Fri Jul 21 20:35:35 2023 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.6.22 GitCommit: 8165feabfdfe38c65b599c4993d227328c231fca runc: Version: 1.1.8 GitCommit: v1.1.8-0-g82f18fe docker-init: Version: 0.19.0 GitCommit: de40ad0
docker info
Additional Info
Debian 12 versions:
Debian 11 versions:
The text was updated successfully, but these errors were encountered: