Package: docker.io
Version: 18.09.1+dfsg1-5+b10
Followup-For: Bug #921600

Bugs like these are very very disappointing. Our users are going to be left out scratching heads and pulling hairs.

I'm not sure who to vent out the frustration on.

docker has its own iptables setup, the legacy one. So, for docker, they'd simply recommend to stick to it.

iptables, by itself, has switched to the new nftables. And thus has Debian. And thus has users like us, who migrated to the new setup. So, here the recommendation would be to stick with nftables.

Mix and match of legacy and current nft tables are highly discouraged in the kernel.

I think the best bare minimal recommended solution is to have an external interface (without the Docker networking bling) and tell docker just to use it as its path. In my case, my custom bridge (sysbr0), is the interface to which everyone has to talk to: VBox, Libvirt, nspawn and now docker. That way I can consolidate policies, fixes and what not at just a single location.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_USER, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages docker.io depends on:
ii  adduser             3.118
ii  iptables            1.8.2-4
ii  libc6               2.28-8
ii  libdevmapper1.02.1  2:1.02.155-2
ii  libltdl7            2.4.6-9
ii  libnspr4            2:4.20-1
ii  libnss3             2:3.42.1-1
ii  libseccomp2         2.3.3-4
ii  libsystemd0         241-3
ii  lsb-base            10.2019031300
ii  runc                1.0.0~rc6+dfsg1-3
ii  tini                0.18.0-1

Versions of packages docker.io recommends:
ii  ca-certificates  20190110
ii  cgroupfs-mount   1.4
ii  git              1:2.20.1-2
ii  needrestart      3.4-1
ii  xz-utils         5.2.4-1

Versions of packages docker.io suggests:
pn  aufs-tools           <none>
ii  btrfs-progs          4.20.1-2
ii  debootstrap          1.0.114
ii  docker-doc           18.09.1+dfsg1-5
ii  e2fsprogs            1.44.5-1
pn  rinse                <none>
ii  xfsprogs             4.20.0-1
pn  zfs-fuse | zfsutils  <none>

-- no debconf information