
Commit 35bd3e4

committed
moby 29 networking - address review comments
Signed-off-by: Rob Murray <rob.murray@docker.com>
1 parent 3753bba commit 35bd3e4

4 files changed

Lines changed: 16 additions & 12 deletions

File tree

content/manuals/engine/network/_index.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,8 @@ and the concepts around container networking.
3131

3232
When Docker Engine on Linux starts for the first time, it has a single
3333
built-in network called the "default bridge" network. When you run a
34-
container with no `--network` option, it is connected to the default bridge.
34+
container without the `--network` option, it is connected to the default
35+
bridge.
3536

3637
Containers attached to the default bridge have access to network services
3738
outside the Docker host. They use "masquerading" which means, if the
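Review bot: the rewritten sentence at lines 34-35 still refers to the network only as "the default bridge", without the name a reader will see in `docker network ls` or pass to `--network`; suggest naming it once, e.g. `it is connected to the default bridge (the network named `bridge`)`, so the prose can be matched to the CLI output.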

content/manuals/engine/network/firewall-iptables.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -113,7 +113,7 @@ $ iptables -I DOCKER-USER -m iprange -i ext_if ! --src-range 192.0.2.1-192.0.2.3
113113
```
114114

115115
You can combine `-s` or `--src-range` with `-d` or `--dst-range` to control both
116-
the source and destination. For instance, if the Docker host has addresses
116+
the source and destination. For example, if the Docker host has addresses
117117
`2001:db8:1111::2` and `2001:db8:2222::2`, you can make rules specific to
118118
`2001:db8:1111::2` and leave `2001:db8:2222::2` open.
119119

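Review bot: the paragraph at lines 115-118 moves from the IPv4 `iptables` example at line 113 to IPv6 host addresses (`2001:db8:1111::2`, `2001:db8:2222::2`) without saying that rules for those addresses go into `ip6tables`, whose `DOCKER-USER` chain is separate from the IPv4 one; suggest stating that explicitly in the sentence that begins "For example, if the Docker host has addresses".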
@@ -128,5 +128,5 @@ external address ranges.
128128
$ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
129129
```
130130

131-
For more detailed information about iptables configuration and advanced usage,
131+
For more information about iptables configuration and advanced usage,
132132
refer to the [Netfilter.org HOWTO](https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html).
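Review bot: the `-I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT` rule at line 128, like the `-I DOCKER-USER -m iprange ...` example at line 113, inserts at the head of the chain, so the order in which a reader types the examples decides the final rule order; one sentence noting that `-I` prepends, and that this accept rule must end up above the restrictive ones, would avoid a common misconfiguration. Two smaller points: `-m conntrack --ctstate RELATED,ESTABLISHED` is the current idiom for `-m state --state`, and the link text "Netfilter.org HOWTO" at line 132 points specifically at the NAT HOWTO, so either name it as the NAT HOWTO or link the packet-filtering HOWTO, which is closer to what this page covers.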

content/manuals/engine/network/firewall-nftables.md

Lines changed: 10 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,8 @@ keywords: network, nftables, firewall
1010
> Support for nftables introduced in Docker 29.0.0 is experimental, configuration
1111
> options, behavior and implementation may all change in future releases.
1212
> The rules for overlay networks have not yet been migrated from iptables.
13-
> So, nftables cannot be enabled when the daemon has Swarm enabled.
13+
> Therefore, nftables cannot be enabled when the Docker daemon is running in
14+
> Swarm mode.
1415
1516
To use nftables instead of iptables, use Docker Engine option
1617
`--firewall-backend=nftables` on its command line, or `"firewall-backend": "nftables"`
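Review bot: "nftables cannot be enabled when the Docker daemon is running in Swarm mode" (lines 13-14) does not tell the reader what they will observe: whether the daemon refuses to start with `--firewall-backend=nftables`, silently falls back to iptables, or whether `docker swarm init` fails when nftables is already active. Since the combination is reachable from both directions, suggest documenting the actual failure mode and its error message in this note.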
@@ -37,11 +38,13 @@ Each table contains a number of [base chains](https://wiki.nftables.org/wiki-nft
3738
and further chains are added for each bridge network. The moby project
3839
has some [internal documentation](https://github.com/moby/moby/blob/master/integration/network/bridge/nftablesdoc/index.md)
3940
describing its nftables, and how they depend on network and container
40-
configuration. But, the tables and their rules are likely to change between
41-
Docker Engine releases.
41+
configuration. However, the tables and their rules are likely to change
42+
between Docker Engine releases.
4243

43-
Do not modify Docker's tables directly as the modifications are likely to
44-
be lost, Docker expects to have full ownership of its tables.
44+
> [!NOTE]
45+
>
46+
> Do not modify Docker's tables directly as the modifications are likely to
47+
> be lost, Docker expects to have full ownership of its tables.
4548
4649
> [!NOTE]
4750
>
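Review bot: the new `> [!NOTE]` block at lines 44-47 is immediately followed by another `> [!NOTE]` at line 49, which renders as two stacked callouts; consider merging them or keeping this warning as a plain paragraph. The sentence it wraps is also a comma splice ("are likely to be lost, Docker expects to have full ownership"); suggest "are likely to be lost: Docker expects to have full ownership of its tables."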
@@ -119,7 +122,7 @@ unwanted forwarding. Docker's bridges are in a firewalld zone called
119122
`docker`, it creates a forwarding policy called `docker-forwarding` that
120123
accepts forwarding from `ANY` zone to the `docker` zone.
121124

122-
As an example, to use nftables to block forwarding between interfaces `eth0`
125+
For example, to use nftables to block forwarding between interfaces `eth0`
123126
and `eth1`, you could use:
124127

125128
```console
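Review bot: the context at lines 122-124 ("Docker's bridges are in a firewalld zone called `docker`, it creates a forwarding policy called `docker-forwarding`") is a comma splice, and "it" reads as the zone rather than Docker; since the hunk already touches this paragraph, suggest "Docker's bridges are in a firewalld zone called `docker`, and Docker creates a forwarding policy called `docker-forwarding` that accepts forwarding from `ANY` zone to the `docker` zone."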
@@ -268,5 +271,5 @@ table ip my-table {
268271
}
269272
```
270273

271-
For more detailed information about nftables configuration and advanced usage,
274+
For more information about nftables configuration and advanced usage,
272275
refer to the [nftables wiki](https://wiki.nftables.org/wiki-nftables/index.php/Main_Page).

content/manuals/engine/network/port-publishing.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,8 +5,8 @@ description: Accessing container ports
55
keywords: network, iptables, firewall
66
---
77

8-
By default, for both IPv4 and IPv6, the daemon blocks access to ports that have not
9-
been published. Published container ports are mapped to host IP addresses.
8+
By default, for both IPv4 and IPv6, the Docker daemon blocks access to ports that
9+
have not been published. Published container ports are mapped to host IP addresses.
1010
To do this, it uses firewall rules to perform Network Address Translation (NAT),
1111
Port Address Translation (PAT), and masquerading.
1212

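Review bot: "the Docker daemon blocks access to ports that have not been published" (lines 8-9) should say whose access is blocked: the firewall rules act on forwarded traffic arriving from outside the host, while processes on the Docker host itself can still reach a bridge-attached container's IP address directly. A qualifying clause such as "blocks access from outside the host to ports that have not been published" would stop readers from treating unpublished ports as unreachable from the host.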