
No DOCKER-USER chain with ip6tables: true #2660

Open

RaphMad opened this issue Jun 8, 2022 · 13 comments

Comments

@RaphMad commented Jun 8, 2022

I'm using the ip6tables: true setting with no problems so far.

The only conceptual difference I found to IPv4 is that no DOCKER-USER chain gets created, which makes it hard to insert custom ip6tables rules at a defined location.

dockerd --version: Docker version 20.10.17, build a89b842

iptables -nvL | grep DOCKER-USER
 417K  335M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain DOCKER-USER (1 references)
ip6tables -nvL | grep DOCKER-USER

Is this chain still planned / slipped through / not planned for IPv6? I could not really find any discussion about it browsing the old merged/closed tickets regarding ip6tables.

@yicding commented Jan 24, 2023

This is a blocker to my system. Can someone please provide the fix in the near future? An ETA would be much appreciated.

@cfouche3005

With the ip6tables option, this should be added.

@GuidoDr commented Jan 28, 2023

At least until now (Docker version 20.10.23) it is not yet implemented in the experimental ip6tables feature.

@yicding commented Jan 28, 2023

Do you know when this will be implemented?

@GuidoDr commented Jan 28, 2023

Sorry, I do not have further information about this topic.
I had only noticed the missing DOCKER-USER rules in ip6tables myself today, searched for it and found this thread here. Since the version mentioned above was 20.10.17, I only wanted to point out that even in the newest version, 20.10.23, the DOCKER-USER chain is still missing in the experimental ip6tables feature.

@yicding commented Jan 28, 2023

Is there a docker development forum where we can post questions like this one?

@cfouche3005

Added with Docker v23.

docker version

Client: Docker Engine - Community
 Version:           23.0.0
 API version:       1.42
 Go version:        go1.19.5
 Git commit:        e92dd87
 Built:             Wed Feb  1 17:43:17 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.0
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.5
  Git commit:       d7573ab
  Built:            Wed Feb  1 17:43:17 2023
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.6.16
  GitCommit:        31aa4358a36870b21a992d3ad2bef29e1d693bec
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

iptables -S | grep DOCKER-USER

-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth0 -j DROP
-A DOCKER-USER -j RETURN

ip6tables -S | grep DOCKER-USER

-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
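
The two `-S` listings above (and the empty `ip6tables -nvL | grep DOCKER-USER` in the opening post) are exactly what an operator needs to check before relying on DOCKER-USER for custom IPv6 rules. The script below is an added example, not code from this issue or from Docker: it reads `iptables -S` / `ip6tables -S` output from stdin, reports whether the DOCKER-USER chain exists and whether FORWARD actually jumps to it, and prints (without executing) the insert command that places a custom rule ahead of Docker's trailing `-j RETURN`. The sample dumps, the function names `has_docker_user_chain`, `docker_user_insert_cmd` and `report`, and the `eth0` rule are all constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or from Docker: audit `iptables -S` /
# `ip6tables -S` output for the DOCKER-USER chain and build the insert command
# that places a custom rule ahead of Docker's own rules in that chain.

# Constructed sample in the `-S` format shown in the thread: chain present and
# wired from FORWARD (the expected v4 state and the post-fix v6 state).
SAMPLE_V4='-P INPUT ACCEPT
-P FORWARD DROP
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER
-A DOCKER-USER -j RETURN'

# Constructed: what an engine before the fix produced for IPv6 (no chain).
SAMPLE_V6_MISSING='-P INPUT ACCEPT
-P FORWARD DROP
-N DOCKER
-A FORWARD -j DOCKER'

# Constructed edge case: chain defined but FORWARD never jumps to it, so rules
# placed in it would never be evaluated.
SAMPLE_V6_UNWIRED='-P FORWARD DROP
-N DOCKER-USER
-A DOCKER-USER -j RETURN'

# has_docker_user_chain: reads `-S` output on stdin.
# Returns 0 when DOCKER-USER exists and FORWARD jumps to it,
#         1 when the chain is not defined at all,
#         2 when it is defined but nothing in FORWARD references it.
has_docker_user_chain() {
  chain_defined=0
  forward_jump=0
  while IFS= read -r line; do
    case "$line" in
      "-N DOCKER-USER") chain_defined=1 ;;
      "-A FORWARD -j DOCKER-USER") forward_jump=1 ;;
    esac
  done
  [ "$chain_defined" -eq 1 ] || return 1
  [ "$forward_jump" -eq 1 ] || return 2
  return 0
}

# docker_user_insert_cmd TOOL RULE...: prints (does not run) the command that
# inserts RULE at position 1 of DOCKER-USER, i.e. before Docker's trailing
# `-j RETURN`, so the rule is evaluated for forwarded container traffic.
docker_user_insert_cmd() {
  tool="$1"
  shift
  printf '%s -I DOCKER-USER 1 %s\n' "$tool" "$*"
}

# report LABEL DUMP: human-readable summary for one table dump; the exit
# status mirrors has_docker_user_chain so callers can act on it.
report() {
  label="$1"
  status=0
  printf '%s\n' "$2" | has_docker_user_chain || status=$?
  case "$status" in
    0) echo "$label: DOCKER-USER present and reachable from FORWARD" ;;
    1) echo "$label: DOCKER-USER chain missing" ;;
    2) echo "$label: DOCKER-USER defined but not referenced from FORWARD" ;;
  esac
  return "$status"
}

# Demonstration on the constructed samples; `|| true` keeps the script's exit
# status clean, since a missing chain is reported here rather than fatal.
report "iptables (v4 sample)" "$SAMPLE_V4" || true
report "ip6tables (pre-fix sample)" "$SAMPLE_V6_MISSING" || true
report "ip6tables (unwired sample)" "$SAMPLE_V6_UNWIRED" || true
# Insert command, printed only: drop new forwarded IPv6 connections arriving
# on eth0 (mirrors the v4 `-i eth0 -j DROP` rule shown in the thread).
docker_user_insert_cmd ip6tables -i eth0 -m conntrack --ctstate NEW -j DROP
```

On a live host, feed real output with `ip6tables -S | has_docker_user_chain`. The check must use the same iptables backend (legacy or nft) that dockerd uses: a chain created through one backend is not visible to the other backend's `-S` or `-L` listing, which is one reason a table can appear to have no DOCKER chains at all.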

@yicding commented Feb 2, 2023

Thanks a lot @cfouche3005 for confirming this!

@cfouche3005

The weird thing is that it's not explicitly mentioned in the changelog (or I didn't find the right entry in the changelog).

@GuidoDr commented Feb 2, 2023

> The weird thing is that it's not explicitly mentioned in the changelog (or I didn't find the right entry in the changelog).

It is actually mentioned in the release notes:

Fix a failure to create the DOCKER-USER ip6tables chain. moby/moby#44845

@cfouche3005 commented Feb 2, 2023

Sorry, I am too dumb and blind; thanks for mentioning it.

I think this issue can be closed.

@GuidoDr commented Feb 2, 2023

No, you're not blind. I would probably also not have seen it due to the long list of fixes, security items and new features.
I just searched for DOCKER-USER in the release notes. ;-)
And yes, I would also think that it can be closed now. @RaphMad

@preethi-fission commented Jul 19, 2024

I am using Docker version 24; still, I could not see the DOCKER-USER chain in the ip6tables list.

sudo ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
