diff --git a/api/swagger.yaml b/api/swagger.yaml
index 79bb657556..bc4f669a7d 100644
--- a/api/swagger.yaml
+++ b/api/swagger.yaml
@@ -5546,13 +5546,28 @@ definitions:
type: "boolean"
example: true
BridgeNfIptables:
- description: "Indicates if `bridge-nf-call-iptables` is available on the host."
+ description: |
+ Indicates if `bridge-nf-call-iptables` is available on the host when
+ the daemon was started.
+
+
+
+ > **Deprecated**: netfilter module is now loaded on-demand and no longer
+ > during daemon startup, making this field obsolete. This field is always
+ > `false` and will be removed in a API v1.49.
type: "boolean"
- example: true
+ example: false
BridgeNfIp6tables:
- description: "Indicates if `bridge-nf-call-ip6tables` is available on the host."
+ description: |
+ Indicates if `bridge-nf-call-ip6tables` is available on the host.
+
+
+
+ > **Deprecated**: netfilter module is now loaded on-demand, and no longer
+ > during daemon startup, making this field obsolete. This field is always
+ > `false` and will be removed in a API v1.49.
type: "boolean"
- example: true
+ example: false
Debug:
description: |
Indicates if the daemon is running in debug-mode / with debug-level
diff --git a/api/types/system/info.go b/api/types/system/info.go
index 4704edfba7..8a2444da28 100644
--- a/api/types/system/info.go
+++ b/api/types/system/info.go
@@ -29,8 +29,8 @@ type Info struct {
CPUSet bool
PidsLimit bool
IPv4Forwarding bool
- BridgeNfIptables bool
- BridgeNfIP6tables bool `json:"BridgeNfIp6tables"`
+ BridgeNfIptables bool `json:"BridgeNfIptables"` // Deprecated: netfilter module is now loaded on-demand and no longer during daemon startup, making this field obsolete. This field is always false and will be removed in the next release.
+ BridgeNfIP6tables bool `json:"BridgeNfIp6tables"` // Deprecated: netfilter module is now loaded on-demand and no longer during daemon startup, making this field obsolete. This field is always false and will be removed in the next release.
Debug bool
NFd int
OomKillDisable bool
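Review bot: The `Deprecated:` notices on `BridgeNfIptables` and `BridgeNfIP6tables` are trailing line comments, and Go deprecation tooling (godoc, and as far as I know staticcheck and gopls) generally reads only the doc comment above a field, so callers may get no warning. I would move each notice onto its own line above the field, e.g. `// Deprecated: netfilter module is now loaded on-demand, making this field obsolete. This field is always false.` followed by the field declaration. The comment also says "removed in the next release" while the swagger text in this commit says API v1.49; one wording should be used in both places. Since the value is now a constant `false`, it is worth stating in the comment that it no longer reflects whether bridged traffic is passed to iptables, so clients do not keep using it as a host-posture signal.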
diff --git a/daemon/info.go b/daemon/info.go
index 49e2b17d26..1c852a30fa 100644
--- a/daemon/info.go
+++ b/daemon/info.go
@@ -53,8 +53,6 @@ func (daemon *Daemon) SystemInfo(ctx context.Context) (*system.Info, error) {
ID: daemon.id,
Images: daemon.imageService.CountImages(ctx),
IPv4Forwarding: !sysInfo.IPv4ForwardingDisabled,
- BridgeNfIptables: !sysInfo.BridgeNFCallIPTablesDisabled,
- BridgeNfIP6tables: !sysInfo.BridgeNFCallIP6TablesDisabled,
Name: hostName(ctx),
SystemTime: time.Now().Format(time.RFC3339Nano),
LoggingDriver: daemon.defaultLogConfig.Type,
diff --git a/docs/api/v1.47.yaml b/docs/api/v1.47.yaml
index 5fc4121363..b716d80efc 100644
--- a/docs/api/v1.47.yaml
+++ b/docs/api/v1.47.yaml
@@ -5512,7 +5512,11 @@ definitions:
type: "boolean"
example: true
BridgeNfIptables:
- description: "Indicates if `bridge-nf-call-iptables` is available on the host."
+ description: |
+ Indicates if `bridge-nf-call-iptables` is available on the host when
+ the daemon was started.
+
+ The `br_netfilter`
type: "boolean"
example: true
BridgeNfIp6tables:
diff --git a/docs/api/version-history.md b/docs/api/version-history.md
index 43061be427..6d45c7a1e6 100644
--- a/docs/api/version-history.md
+++ b/docs/api/version-history.md
@@ -22,6 +22,10 @@ keywords: "API, Docker, rcli, REST, documentation"
and `AllowNondistributableArtifactsHostnames` fields in the `RegistryConfig`
struct in the `GET /info` response will now always be `null` and will be
omitted in API v1.49.
+* Deprecated: The `BridgeNfIptables` and `BridgeNfIp6tables` fields in the
+ `GET /info` response are now always be `false` and will be omitted in API
+ v1.49. The netfilter module is now loaded on-demand, and no longer during
+ daemon startup, making these fields obsolete.
* `GET /images/{name}/history` now supports a `platform` parameter (JSON
encoded OCI Platform type) that allows to specify a platform to show the
history of.
diff --git a/integration-cli/requirements_unix_test.go b/integration-cli/requirements_unix_test.go
index bdf3d0d693..27eadaeeb7 100644
--- a/integration-cli/requirements_unix_test.go
+++ b/integration-cli/requirements_unix_test.go
@@ -64,7 +64,8 @@ func seccompEnabled() bool {
}
func bridgeNfIptables() bool {
- return !sysInfo.BridgeNFCallIPTablesDisabled
+ content, err := os.ReadFile("/proc/sys/net/bridge/bridge-nf-call-iptables")
+ return err == nil && strings.TrimSpace(string(content)) == "1"
}
func unprivilegedUsernsClone() bool {
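Review bot: `bridgeNfIptables()` now returns false both when the sysctl is `0` and when `/proc/sys/net/bridge/bridge-nf-call-iptables` cannot be read, and with the module loaded on demand (per the deprecation text in this commit) that file may be absent until something loads it. Tests gated on this requirement could then be skipped instead of run, quietly dropping coverage of the bridge filtering path; whether that happens depends on when the requirement is evaluated, which this hunk does not show. A doc comment would make the behaviour explicit, e.g. `// bridgeNfIptables reports whether bridge-nf-call-iptables is currently 1; it is false when br_netfilter is not loaded.` The new lines also rely on `os` and `strings` being imported in this file, which is outside the hunk.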
diff --git a/pkg/sysinfo/sysinfo.go b/pkg/sysinfo/sysinfo.go
index c41dbcb40c..066ddc8165 100644
--- a/pkg/sysinfo/sysinfo.go
+++ b/pkg/sysinfo/sysinfo.go
@@ -27,9 +27,13 @@ type SysInfo struct {
IPv4ForwardingDisabled bool
// Whether bridge-nf-call-iptables is supported or not
+ //
+ // Deprecated: netfilter module is now loaded on-demand and no longer during daemon startup, making this field obsolete. This field is always false and will be removed in the next release.
BridgeNFCallIPTablesDisabled bool
// Whether bridge-nf-call-ip6tables is supported or not
+ //
+ // Deprecated: netfilter module is now loaded on-demand and no longer during daemon startup, making this field obsolete. This field is always false and will be removed in the next release.
BridgeNFCallIP6TablesDisabled bool
// Whether the cgroup has the mountpoint of "devices" or not
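Review bot: For `BridgeNFCallIPTablesDisabled` and `BridgeNFCallIP6TablesDisabled`, "always false" means "never disabled", so any reader of these fields left outside this diff would treat bridge netfilter as available without it ever being checked. That is the opposite polarity of the API fields `BridgeNfIptables`/`BridgeNfIp6tables`, which are also fixed at `false`, and it turns a former warning condition into a silent pass. I would say so in the notice, e.g. `// Deprecated: no longer populated; always false and carries no information about the host. Do not use it to decide whether bridged traffic passes through iptables.` The existing first line ("Whether ... is supported or not") also reads inverted against the `Disabled` name and could be corrected while the comment is being touched.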
diff --git a/pkg/sysinfo/sysinfo_linux.go b/pkg/sysinfo/sysinfo_linux.go
index 59bf0d278a..554586b820 100644
--- a/pkg/sysinfo/sysinfo_linux.go
+++ b/pkg/sysinfo/sysinfo_linux.go
@@ -267,8 +267,6 @@ func applyDevicesCgroupInfo(info *SysInfo) {
// applyNetworkingInfo adds networking information to the info.
func applyNetworkingInfo(info *SysInfo) {
info.IPv4ForwardingDisabled = !readProcBool("/proc/sys/net/ipv4/ip_forward")
- info.BridgeNFCallIPTablesDisabled = !readProcBool("/proc/sys/net/bridge/bridge-nf-call-iptables")
- info.BridgeNFCallIP6TablesDisabled = !readProcBool("/proc/sys/net/bridge/bridge-nf-call-ip6tables")
}
// applyAppArmorInfo adds whether AppArmor is enabled to the info.