https://bugs.kde.org/show_bug.cgi?id=521085
Bug ID: 521085
Summary: Hotspot doesn't work when docker is installed, but this is not made obvious in the UI
Classification: Applications
Product: systemsettings
Version First Reported In: 6.6.5
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: kcm_networkmanagement
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Target Milestone: ---
DESCRIPTION
Hotspot doesn't work when docker is installed, but this is not made obvious in the UI.
STEPS TO REPRODUCE
1. Have docker installed and create a hotspot
OBSERVED RESULT
This is an extract from my ChatGPT interaction:
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
chain DOCKER {
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
xt match "addrtype" counter packets 831 bytes 65803 jump DOCKER
}
chain OUTPUT {
type nat hook output priority dstnat; policy accept;
ip daddr != 127.0.0.0/8 xt match "addrtype" counter packets 0 bytes 0 jump DOCKER
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 172.17.0.0/16 oifname != "docker0" counter packets 0 bytes 0 xt target "MASQUERADE"
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain DOCKER {
iifname != "docker0" oifname "docker0" counter packets 0 bytes 0 drop
}
chain DOCKER-FORWARD {
counter packets 2915 bytes 700524 jump DOCKER-CT
counter packets 2915 bytes 700524 jump DOCKER-INTERNAL
counter packets 2915 bytes 700524 jump DOCKER-BRIDGE
iifname "docker0" counter packets 0 bytes 0 accept
}
chain DOCKER-BRIDGE {
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
}
chain DOCKER-CT {
oifname "docker0" xt match "conntrack" counter packets 0 bytes 0 accept
}
chain DOCKER-INTERNAL {
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 2915 bytes 700524 jump DOCKER-USER
counter packets 2915 bytes 700524 jump DOCKER-FORWARD
}
chain DOCKER-USER {
}
}
# Warning: table ip6 nat is managed by iptables-nft, do not touch!
table ip6 nat {
chain DOCKER {
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
xt match "addrtype" counter packets 0 bytes 0 jump DOCKER
}
chain OUTPUT {
type nat hook output priority dstnat; policy accept;
ip6 daddr != ::1 xt match "addrtype" counter packets 0 bytes 0 jump DOCKER
}
}
table ip6 filter {
chain DOCKER {
}
chain DOCKER-FORWARD {
counter packets 0 bytes 0 jump DOCKER-CT
counter packets 0 bytes 0 jump DOCKER-INTERNAL
counter packets 0 bytes 0 jump DOCKER-BRIDGE
}
chain DOCKER-BRIDGE {
}
chain DOCKER-CT {
}
chain DOCKER-INTERNAL {
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump DOCKER-USER
counter packets 0 bytes 0 jump DOCKER-FORWARD
}
chain DOCKER-USER {
}
}
table ip nm-shared-wlo1 {
chain nat_postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.42.0.0/24 ip daddr != 10.42.0.0/24 masquerade
}
chain filter_forward {
type filter hook forward priority filter; policy accept;
ip daddr 10.42.0.0/24 oifname "wlo1" ct state { established, related } accept
ip saddr 10.42.0.0/24 iifname "wlo1" accept
iifname "wlo1" oifname "wlo1" accept
iifname "wlo1" reject
oifname "wlo1" reject
}
Your hotspot routing is almost correct. The breakage is here:
```nft
table ip filter {
chain FORWARD {
type filter hook forward priority filter; policy drop;
...
jump DOCKER-FORWARD
}
}
```
Docker installed an IPv4 `FORWARD` base chain with `policy drop`.
NetworkManager also installed correct hotspot rules:
```nft
table ip nm-shared-wlo1 {
ip saddr 10.42.0.0/24 ... masquerade
ip saddr 10.42.0.0/24 iifname "wlo1" accept
}
```
But Docker's `FORWARD policy drop` is killing forwarding. Thus the client gets DHCP and a default route, but packets do not make it through to `eno2`.
Fix it by allowing hotspot traffic through Docker's `DOCKER-USER` chain:
```bash
sudo iptables -I DOCKER-USER 1 -i wlo1 -o eno2 -j ACCEPT
sudo iptables -I DOCKER-USER 2 -i eno2 -o wlo1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```
Then test from the `10.42.0.62` device:
```bash
ping 10.42.0.1
ping 192.168.0.1
ping 1.1.1.1
```
If `1.1.1.1` works but DNS does not:
```bash
ping google.com
```
then it is DNS only.
For persistence, create
`/etc/NetworkManager/dispatcher.d/90-hotspot-docker-forward`:
```bash
#!/bin/sh
IFACE="$1"
STATE="$2"
[ "$IFACE" = "wlo1" ] || exit 0
[ "$STATE" = "up" ] || [ "$STATE" = "connectivity-change" ] || exit 0
iptables -C DOCKER-USER -i wlo1 -o eno2 -j ACCEPT 2>/dev/null ||
iptables -I DOCKER-USER 1 -i wlo1 -o eno2 -j ACCEPT
iptables -C DOCKER-USER -i eno2 -o wlo1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null ||
iptables -I DOCKER-USER 2 -i eno2 -o wlo1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```
Then:
```bash
sudo chmod +x /etc/NetworkManager/dispatcher.d/90-hotspot-docker-forward
```
This is the actual issue: hotspot DHCP/NAT exists and IP forwarding is enabled, but Docker's filter chain blocks forwarded IPv4 packets.
EXPECTED RESULT
It works
SOFTWARE/OS VERSIONS
Operating System: Arch Linux
KDE Plasma Version: 6.6.5
KDE Frameworks Version: 6.26.0
Qt Version: 6.11.1
ADDITIONAL INFORMATION
I did not follow ChatGPT's instructions; I simply fixed it by uninstalling docker. But it is not about fixing the issue, because ChatGPT debugged my issue. The real issue is that there should be a big warning if docker is installed.
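Added example, not from the bug report and not KDE or NetworkManager code: a POSIX shell check that reads an `nft list ruleset` dump from stdin and flags the conflict described above, a NetworkManager `nm-shared-*` table coexisting with an IPv4 `forward` base chain whose policy is `drop`. The function names and the embedded sample ruleset are constructed for this example (addresses and table names follow the report).

```shell
#!/bin/sh
# Constructed excerpt modelled on the dump in the report (counters omitted).
SAMPLE_RULESET='table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        jump DOCKER-USER
        jump DOCKER-FORWARD
    }
    chain DOCKER-USER {
    }
}
table ip nm-shared-wlo1 {
    chain filter_forward {
        type filter hook forward priority filter; policy accept;
        ip saddr 10.42.0.0/24 iifname "wlo1" accept
    }
}'

# Print "<table> <policy>" for every ip-family base chain hooked at "forward".
# Reads the ruleset text from stdin.
forward_policies() {
    awk '
        /^table ip / { table = $3 }
        /type filter hook forward/ {
            if (match($0, /policy [a-z]+/))
                print table, substr($0, RSTART + 7, RLENGTH - 7)
        }'
}

# Return 0 and print a warning when a shared connection (table nm-shared-*)
# coexists with a forward base chain whose policy is drop, as Docker's
# ip filter FORWARD chain does; return 1 when no conflict is found.
check_ruleset() {
    policies=$(forward_policies)
    shared=$(printf '%s\n' "$policies" | awk '$1 ~ /^nm-shared-/ { print $1 }')
    drop=$(printf '%s\n' "$policies" | awk '$2 == "drop" { print $1 }')
    [ -n "$shared" ] && [ -n "$drop" ] || return 1
    echo "WARNING: shared connection ($shared) but forward policy drop in table(s): $drop"
    return 0
}

# Demo on the constructed sample; on a real host use: nft list ruleset | check_ruleset
printf '%s\n' "$SAMPLE_RULESET" | check_ruleset
```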