docker / for-mac

Bug reports for Docker Desktop for Mac
https://www.docker.com/products/docker#/mac

nftables bridge meta support missing #6410

Open gh0st42 opened 2 years ago

gh0st42 commented 2 years ago

Expected behavior

Setting up bridges in a docker container, e.g., for network emulation software like coreemu. Having an nftables config like the following in /tmp/rules.nftables:

add table bridge b.1.1
add chain bridge b.1.1 forward {type filter hook forward priority -1; policy drop;}
add rule bridge b.1.1 forward ibriport != b.1.1 accept

it should be loadable with nft -t /tmp/rules.nftables

Actual behavior

When executed, the first two rules work flawlessly, but the third one fails:

/tmp/rules.nftables:3:1-55: Error: Could not process rule: Operation not supported
add rule bridge b.1.1 forward ibriport != b.1.1 accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Information

When working with bridges in a docker container, it is not possible to write proper rules using nftables, as the Docker VM Linux system has support for CONFIG_NFT_BRIDGE_REJECT but lacks support for CONFIG_NFT_BRIDGE_META in the kernel (according to /proc/config.gz). In the past, this was usually not such a big deal, as many systems used the now-deprecated ebtables kernel modules, which worked in Docker Desktop.

This affects Docker Desktop for macOS (4.10.1 (82475)) on Intel and M1, but probably other Docker Desktop installations as well.

Steps to reproduce the behavior

Dockerfile:

ARG ARCH=
FROM ${ARCH}ubuntu:20.04
LABEL Description="NFTABLES Docker Image"

# define variables
ARG DEBIAN_FRONTEND=noninteractive

# install system dependencies
RUN apt-get update && \
  apt-get install -y --no-install-recommends \
  bash \
  nftables \
  && apt-get clean

RUN echo "add table bridge b.1.1\n\
add chain bridge b.1.1 forward {type filter hook forward priority -1; policy drop;}\n\
add rule bridge b.1.1 forward ibriport != b.1.1 accept\n" > /rules.nftables

CMD ["nft", "-f", "/rules.nftables"]

  1. Build it: docker build -t testcase .
  2. Execute it: docker run -it --rm --privileged testcase
  3. Output:
    /rules.nftables:3:1-55: Error: Could not process rule: Operation not supported
    add rule bridge b.1.1 forward ibriport != b.1.1 accept
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

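As an added example (not part of the issue and not Docker's code): a preflight script that reads /proc/config.gz, or any kernel config file given as a path, and reports whether the bridge nftables options named above are built in, a module, or absent, so a rule set that uses ibriport can be refused before nft -f fails with "Operation not supported". The function names and the constructed sample config are the example's own assumptions.

```shell
#!/bin/sh
# Added example: check kernel config for nftables bridge support before loading rules.
# Assumes the kernel exposes /proc/config.gz (as Docker Desktop's VM does);
# a plain, uncompressed config file path can be passed instead.

# kconfig_state FILE OPTION -> prints "y" (built in), "m" (module) or "n" (absent/disabled)
kconfig_state() {
    file=$1; opt=$2
    case "$file" in
        *.gz) reader="zcat" ;;
        *)    reader="cat" ;;
    esac
    # Only an exact "OPTION=y" or "OPTION=m" line counts; "# OPTION is not set" yields "n".
    state=$($reader "$file" 2>/dev/null | sed -n "s/^${opt}=\([ym]\)$/\1/p" | head -n 1)
    [ -n "$state" ] && printf '%s\n' "$state" || printf 'n\n'
}

# require_kconfig FILE OPTION... -> returns 0 only if every option is y or m,
# printing a one-line status per option to stderr for the operator.
require_kconfig() {
    file=$1; shift
    missing=0
    for opt in "$@"; do
        s=$(kconfig_state "$file" "$opt")
        printf '%-28s %s\n' "$opt" "$s" >&2
        [ "$s" = n ] && missing=1
    done
    return $missing
}

# demo_config -> writes a constructed config mirroring the kernel described in the
# issue (reject support present, meta support missing) and prints its path.
demo_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
CONFIG_NF_TABLES=y
CONFIG_NFT_BRIDGE_REJECT=m
# CONFIG_NFT_BRIDGE_META is not set
EOF
    printf '%s\n' "$f"
}

# Typical use on a real host: refuse to load the rule set when meta support is absent.
#   require_kconfig /proc/config.gz CONFIG_NFT_BRIDGE_META CONFIG_NFT_BRIDGE_REJECT \
#       || echo "bridge rules using ibriport/obriport will fail: Operation not supported" >&2
```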
peleicht commented 2 years ago

I'm getting a similar error with Docker Desktop for Windows:

/rules.nftables:2:1-84: Error: Could not process rule: Operation not supported
add chain bridge b.1.1 forward {type filter hook forward priority -1; policy drop;}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/rules.nftables:3:1-55: Error: Could not process rule: No such file or directory
add rule bridge b.1.1 forward ibriport != b.1.1 accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

docker-robott commented 1 year ago

Issues go stale after 90 days of inactivity. Mark the issue as fresh with /remove-lifecycle stale comment. Stale issues will be closed after an additional 30 days of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows. /lifecycle stale

gh0st42 commented 1 year ago

/remove-lifecycle stale

docker-robott commented 1 year ago

There hasn't been any activity on this issue for a long time. If the problem is still relevant, mark the issue as fresh with a /remove-lifecycle stale comment. If not, this issue will be closed in 30 days.

Prevent issues from auto-closing with a /lifecycle frozen comment.

/lifecycle stale

gh0st42 commented 1 year ago

/lifecycle frozen

teschmitt commented 1 year ago

I can confirm this issue on a Mac M1 running macOS 13.1:

❯ docker run -it --rm --privileged testcase
/rules.nftables:3:1-55: Error: Could not process rule: Operation not supported
add rule bridge b.1.1 forward ibriport != b.1.1 accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^