rootless: enable IP forwarding

Signed-off-by: Rob Murray <rob.murray@docker.com>
2026-01-11 18:51:37 +00:00 · 2025-08-06 16:12:10 +01:00
parent f802d8a08e
commit f71e86eed5
1 changed files with 7 additions and 0 deletions
--- a/contrib/dockerd-rootless.sh
+++ b/contrib/dockerd-rootless.sh
@@ -199,5 +199,12 @@ else
 		mount_directory /etc/ssl "--rbind"
 	fi

+	# When running with --firewall-backend=nftables, IP forwarding needs to be enabled
+	# because the daemon won't enable it. IP forwarding is harmless in the rootless
+	# netns, there's only a single external interface and only Docker uses the netns.
+	# So, always enable IPv4 and IPv6 forwarding.
+	sysctl -w net.ipv4.ip_forward=1
+	sysctl -w net.ipv6.conf.all.forwarding=1
+
 	exec "$dockerd" "$@"
 fi