On Sunday, 17 May 2020 12:26:02 BST Victor Ivanov wrote:
> Andrew makes a good point that, of course, not all options will be
> relevant to a particular image or use case. The script is aimed to check
> for "full" compatibility. Having some reported as missing is by no means
> a deal breaker.
> 
> Re nftables it's a very valid point as well. I too use nftables instead
> of iptables and, in general, anything that dares touch my rules I will
> either disable the option for it to do so or, if that's not possible,
> swiftly eradicate it off my system with vengeance. I'm not a big fan of
> how Docker manages netfilter rules so I too tend to disable that from
> the config and, as Andrew said, it has been slow at adopting nftables.
> It seems Docker is being developed with primary consideration for stable
> (read archaic) distributions that have long release cycles.

Ah. I scent Debian.

> If you use nftables at all - even via other software such as firewalld,
> etc - Docker may or may not like that. Previously, though admittedly
> quite a while ago, Docker just loved adding iptables rules in addition
> to my nftables rules. Needless to say, that quickly became a mess.

I've been using shorewall for many years.

> nftables is _a lot_ easier to manage, even writing rules manually feels
> a lot more intuitive. So I think the learning curve (at least in terms
> of syntax) tends to be less steep IMO if you decide to go down that road
> at some point.
> 
> Anyway, this probably wasn't a post of high contribution value haha

All grist to the mill - thanks.

-- 
Regards,
Peter.
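
For the config-side approach mentioned above (telling dockerd to leave netfilter alone and carrying the bridge rules in nftables instead), here is an added example; it is not from this thread or from Docker's own documentation. The bridge name docker0, the 172.17.0.0/16 subnet, the uplink eth0 and the output directory are assumptions.

```bash
#!/bin/sh
# Added example, not part of the thread. Writes a dockerd config that stops
# Docker from touching iptables/nftables rules, plus an nftables fragment that
# provides the forwarding and source NAT dockerd would otherwise install.
# Assumptions: default bridge docker0 on 172.17.0.0/16, uplink eth0.

write_docker_nft_config() {
  dir="$1"   # base directory: a temp dir when testing, /etc when deploying
  mkdir -p "$dir/docker" "$dir/nftables.d"

  # "iptables": false makes dockerd skip all netfilter rule management.
  cat > "$dir/docker/daemon.json" <<'EOF'
{
  "iptables": false,
  "ip6tables": false
}
EOF

  # Replacement for the rules dockerd no longer adds: let established traffic
  # and container-originated traffic through, and masquerade it on the uplink.
  cat > "$dir/nftables.d/docker.nft" <<'EOF'
table inet docker {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "docker0" oifname "eth0" accept
    iifname "docker0" oifname "docker0" accept
  }
}
table ip docker_nat {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    ip saddr 172.17.0.0/16 oifname "eth0" masquerade
  }
}
EOF
}

# Sanity check: the config really disables rule management and the nft
# fragment really hooks the forward path. Returns 0 on success.
check_docker_nft_config() {
  dir="$1"
  grep -q '"iptables": false' "$dir/docker/daemon.json" || return 1
  grep -q 'hook forward' "$dir/nftables.d/docker.nft" || return 1
  grep -q 'masquerade' "$dir/nftables.d/docker.nft" || return 1
  return 0
}
```

With rule management disabled, dockerd also stops adding the DNAT rules behind `-p host:container` port publishing, so any published ports need their own nftables `dnat` rules in the same file.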