@robmry robmry (Contributor) commented May 28, 2025

- What I did

Stop adding an explicit RETURN rule to the DOCKER-USER chain - it'll return anyway, and having the rule means users can't append rules to the chain (only insert) without some juggling.

Note that this doesn't remove the rule. (So, it'll persist on upgrade but not over reboot.)

- How I did it

- How to verify it

- Human readable description for the release notes

When creating the iptables `DOCKER-USER` chain, do not add an explicit `RETURN` rule, allowing users to append as well as insert their own rules. Existing rules are not removed on upgrade, but it won't be replaced after a reboot.

Signed-off-by: Rob Murray <rob.murray@docker.com>
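To see why the explicit `RETURN` mattered to anyone appending rules: an added shell check, not code from this PR or from moby, that audits an `iptables -S DOCKER-USER` dump for the old unconditional `RETURN` and counts the rules stranded behind it. The chain dumps below are constructed samples; on a real host the functions read `sudo iptables -S DOCKER-USER` from stdin.

```shell
#!/bin/sh
# Added example (not from the PR): audit a DOCKER-USER chain dump for the
# explicit RETURN rule that daemons before this change created, and count
# rules appended after it. Packets never reach those rules, so a non-zero
# count is a silent misconfiguration. Input: output of `iptables -S DOCKER-USER`.
set -u

# Constructed sample: chain from an older daemon; an admin appended a second
# DROP with -A and it landed after the RETURN, where it is never evaluated.
SAMPLE_OLD='-N DOCKER-USER
-A DOCKER-USER -i eth0 -p tcp --dport 8080 -j DROP
-A DOCKER-USER -j RETURN
-A DOCKER-USER -i eth0 -p tcp --dport 9090 -j DROP'

# Constructed sample: chain after this change (or after a reboot on the new
# daemon): no explicit RETURN, the chain returns implicitly, -A is safe.
SAMPLE_NEW='-N DOCKER-USER
-A DOCKER-USER -i eth0 -p tcp --dport 8080 -j DROP
-A DOCKER-USER -i eth0 -p tcp --dport 9090 -j DROP'

# Exit 0 if the dump on stdin contains the unconditional RETURN, else 1.
has_explicit_return() {
    grep -qx -e '-A DOCKER-USER -j RETURN'
}

# Print how many DOCKER-USER rules follow the unconditional RETURN (0 if none).
dead_rules_after_return() {
    awk '
        seen && /^-A DOCKER-USER / { n++ }
        $0 == "-A DOCKER-USER -j RETURN" { seen = 1 }
        END { print n + 0 }
    '
}

# One-line report for the dump on stdin, with the remediation a host that
# was upgraded (rule kept) rather than rebooted (rule gone) would need.
audit_docker_user() {
    dump=$(cat)
    if printf '%s\n' "$dump" | has_explicit_return; then
        dead=$(printf '%s\n' "$dump" | dead_rules_after_return)
        echo "explicit RETURN present; $dead rule(s) after it are unreachable"
        echo "fix: iptables -D DOCKER-USER -j RETURN, then re-add the stranded rules"
    else
        echo "no explicit RETURN; rules may be appended with -A"
    fi
}
```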
@robmry robmry self-assigned this May 28, 2025
@robmry robmry added this to the 29.0.0 milestone May 28, 2025
@robmry robmry added kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. area/networking Networking area/networking/firewalling Networking impact/changelog labels May 28, 2025
@robmry robmry marked this pull request as ready for review May 28, 2025 13:32
@thaJeztah thaJeztah (Member) left a comment

SGTM

@robmry robmry modified the milestones: 29.0.0, 28.2.1 May 28, 2025
@thaJeztah thaJeztah modified the milestones: 28.2.1, 28.2.2 May 29, 2025
@robmry robmry merged commit b43afbf into moby:master May 29, 2025
168 of 172 checks passed
@robmry robmry deleted the remove_docker-user_return_rule branch May 29, 2025 18:46
@vin01 vin01 commented Jun 4, 2025

The description seems misleading; same in the release notes:

When creating the iptables DOCKER-USER chain, do not add an explicit RETURN rule, allowing users to append as well as insert their own rules. Existing rules are not removed on upgrade, but it won't be replaced after a reboot.

instead of "but it will be replaced after a reboot".

@robmry robmry (Contributor, Author) commented Jun 4, 2025

Hi @vin01 - I think the text is ok.

Upgraded versions of docker won't delete an existing RETURN rule from the DOCKER-USER chain, but they won't add one either. So, after upgrade, the rule will still be there. But, on reboot, all of the rules are deleted. When the new daemon starts, it won't create the RETURN rule.

Does that make sense?

@vin01 vin01 commented Jun 4, 2025

Thanks for the quick response. It does make sense, granted that one knows that after a reboot the rules are created afresh. For me, "replaced" was what made me wonder if this behavior had been changed, so I had to take a closer look; "re-created" might have been slightly more explicit.

I am looking at it in context of #50129 which does not seem like an iptables issue now but something else internally in swarm networking.

@robmry robmry (Contributor, Author) commented Jun 4, 2025

Ah, right - makes sense, thank you. Hopefully this discussion will clarify things for anyone else who comes looking.

Successfully merging this pull request may close these issues.

DOCKER-USER is modified upon network creation