[docker-in-docker] Use iptables-legacy only if it's working

olivierlemasle · olivierlemasle · commit 8fc69f472e74 · 2025-07-30T11:30:52.000Z
Currently, docker-in-docker configures `iptables` to use `iptables-legacy` if it exists. However, if the `ip_tables` kernel module is not loaded on the host, `iptables-legacy` will not work. With this change, docker-in-docker checks if `iptables-legacy` works before using `update-alternatives`. Fixes #1235
diff --git a/src/docker-in-docker/install.sh b/src/docker-in-docker/install.sh
@@ -218,7 +218,7 @@ if ! type git > /dev/null 2>&1; then
 fi
 
 # Swap to legacy iptables for compatibility
-if type iptables-legacy > /dev/null 2>&1; then
+if type iptables-legacy > /dev/null 2>&1 && iptables-legacy -L > /dev/null 2>&1; then
     update-alternatives --set iptables /usr/sbin/iptables-legacy
     update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
 fi
