doc: Add "Disable the tables" way to "Prevent connectivity issues wit…#2392
```
nft insert rule ip filter DOCKER-USER iifname k8s-net counter accept
nft insert rule ip filter DOCKER-USER oifname k8s-net ct state related,established counter accept
```
The example uses incusbr0 so this should be updated to match.
@stgraber Thanks for your reply. I have updated this PR, please review again.
```
nft add table ip6 filter
nft add table inet incus { flags dormant\; }
```
We definitely don't want to put a full nft ruleset dump in our documentation, this will never be kept up to date and will make things more confusing for everyone.
I also would prefer not to have those particular nft commands in there.
They don't just suspend the Docker rules, they suspend everything which would be very dangerous on a production system.
A better option that may be worth mentioning in here is `"ip-forward-no-drop": true` in Docker configuration which should also make it stop interfering on the system.
- I have reviewed the nftables project from scratch. The nftables team has given up on iptables and recommends using `nft`. `iptables-translate` can help users translate iptables commands to nft commands. At large scale, `nft` is faster than `iptables`. `flags dormant` is table level, it cannot be chain level. However, at large scale, Docker will modify table-level rulesets. `"ip-forward-no-drop": true` is only focused on the `forward` chain, but not others like `nat`. Incus also sets `nat` rulesets in its own way by itself. Further, "Prevent connectivity issues with Incus and Docker" has many solutions, so which way the user selects should be decided by the user. After all, those ways are user commands, not Incus commands. So you don't need to worry.
- Many, many new people are misdirected to learn iptables; it is very unfair to them.
This removes the full nft dump from the previous commit as well as the recommendation to mark specific tables as dormant since the tables used by Docker are the same ones commonly used for local rules, marking them dormant would in many cases completely disable firewalling in a non-obvious way and could be quite dangerous. Keep the manual nft example as that's in line with what's already there for xtables. Also expand the list of options to include `ip-forward-no-drop` in the Docker configuration as we've seen that be sufficient in some cases.

Signed-off-by: Stéphane Graber <[email protected]>
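The two options the commit message keeps (the manual DOCKER-USER rules, here with the `incusbr0` name the review asked for, and the `ip-forward-no-drop` Docker setting) as an added shell example; this is not code from the PR or the Incus docs, and it assumes Docker's DOCKER-USER chain lives in the `ip filter` table as in the quoted doc lines. The check function makes the rule insertion idempotent, which is the piece a scripted setup usually lacks.

```shell
#!/bin/sh
# Added example, not code from the PR or the Incus docs. Assumes Docker keeps its
# DOCKER-USER chain in the "ip filter" table (as in the quoted doc lines) and that
# the Incus bridge is called incusbr0, as the review comment asks for.
IFACE="${IFACE:-incusbr0}"

# Emit the two rules that let Incus bridge traffic through DOCKER-USER. They touch
# one chain only; nothing is marked dormant, so the rest of the firewall stays active.
incus_docker_rules() {
    printf 'nft insert rule ip filter DOCKER-USER iifname %s counter accept\n' "$1"
    printf 'nft insert rule ip filter DOCKER-USER oifname %s ct state related,established counter accept\n' "$1"
}

# Read `nft list chain ip filter DOCKER-USER` output on stdin and report whether both
# rules are already there, so repeated runs do not stack duplicate rules.
# nft may normalise the ct state flag order when listing, so accept either spelling.
rules_present() {
    chain="$(cat)"
    printf '%s\n' "$chain" | grep -q "iifname \"$1\" counter" &&
        printf '%s\n' "$chain" | grep -Eq "oifname \"$1\" ct state (related,established|established,related) counter"
}

# The daemon.json fragment for the other option the maintainer mentions; it only
# stops Docker dropping forwarded packets and leaves Docker's nat rules in place.
docker_daemon_json() {
    printf '{\n  "ip-forward-no-drop": true\n}\n'
}

# Apply the rules only when missing (needs root and nft on PATH).
apply_rules() {
    if nft list chain ip filter DOCKER-USER 2>/dev/null | rules_present "$IFACE"; then
        echo "DOCKER-USER rules for $IFACE already present"
    else
        incus_docker_rules "$IFACE" | sh
    fi
}

# Constructed sample listing, used here to exercise the check without nft installed.
SAMPLE_CHAIN='table ip filter {
    chain DOCKER-USER {
        iifname "incusbr0" counter packets 0 bytes 0 accept
        oifname "incusbr0" ct state established,related counter packets 0 bytes 0 accept
        counter packets 0 bytes 0 return
    }
}'
if printf '%s\n' "$SAMPLE_CHAIN" | rules_present incusbr0; then
    echo "sample listing already has the incusbr0 rules"
fi
```

Run `apply_rules` as root on the Docker host to insert the rules once; the `docker_daemon_json` output goes into `/etc/docker/daemon.json` if you prefer the configuration route instead.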
…h Incus and Docker", add `nft` command to "Allow egress network traffic flows"

Closes: "Why can I not ping and apt update?"