networking documentation changes for engine v29 #23362
Open
+864
−474
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
github-actions
bot
added
area/engine
Signed-off-by: Rob Murray <[email protected]>
Signed-off-by: Rob Murray <[email protected]>
With nftables on the way - refer to "firewall" instead of "iptables" in the top-level description of packet-filtering-firewalls, move out the iptables specifics, and port-publishing (which applies to both iptables and nftables). Signed-off-by: Rob Murray <[email protected]>
Adds engine/network/firewall-nftables.md Signed-off-by: Rob Murray <[email protected]>
Signed-off-by: Rob Murray <[email protected]>
Note that nftables support was added in moby29
Signed-off-by: Rob Murray <[email protected]>
nftables doc: rename moby 29.0.0 -> Docker 29.0.0
thaJeztah
changed the title
robmry
approved these changes
Oct 15, 2025
usha-mandya
reviewed
Oct 15, 2025
There was a problem hiding this comment.
Thanks for the PR @thaJeztah. I've added some minor suggestion. PTAL
| and further chains are added for each bridge network. The moby project | ||
| has some [internal documentation](https://github.com/moby/moby/blob/master/integration/network/bridge/nftablesdoc/index.md) | ||
| describing its nftables, and how they depend on network and container | ||
| configuration. But, the tables and their rules are likely to change between |
There was a problem hiding this comment.
nit
Suggested change
| configuration. But, the tables and their rules are likely to change between | |
| configuration. However,, the tables and their rules are likely to change between |
| configuration. But, the tables and their rules are likely to change between | ||
| Docker Engine releases. | ||
|
|
||
| Do not modify Docker's tables directly as the modifications are likely to |
| `docker`, it creates a forwarding policy called `docker-forwarding` that | ||
| accepts forwarding from `ANY` zone to the `docker` zone. | ||
|
|
||
| As an example, to use nftables to block forwarding between interfaces `eth0` |
There was a problem hiding this comment.
Suggested change
| As an example, to use nftables to block forwarding between interfaces `eth0` | |
| For example, to use nftables to block forwarding between interfaces `eth0` |
|
|
||
| When Docker Engine on Linux starts for the first time, it has a single | ||
| built-in network called the "default bridge" network. When you run a | ||
| container with no `--network` option, it is connected to the default bridge. |
There was a problem hiding this comment.
nit
Suggested change
| container with no `--network` option, it is connected to the default bridge. | |
| container without the `--network` option, it is connected to the default bridge. |
| ``` | ||
|
|
||
| You can combine `-s` or `--src-range` with `-d` or `--dst-range` to control both | ||
| the source and destination. For instance, if the Docker host has addresses |
There was a problem hiding this comment.
Suggested change
| the source and destination. For instance, if the Docker host has addresses | |
| the source and destination. For example, if the Docker host has addresses |
| $ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
| ``` | ||
|
|
||
| For more detailed information about iptables configuration and advanced usage, |
There was a problem hiding this comment.
Suggested change
| For more detailed information about iptables configuration and advanced usage, | |
| For more information about iptables configuration and advanced usage, |
| > Support for nftables introduced in Docker 29.0.0 is experimental, configuration | ||
| > options, behavior and implementation may all change in future releases. | ||
| > The rules for overlay networks have not yet been migrated from iptables. | ||
| > So, nftables cannot be enabled when the daemon has Swarm enabled. |
There was a problem hiding this comment.
Suggested change
| > So, nftables cannot be enabled when the daemon has Swarm enabled. | |
| > Therefore, nftables cannot be enabled when the Docker daemon is running in the Swarm mode. |
| } | ||
| ``` | ||
|
|
||
| For more detailed information about nftables configuration and advanced usage, |
There was a problem hiding this comment.
Suggested change
| For more detailed information about nftables configuration and advanced usage, | |
| For more information about nftables configuration and advanced usage, |
| keywords: network, iptables, firewall | ||
| --- | ||
|
|
||
| By default, for both IPv4 and IPv6, the daemon blocks access to ports that have not |
There was a problem hiding this comment.
Suggested change
| By default, for both IPv4 and IPv6, the daemon blocks access to ports that have not | |
| By default, for both IPv4 and IPv6, the Docker daemon blocks access to ports that have not |
|
Thanks @usha-mandya - I can pick these up ... I'll add another PR to the branch, for the PR to merge. |
Signed-off-by: Rob Murray <[email protected]>
3 tasks
|
moby29 networking - address review comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Related issues or tickets
Reviews