Merge pull request #48638 from robmry/iptables-nft

Use iptables-nft in the dev container / CI
This commit is contained in:
Brian Goff
2025-02-27 12:03:14 -08:00
committed by GitHub
2 changed files with 14 additions and 7 deletions


@@ -538,6 +538,7 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
inetutils-ping \
iproute2 \
iptables \
nftables \
jq \
libcap2-bin \
libnet1 \
@@ -558,11 +559,6 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
xz-utils \
zip \
zstd
# Switch to use iptables instead of nftables (to match the CI hosts)
# TODO use some kind of runtime auto-detection instead if/when nftables is supported (https://github.com/moby/moby/issues/26824)
RUN update-alternatives --set iptables /usr/sbin/iptables-legacy || true \
&& update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \
&& update-alternatives --set arptables /usr/sbin/arptables-legacy || true
RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
--mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
apt-get update && apt-get install --no-install-recommends -y \
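Review bot: With the update-alternatives block removed, the backend that `iptables` and `ip6tables` resolve to in the dev container is now whatever the base image's default alternative happens to be; nothing in this hunk pins it to iptables-nft, and the removed lines show the choice is made per binary, so a base-image bump could silently flip one or both back to legacy. Since legacy and nf_tables rules can coexist in one kernel, a mismatch between the container's tooling and the CI host it shares a kernel with would let tests pass against rules the other side never evaluates, which is exactly the situation the deleted "to match the CI hosts" comment was guarding against. Pinning explicitly keeps that intent while switching backends: `RUN update-alternatives --set iptables /usr/sbin/iptables-nft && update-alternatives --set ip6tables /usr/sbin/ip6tables-nft`. The apt-get install list this hunk edits starts and ends outside the hunk.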


@@ -2,6 +2,7 @@ package libnetwork
import (
"fmt"
"strings"
"testing"
"github.com/docker/docker/libnetwork/drivers/bridge"
@@ -14,6 +15,7 @@ import (
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
"gotest.tools/v3/golden"
"gotest.tools/v3/icmd"
)
const (
@@ -25,6 +27,15 @@ func TestUserChain(t *testing.T) {
iptable4 := iptables.GetIptable(iptables.IPv4)
iptable6 := iptables.GetIptable(iptables.IPv6)
res := icmd.RunCommand("iptables", "--version")
assert.NilError(t, res.Error)
noChainErr := "No chain/target/match by that name"
if strings.Contains(res.Combined(), "nf_tables") {
// For a non-existent chain, iptables-nft "-S <chain>" reports:
// ip6tables v1.8.9 (nf_tables): chain `<chain>' in table `filter' is incompatible, use 'nft' tool.
noChainErr = "incompatible, use 'nft' tool"
}
tests := []struct {
iptables bool
append bool // append other rules to FORWARD
@@ -103,9 +114,9 @@ func TestUserChain(t *testing.T) {
fmt.Sprintf("TestUserChain_iptables-%v_append-%v_usrafter6", tc.iptables, tc.append))
} else {
_, err := iptable4.Raw("-S", usrChainName)
assert.Check(t, is.ErrorContains(err, "No chain/target/match by that name"), "ipv4 chain %v: created unexpectedly", usrChainName)
assert.Check(t, is.ErrorContains(err, noChainErr), "ipv4 chain %v: created unexpectedly", usrChainName)
_, err = iptable6.Raw("-S", usrChainName)
assert.Check(t, is.ErrorContains(err, "No chain/target/match by that name"), "ipv6 chain %v: created unexpectedly", usrChainName)
assert.Check(t, is.ErrorContains(err, noChainErr), "ipv6 chain %v: created unexpectedly", usrChainName)
}
})
}
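Review bot: The backend probe at the top of TestUserChain runs `iptables --version` only, but the resulting `noChainErr` is asserted against both `iptable4.Raw` and `iptable6.Raw`; on Debian-style systems the legacy/nft choice is a separate update-alternatives entry per binary (the same commit's Dockerfile change sets them individually), so if `ip6tables` resolves to a different backend than `iptables` the IPv6 assertion fails with a misleading "created unexpectedly" message rather than reporting the real cause. The expected nft text is also tied to a specific version (the comment cites v1.8.9), which is worth stating so a future wording change is recognised quickly. Probing each binary separately keeps the check honest; TestUserChain continues outside the hunk.
```go
// noChainErr returns the text iptables emits for "-S <missing chain>", which differs
// between the legacy and nf_tables backends. The backend is chosen per binary via
// update-alternatives, so probe iptables and ip6tables independently.
noChainErr := func(bin string) string {
	res := icmd.RunCommand(bin, "--version")
	assert.NilError(t, res.Error)
	if strings.Contains(res.Combined(), "nf_tables") {
		// Observed with iptables v1.8.9 (nf_tables):
		//   chain `<chain>' in table `filter' is incompatible, use 'nft' tool.
		return "incompatible, use 'nft' tool"
	}
	return "No chain/target/match by that name"
}
noChainErr4, noChainErr6 := noChainErr("iptables"), noChainErr("ip6tables")
// … unchanged: test table and loop …
assert.Check(t, is.ErrorContains(err, noChainErr4), "ipv4 chain %v: created unexpectedly", usrChainName)
// … unchanged: iptable6.Raw call …
assert.Check(t, is.ErrorContains(err, noChainErr6), "ipv6 chain %v: created unexpectedly", usrChainName)
```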