networking documentation changes for engine v29 #23362
Signed-off-by: Rob Murray <rob.murray@docker.com>
With nftables on the way - refer to "firewall" instead of "iptables" in the top-level description of packet-filtering-firewalls, move out the iptables specifics, and port-publishing (which applies to both iptables and nftables). Signed-off-by: Rob Murray <rob.murray@docker.com>
Adds engine/network/firewall-nftables.md Signed-off-by: Rob Murray <rob.murray@docker.com>
Note that nftables support was added in moby29 Signed-off-by: Rob Murray <rob.murray@docker.com>
nftables doc: rename moby 29.0.0 -> Docker 29.0.0
usha-mandya left a comment
Thanks for the PR @thaJeztah. I've added some minor suggestions. PTAL
and further chains are added for each bridge network. The moby project
has some [internal documentation](https://github.com/moby/moby/blob/master/integration/network/bridge/nftablesdoc/index.md)
describing its nftables, and how they depend on network and container
configuration. But, the tables and their rules are likely to change between

nit

Suggested change:
- configuration. But, the tables and their rules are likely to change between
+ configuration. However, the tables and their rules are likely to change between

Docker Engine releases.

Do not modify Docker's tables directly as the modifications are likely to
`docker`, it creates a forwarding policy called `docker-forwarding` that
accepts forwarding from `ANY` zone to the `docker` zone.

As an example, to use nftables to block forwarding between interfaces `eth0`

Suggested change:
- As an example, to use nftables to block forwarding between interfaces `eth0`
+ For example, to use nftables to block forwarding between interfaces `eth0`
When Docker Engine on Linux starts for the first time, it has a single
built-in network called the "default bridge" network. When you run a
container with no `--network` option, it is connected to the default bridge.

nit

Suggested change:
- container with no `--network` option, it is connected to the default bridge.
+ container without the `--network` option, it is connected to the default bridge.
You can combine `-s` or `--src-range` with `-d` or `--dst-range` to control both
the source and destination. For instance, if the Docker host has addresses

Suggested change:
- the source and destination. For instance, if the Docker host has addresses
+ the source and destination. For example, if the Docker host has addresses

$ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
For more detailed information about iptables configuration and advanced usage,

Suggested change:
- For more detailed information about iptables configuration and advanced usage,
+ For more information about iptables configuration and advanced usage,
> Support for nftables introduced in Docker 29.0.0 is experimental, configuration
> options, behavior and implementation may all change in future releases.
> The rules for overlay networks have not yet been migrated from iptables.
> So, nftables cannot be enabled when the daemon has Swarm enabled.

Suggested change:
- > So, nftables cannot be enabled when the daemon has Swarm enabled.
+ > Therefore, nftables cannot be enabled when the Docker daemon is running in Swarm mode.
For more detailed information about nftables configuration and advanced usage,

Suggested change:
- For more detailed information about nftables configuration and advanced usage,
+ For more information about nftables configuration and advanced usage,
keywords: network, iptables, firewall
---

By default, for both IPv4 and IPv6, the daemon blocks access to ports that have not

Suggested change:
- By default, for both IPv4 and IPv6, the daemon blocks access to ports that have not
+ By default, for both IPv4 and IPv6, the Docker daemon blocks access to ports that have not
Thanks @usha-mandya - I can pick these up ... I'll add another PR to the branch, for the PR to merge.
moby29 networking - address review comments Signed-off-by: Rob Murray <rob.murray@docker.com>
Should this also change the "nft rules are not supported" installation note added in #19618?