If your firewall starts behaving strangely after installing #docker on #opensuse #slowroll, the reason is that firewalld has switched to nft, but docker still uses iptables.
-
@ptesarik Shouldn't docker be using iptables-nft by default on openSUSE?
Or am I missing something?
-
@ffmancera No idea. All I know is that packets were no longer forwarded through my default (NAT) libvirt network, and it took me way too long to find out that docker installation/startup did the equivalent of
iptables -P FORWARD DROP. It was not visible anywhere in the output of nft list ruleset. -
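A check for the situation described in the post above, added here as an example that is not part of the thread: it reads the FORWARD chain policy from each iptables backend separately, so a legacy-xtables DROP that never appears in nft list ruleset is still reported. The sample output, the file name and the --live flag are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective FORWARD chain policy from every
# iptables backend, so a legacy "iptables -P FORWARD DROP" is not missed
# when you only look at "nft list ruleset".
# The sample output below is constructed for illustration.

# forward_policy: extract the chain policy from "iptables -S FORWARD" text.
# Prints ACCEPT/DROP, or UNKNOWN when no -P line is present.
forward_policy() {
  printf '%s\n' "$1" | awk '
    $1 == "-P" && $2 == "FORWARD" { print $3; found = 1 }
    END { if (!found) print "UNKNOWN" }'
}

# check_forward: query the legacy xtables backend, iptables-nft and the
# plain "iptables" wrapper, then the native nft view. A DROP reported by
# iptables-legacy but absent from nft is exactly the case where forwarded
# traffic (e.g. a libvirt NAT network) silently stops.
check_forward() {
  for bin in iptables-legacy iptables-nft iptables; do
    command -v "$bin" >/dev/null 2>&1 || continue
    out=$("$bin" -S FORWARD 2>/dev/null) || continue
    printf '%-16s FORWARD policy: %s\n' "$bin" "$(forward_policy "$out")"
  done
  # Which backend firewalld itself manages (nftables on recent releases).
  grep -s '^FirewallBackend=' /etc/firewalld/firewalld.conf || true
  # Native nft view; a legacy-xtables policy never shows up here.
  if command -v nft >/dev/null 2>&1; then
    nft list chain ip filter FORWARD 2>/dev/null || true
  fi
}

# Constructed sample of what "iptables-legacy -S FORWARD" can look like
# once the Docker daemon has installed its chains.
SAMPLE_DOCKER='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_CLEAN='-P FORWARD ACCEPT'

printf 'sample (docker): %s\n' "$(forward_policy "$SAMPLE_DOCKER")"
printf 'sample (clean):  %s\n' "$(forward_policy "$SAMPLE_CLEAN")"
# Inspect the live host (needs root) with: sh forward_check.sh --live
if [ "${1:-}" = "--live" ]; then check_forward; fi
```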
@ptesarik oh that is too bad
-
@ptesarik Too bad docker is still used.
-
@ptesarik also I've heard that in this setup docker container ports might be exposed to the internet despite whatever firewalld config, because the two interact a bit weirdly
better double check, or — I'd recommend this — switch to rootless docker/podman, which doesn't touch iptables at all -
@oleksandr Please, yes, go fix cobbler to use a better tool for
make test-debian12:
https://github.com/cobbler/cobbler -