Docker fails to run with port option due to the bundled iptables

i05 · 2019-03-18 11:34:55

As reported at GitHub issues, Docker fails to run on Arch due to an error `unknown option "--dport"` from bundled iptables if we specify port option as like below:

$ docker run --rm -it -p 80:80 alpine
docker: Error response from daemon: driver failed programming external connectivity on endpoint tender_volhard (954d664336eb5ea7b2c7f808889b3033977b45f53f99ba38bbc66bfcf14a61ef):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 80 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0: iptables v1.8.2 (legacy): unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
 (exit status 2)).

This seems caused by the legacy interface of iptables. Is there any handy workaround for this unavailability from arch side?
Docker allows us to entirely disable iptables according to https://docs.docker.com/network/iptables/; however, it brings a lot of burdens to us. So it's great if we can safely use non-legacy one without affecting base package libraries, etc.

$ uname -r
4.20.12-arch1-1-ARCH
$ iptables --version
iptables v1.8.2 (legacy)
$ iptables-legacy --version
iptables v1.8.2 (legacy)

Last edited by i05 (2019-03-18 12:02:34)

loqs · 2019-03-18 12:12:53

If you switch to iptables-nft does that resolve the issue? Is there an upstream bug report making the netfilter developers aware of the issue?

i05 · 2019-03-18 12:21:53

As long as I see, iptables-nft also doesn't have the "--dport" option.

$ iptables-nft --help | grep "dport" | wc -l 
0
$ iptables-nft --version
iptables v1.8.2 (nf_tables)

Is there an upstream bug report making the netfilter developers aware of the issue?

I am not sure if they are aware of it at the moment.

loqs · 2019-03-18 12:25:22

See man 8 iptables-extensions.

i05 · 2019-03-18 13:25:20

Creating symlink and reboot (restarting docker daemon wasn't enough) worked for me:

sudo ln -s /usr/bin/iptables-nft /usr/local/bin/iptables
reboot

Thanks, loqs.

loqs · 2019-03-18 15:23:01

ls -la /usr/bin/iptables /usr/bin/iptables-nft
lrwxrwxrwx 1 root root 17 Nov 13 15:11 /usr/bin/iptables -> xtables-nft-multi
lrwxrwxrwx 1 root root 17 Nov 13 15:11 /usr/bin/iptables-nft -> xtables-nft-multi

Arch Linux

#1 2019-03-18 11:34:55

Docker fails to run with port option due to the bundled iptables

#2 2019-03-18 12:12:53

Re: Docker fails to run with port option due to the bundled iptables

#3 2019-03-18 12:21:53

Re: Docker fails to run with port option due to the bundled iptables

#4 2019-03-18 12:25:22

Re: Docker fails to run with port option due to the bundled iptables

#5 2019-03-18 13:25:20

Re: Docker fails to run with port option due to the bundled iptables

#6 2019-03-18 15:23:01

Re: Docker fails to run with port option due to the bundled iptables

Board footer