On Tue, 13 Nov 2018 20:38:05 +0100 Michael Biebl <bi...@debian.org> wrote:

> firewalld switched its default backend from iptables to nftables
> recently [1]. Unfortunately, this caused issues with libvirt and as
> reported in [2], also docker. I don't use docker myself, so I'm only
> relaying this information.
> The main problem seems to be, that currently there is no integration
> between docker and firewalld. Both manage firewall rules on their own.
> As soon as nftables (firewalld) and iptables (docker) are mixed, the
> result is a broken network setup.
> Please consider forwarding this issue upstream. Best is probably if
> docker upstream gets in touch with firewalld upstream to figure a
> solution.

FTR, they have merged the following commit in libnetwork to add a new "docker" zone: https://github.com/moby/libnetwork/pull/2548. Maybe that could be backported?

IIRC libvirt did the same thing to solve this issue, but with all the different bugs opened, it's not completely clear if it will do the same for docker.
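As an added illustration (not from the bug thread or from either project), the following POSIX sh script checks for the mixed state the thread describes: firewalld running with the nftables backend while docker still installs its own iptables rules. It reads `FirewallBackend=` from `/etc/firewalld/firewalld.conf` (treating an absent key as nftables, per the thread's statement that nftables is now the default), probes for docker's `DOCKER` iptables chain, and looks for the `docker` zone that the libnetwork PR above adds. The function names and the embedded sample config are this example's own, not anything shipped by firewalld or docker.

```shell
#!/bin/sh
# Added example: detect firewalld(nftables) + docker(iptables) mixing.
# Helper names and the sample config below are constructed for this example.

# Read FirewallBackend= from a firewalld.conf. Commented-out lines are ignored
# and the last assignment wins. Missing file or key -> "nftables" (assumed
# default, following the thread's note that firewalld now defaults to it).
firewalld_backend() {
    conf="${1:-/etc/firewalld/firewalld.conf}"
    backend=""
    if [ -r "$conf" ]; then
        backend=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    fi
    printf '%s\n' "${backend:-nftables}"
}

# Classify the host. $1 = backend name, $2 = "yes"/"no" for whether docker's
# own DOCKER chain is present in the iptables filter table.
classify_setup() {
    backend="$1"; docker_chain="$2"
    case "$backend:$docker_chain" in
        nftables:yes) echo "mixed" ;;            # the broken combination from the thread
        iptables:yes) echo "iptables-only" ;;    # both sides speak iptables
        *:no)         echo "no-docker-rules" ;;  # docker not installed / not started
        *)            echo "unknown" ;;
    esac
}

# Live probe: does docker's DOCKER chain exist? "no" when iptables is absent
# or the caller lacks the privilege to list it.
docker_chain_present() {
    if command -v iptables >/dev/null 2>&1 && iptables -w -S DOCKER >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Live probe: does firewalld already know a "docker" zone (what the libnetwork
# change adds), which is the integration the thread asks for?
docker_zone_present() {
    if command -v firewall-cmd >/dev/null 2>&1 \
       && firewall-cmd --get-zones 2>/dev/null | tr ' ' '\n' | grep -qx docker; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample config (not taken from any real host) so the parser can
# be exercised offline; note the commented-out iptables line must be ignored.
write_sample_conf() {
    cat >"$1" <<'EOF'
# firewalld.conf (sample)
DefaultZone=public
# FirewallBackend=iptables
FirewallBackend=nftables
EOF
}

# Human-readable report for the running host.
report() {
    be=$(firewalld_backend)
    dc=$(docker_chain_present)
    echo "firewalld backend : $be"
    echo "docker chain      : $dc"
    echo "docker zone       : $(docker_zone_present)"
    echo "assessment        : $(classify_setup "$be" "$dc")"
}

report
```

Run it as root on a host with both packages installed; an assessment of `mixed` together with `docker zone : no` is the configuration the thread reports as breaking container networking, and the remedy discussed above is either the backported "docker" zone or setting `FirewallBackend=iptables` until that integration lands.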
