nftables: don't enable IP forwarding

For nftables only, never enable IP forwarding on the host. Instead,
return an error on network creation if forwarding is not enabled but
is required by a bridge network and --ip-forward=true.

If IPv4 forwarding is not enabled when the daemon is started with
nftables enabled and other config at defaults, the daemon will
exit when it tries to create the default bridge.

Otherwise, network creation will fail with an error if IPv4/IPv6
forwarding is not enabled when a network is created with IPv4/IPv6.

It's the user's responsibility to configure and secure their host
when they run Docker with nftables.

Signed-off-by: Rob Murray <rob.murray@docker.com>
This commit is contained in:
Rob Murray
2025-08-05 10:51:35 +01:00
parent 7dfeee8460
commit 67ffa47090
13 changed files with 164 additions and 162 deletions


@@ -358,7 +358,6 @@ func TestBridgeINCRouted(t *testing.T) {
d := daemon.New(t)
d.StartWithBusybox(ctx, t)
t.Cleanup(func() { d.Stop(t) })
firewallBackend := d.FirewallBackendDriver(t)
c := d.NewClientT(t)
t.Cleanup(func() { c.Close() })
@@ -457,10 +456,12 @@ func TestBridgeINCRouted(t *testing.T) {
},
}
for _, fwdPolicy := range []string{"ACCEPT", "DROP"} {
networking.SetFilterForwardPolicies(t, firewallBackend, fwdPolicy)
runTests := func(testName, policy string) {
networking.FirewalldReload(t, d)
t.Run(fwdPolicy, func(t *testing.T) {
t.Run(testName, func(t *testing.T) {
if policy != "" {
networking.SetFilterForwardPolicies(t, policy)
}
for _, tc := range testcases {
t.Run(tc.name+"/v4/ping", func(t *testing.T) {
t.Parallel()
@@ -497,6 +498,13 @@ func TestBridgeINCRouted(t *testing.T) {
}
})
}
if strings.HasPrefix(d.FirewallBackendDriver(t), "iptables") {
runTests("iptables-ACCEPT", "ACCEPT")
runTests("iptables-DROP", "DROP")
} else {
runTests("nftables", "")
}
}
// TestAccessToPublishedPort checks that a container in one network can
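Review bot: The else branch at the `strings.HasPrefix(d.FirewallBackendDriver(t), "iptables")` check labels any non-iptables backend "nftables" and, because `policy` is empty, runs with whatever filter-FORWARD policy the host already has, so the outcome depends on host state that the test name does not record. Naming the run after the driver, `runTests(d.FirewallBackendDriver(t), "")`, keeps the label honest if other backends exist, and the sentinel deserves a comment on the closure, e.g. `// policy == "" leaves the host's filter-FORWARD policy as found; used for nftables, where host forwarding is left to the administrator (this commit no longer enables IP forwarding there).` The two-argument `SetFilterForwardPolicies(t, policy)` form is defined outside this hunk, so what it does when the backend is not iptables cannot be checked here. TestBridgeINCRouted starts before the first hunk, and the testcases body between the second and third hunk is outside the view.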


@@ -648,7 +648,6 @@ func TestDirectRoutingOpenPorts(t *testing.T) {
d := daemon.New(t)
d.StartWithBusybox(ctx, t)
t.Cleanup(func() { d.Stop(t) })
firewallBackend := d.FirewallBackendDriver(t)
c := d.NewClientT(t)
t.Cleanup(func() { c.Close() })
@@ -770,9 +769,11 @@ func TestDirectRoutingOpenPorts(t *testing.T) {
// Run the ping and http tests in two parallel groups, rather than waiting for
// ping/http timeouts separately. (The iptables filter-FORWARD policy affects the
// whole host, so ACCEPT/DROP tests can't be parallelized).
for _, fwdPolicy := range []string{"ACCEPT", "DROP"} {
networking.SetFilterForwardPolicies(t, firewallBackend, fwdPolicy)
t.Run(fwdPolicy, func(t *testing.T) {
runTests := func(testName, policy string) {
t.Run(testName, func(t *testing.T) {
if policy != "" {
networking.SetFilterForwardPolicies(t, policy)
}
for gwMode := range networks {
t.Run(gwMode+"/v4/ping", func(t *testing.T) {
testPing(t, "ping", networks[gwMode].ipv4, expPingExit[gwMode])
@@ -795,6 +796,13 @@ func TestDirectRoutingOpenPorts(t *testing.T) {
}
})
}
if strings.HasPrefix(d.FirewallBackendDriver(t), "iptables") {
runTests("iptables-ACCEPT", "ACCEPT")
runTests("iptables-DROP", "DROP")
} else {
runTests("nftables", "")
}
}
func TestAcceptFwMark(t *testing.T) {
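Review bot: The comment just above `runTests` ("The iptables filter-FORWARD policy affects the whole host, so ACCEPT/DROP tests can't be parallelized") now describes only the iptables runs, while the nftables run added in the last hunk sets no policy at all and is silent about it; extend the comment with `// Under nftables no policy is set: the run uses whatever filter-FORWARD policy the host already has, so expectations assume a host that forwards.` The last clause is an inference — the `expPingExit`/`expHTTP` tables are built outside this hunk, so it should be confirmed against them. As in the sibling test, the else branch labels every non-iptables driver "nftables"; `runTests(d.FirewallBackendDriver(t), "")` would record the actual backend in the subtest name. TestDirectRoutingOpenPorts starts before the first hunk and its ping/http test bodies lie between the hunks.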