From 35bd3e4e92219821740c9c9953a3e1ed976eec9d Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Wed, 15 Oct 2025 15:04:25 +0100 Subject: [PATCH] moby 29 networking - address review comments Signed-off-by: Rob Murray --- content/manuals/engine/network/_index.md | 3 ++- .../manuals/engine/network/firewall-iptables.md | 4 ++-- .../manuals/engine/network/firewall-nftables.md | 17 ++++++++++------- .../manuals/engine/network/port-publishing.md | 4 ++-- 4 files changed, 16 insertions(+), 12 deletions(-) diff --git a/content/manuals/engine/network/_index.md b/content/manuals/engine/network/_index.md index e311f376ae9d..1f24cc14ea0d 100644 --- a/content/manuals/engine/network/_index.md +++ b/content/manuals/engine/network/_index.md @@ -31,7 +31,8 @@ and the concepts around container networking. When Docker Engine on Linux starts for the first time, it has a single built-in network called the "default bridge" network. When you run a -container with no `--network` option, it is connected to the default bridge. +container without the `--network` option, it is connected to the default +bridge. Containers attached to the default bridge have access to network services outside the Docker host. They use "masquerading" which means, if the diff --git a/content/manuals/engine/network/firewall-iptables.md b/content/manuals/engine/network/firewall-iptables.md index b45cc51dadfb..87d63e9cbbd9 100644 --- a/content/manuals/engine/network/firewall-iptables.md +++ b/content/manuals/engine/network/firewall-iptables.md @@ -113,7 +113,7 @@ $ iptables -I DOCKER-USER -m iprange -i ext_if ! --src-range 192.0.2.1-192.0.2.3 ``` You can combine `-s` or `--src-range` with `-d` or `--dst-range` to control both -the source and destination. For instance, if the Docker host has addresses +the source and destination. For example, if the Docker host has addresses `2001:db8:1111::2` and `2001:db8:2222::2`, you can make rules specific to `2001:db8:1111::2` and leave `2001:db8:2222::2` open. 
@@ -128,5 +128,5 @@ external address ranges. $ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT ``` -For more detailed information about iptables configuration and advanced usage, +For more information about iptables configuration and advanced usage, refer to the [Netfilter.org HOWTO](https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html). diff --git a/content/manuals/engine/network/firewall-nftables.md b/content/manuals/engine/network/firewall-nftables.md index 1c1a31a2bb64..f868e6c95e75 100644 --- a/content/manuals/engine/network/firewall-nftables.md +++ b/content/manuals/engine/network/firewall-nftables.md @@ -10,7 +10,8 @@ keywords: network, nftables, firewall > Support for nftables introduced in Docker 29.0.0 is experimental, configuration > options, behavior and implementation may all change in future releases. > The rules for overlay networks have not yet been migrated from iptables. -> So, nftables cannot be enabled when the daemon has Swarm enabled. +> Therefore, nftables cannot be enabled when the Docker daemon is running in +> Swarm mode. To use nftables instead of iptables, use Docker Engine option `--firewall-backend=nftables` on its command line, or `"firewall-backend": "nftables"` 
@@ -37,11 +38,13 @@ Each table contains a number of [base chains](https://wiki.nftables.org/wiki-nft and further chains are added for each bridge network. The moby project has some [internal documentation](https://github.com/moby/moby/blob/master/integration/network/bridge/nftablesdoc/index.md) describing its nftables, and how they depend on network and container -configuration. But, the tables and their rules are likely to change between -Docker Engine releases. +configuration. However, the tables and their rules are likely to change +between Docker Engine releases. -Do not modify Docker's tables directly as the modifications are likely to -be lost, Docker expects to have full ownership of its tables. +> [!NOTE] +> +> Do not modify Docker's tables directly as the modifications are likely to +> be lost, Docker expects to have full ownership of its tables. > [!NOTE] > @@ -119,7 +122,7 @@ unwanted forwarding. Docker's bridges are in a firewalld zone called `docker`, it creates a forwarding policy called `docker-forwarding` that accepts forwarding from `ANY` zone to the `docker` zone. -As an example, to use nftables to block forwarding between interfaces `eth0` +For example, to use nftables to block forwarding between interfaces `eth0` and `eth1`, you could use: ```console @@ -268,5 +271,5 @@ table ip my-table { } ``` -For more detailed information about nftables configuration and advanced usage, +For more information about nftables configuration and advanced usage, refer to the [nftables wiki](https://wiki.nftables.org/wiki-nftables/index.php/Main_Page). diff --git a/content/manuals/engine/network/port-publishing.md b/content/manuals/engine/network/port-publishing.md index 89388843d71e..024f6bdc022a 100644 --- a/content/manuals/engine/network/port-publishing.md +++ b/content/manuals/engine/network/port-publishing.md 
@@ -5,8 +5,8 @@ description: Accessing container ports keywords: network, iptables, firewall --- -By default, for both IPv4 and IPv6, the daemon blocks access to ports that have not -been published. Published container ports are mapped to host IP addresses. +By default, for both IPv4 and IPv6, the Docker daemon blocks access to ports that +have not been published. Published container ports are mapped to host IP addresses. To do this, it uses firewall rules to perform Network Address Translation (NAT), Port Address Translation (PAT), and masquerading.
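Review bot: the new `> [!NOTE]` callout in the firewall-nftables.md hunk (`@@ -37,11 +38,13 @@`) carries over a comma splice from the paragraph it replaces: in `> Do not modify Docker's tables directly as the modifications are likely to` / `> be lost, Docker expects to have full ownership of its tables.` the text after the comma is an independent statement. Suggest `> be lost; Docker expects to have full ownership of its tables.` or `... are likely to be lost, because Docker expects ...`. The new callout also sits directly above the existing `> [!NOTE]` block, so two notes render back to back; consider merging them, or keeping a line of body text between them if they make different points.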
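Review bot: in the firewall-nftables.md hunk `@@ -119,7 +122,7 @@`, the unchanged context line `Docker's bridges are in a firewalld zone called `docker`, it creates a forwarding policy called `docker-forwarding` ...` has the same comma-splice pattern and an ambiguous `it` (the daemon, not the zone, creates the policy). Since this hunk already touches the paragraph, suggest `... zone called `docker`, and Docker creates a forwarding policy called `docker-forwarding` ...`.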
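Review bot: the rewrapped lines in the port-publishing.md hunk run to 81 and 83 characters (`By default, for both IPv4 and IPv6, the Docker daemon blocks access to ports that` and `have not been published. Published container ports are mapped to host IP addresses.`), while the surrounding prose in these files wraps at about 80; suggest rewrapping so `that` and `addresses.` move down a line, matching the wrap the `_index.md` hunk applies.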