diff --git a/Dockerfile b/Dockerfile
index 46ea648cee..f93993f90d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -538,6 +538,7 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
 inetutils-ping \
 iproute2 \
 iptables \
+ nftables \
 jq \
 libcap2-bin \
 libnet1 \
@@ -558,11 +559,6 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
 xz-utils \
 zip \
 zstd
-# Switch to use iptables instead of nftables (to match the CI hosts)
-# TODO use some kind of runtime auto-detection instead if/when nftables is supported (https://github.com/moby/moby/issues/26824)
-RUN update-alternatives --set iptables /usr/sbin/iptables-legacy || true \ && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \ && update-alternatives --set arptables /usr/sbin/arptables-legacy || true
 RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
 --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
 apt-get update && apt-get install --no-install-recommends -y \
diff --git a/libnetwork/firewall_linux_test.go b/libnetwork/firewall_linux_test.go
index 2f6f533a20..23006558d8 100644
--- a/libnetwork/firewall_linux_test.go
+++ b/libnetwork/firewall_linux_test.go
@@ -2,6 +2,7 @@ package libnetwork
 import (
 "fmt"
+ "strings"
 "testing"
 "github.com/docker/docker/libnetwork/drivers/bridge"
@@ -14,6 +15,7 @@ import (
 "gotest.tools/v3/assert"
 is "gotest.tools/v3/assert/cmp"
 "gotest.tools/v3/golden"
+ "gotest.tools/v3/icmd"
 )
 const (
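Review bot: The added `nftables \` package line, together with the removal of the `update-alternatives --set ... iptables-legacy` pin in the next hunk, leaves it to the base image's alternatives default which iptables backend (legacy or nf_tables) the dev container and its tests actually run against, and the Dockerfile no longer records that choice or why the old "match the CI hosts" rationale is obsolete. A short comment beside the new package line would keep that intent visible for the next person who sees a test fail only on one backend, e.g. `# nftables is installed alongside iptables; which iptables backend (legacy or nft) is active is left to the base image's update-alternatives default, so tests must handle either`. Whether CI hosts still run the legacy backend is not visible here, so that comment should be adjusted if the CI side is also changing. The RUN instruction these package lines belong to starts before the hunk.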
@@ -25,6 +27,15 @@ func TestUserChain(t *testing.T) {
 iptable4 := iptables.GetIptable(iptables.IPv4)
 iptable6 := iptables.GetIptable(iptables.IPv6)
+ res := icmd.RunCommand("iptables", "--version")
+ assert.NilError(t, res.Error)
+ noChainErr := "No chain/target/match by that name"
+ if strings.Contains(res.Combined(), "nf_tables") {
+ // For a non-existent chain, iptables-nft "-S " reports:
+ // ip6tables v1.8.9 (nf_tables): chain `' in table `filter' is incompatible, use 'nft' tool.
+ noChainErr = "incompatible, use 'nft' tool"
+ }
+
 tests := []struct {
 iptables bool
 append bool // append other rules to FORWARD
@@ -103,9 +114,9 @@ func TestUserChain(t *testing.T) {
 fmt.Sprintf("TestUserChain_iptables-%v_append-%v_usrafter6", tc.iptables, tc.append))
 } else {
 _, err := iptable4.Raw("-S", usrChainName)
- assert.Check(t, is.ErrorContains(err, "No chain/target/match by that name"), "ipv4 chain %v: created unexpectedly", usrChainName)
+ assert.Check(t, is.ErrorContains(err, noChainErr), "ipv4 chain %v: created unexpectedly", usrChainName)
 _, err = iptable6.Raw("-S", usrChainName)
- assert.Check(t, is.ErrorContains(err, "No chain/target/match by that name"), "ipv6 chain %v: created unexpectedly", usrChainName)
+ assert.Check(t, is.ErrorContains(err, noChainErr), "ipv6 chain %v: created unexpectedly", usrChainName)
 }
 })
 }
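Review bot: The backend is probed only via `res := icmd.RunCommand("iptables", "--version")`, yet the resulting `noChainErr` is later asserted against both `iptable4.Raw("-S", ...)` and `iptable6.Raw("-S", ...)`; iptables and ip6tables are separate update-alternatives entries (the removed Dockerfile lines set them one by one), so a host where only one family resolves to the nf_tables variant will fail the other family's assertion with a misleading "created unexpectedly" message. I would probe each binary separately through a small helper and keep two expected strings, as sketched below, or drop message matching entirely and instead list the table with `Raw("-S")` and assert the chain name is absent, which is independent of backend and of the exact wording. Matching on a tool's error text is also version-fragile; the comment pins the v1.8.9 wording, and the quoted `chain `'` looks like it lost the chain name in transit, so worth re-checking the comment. TestUserChain starts before this hunk and its body continues past it.

```go
// noChainErrFor returns the substring BIN reports when a chain does not
// exist; the wording differs between the legacy and nf_tables backends, and
// iptables and ip6tables may be on different backends, so probe each one.
func noChainErrFor(t *testing.T, bin string) string {
	t.Helper()
	res := icmd.RunCommand(bin, "--version")
	assert.NilError(t, res.Error)
	if strings.Contains(res.Combined(), "nf_tables") {
		return "incompatible, use 'nft' tool"
	}
	return "No chain/target/match by that name"
}

// … in TestUserChain, replacing the res/noChainErr block …
	noChainErr4 := noChainErrFor(t, "iptables")
	noChainErr6 := noChainErrFor(t, "ip6tables")
// … unchanged: tests table … ; the later assertions use noChainErr4 / noChainErr6 respectively
```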