From 8fc69f472e741b5f9dd9209d3465d6ba73774597 Mon Sep 17 00:00:00 2001
From: Olivier Lemasle
Date: Wed, 30 Jul 2025 11:30:52 +0000
Subject: [PATCH 1/4] [docker-in-docker] Use iptables-legacy only if it's working

Currently, docker-in-docker configures `iptables` to use `iptables-legacy` if it exists. However, if the `ip_tables` kernel module is not loaded on the host, `iptables-legacy` will not work.

With this change, docker-in-docker checks if `iptables-legacy` works before using `update-alternatives`.

Fixes #1235
---
 src/docker-in-docker/install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/docker-in-docker/install.sh b/src/docker-in-docker/install.sh
index b43a12918..efde3c14f 100755
--- a/src/docker-in-docker/install.sh
+++ b/src/docker-in-docker/install.sh
@@ -218,7 +218,7 @@ if ! type git > /dev/null 2>&1; then
 fi
 
 # Swap to legacy iptables for compatibility
-if type iptables-legacy > /dev/null 2>&1; then
+if type iptables-legacy > /dev/null 2>&1 && iptables-legacy -L > /dev/null 2>&1; then
     update-alternatives --set iptables /usr/sbin/iptables-legacy
     update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
 fi

From 77b8ec0ceaa02a1feb9aabd3fccd45299d1d9ba9 Mon Sep 17 00:00:00 2001
From: Olivier Lemasle
Date: Wed, 6 Aug 2025 19:09:34 +0000
Subject: [PATCH 2/4] Add test, bump version

---
 .../devcontainer-feature.json | 2 +-
 .../docker_without_iptables.sh | 19 +++++++++++++++++++
 test/docker-in-docker/scenarios.json | 9 +++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100755 test/docker-in-docker/docker_without_iptables.sh

diff --git a/src/docker-in-docker/devcontainer-feature.json b/src/docker-in-docker/devcontainer-feature.json
index e44f2d666..7194ba0e0 100644
--- a/src/docker-in-docker/devcontainer-feature.json
+++ b/src/docker-in-docker/devcontainer-feature.json
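Review bot: The new guard probes only `iptables-legacy`, yet the same branch still switches `ip6tables` to `ip6tables-legacy`, which depends on the separate `ip6_tables` module and can fail on its own even when the IPv4 probe passes. Either probe both before switching either — `if type iptables-legacy > /dev/null 2>&1 && iptables-legacy -L > /dev/null 2>&1 && ip6tables-legacy -L > /dev/null 2>&1; then` — or set each alternative under its own probe. Note also that this probe runs at feature-install (image build) time against the build host's kernel; if the image is later started on a host without `ip_tables`, the alternative chosen here is stale, so a comment above the `if` such as `# NOTE: decided at build time; the runtime host's kernel may differ` would help, and the daemon start-up script (not in this hunk) is presumably the better place for a runtime check. The rest of install.sh lies outside the hunk.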
@@ -1,6 +1,6 @@
 {
     "id": "docker-in-docker",
-    "version": "2.12.2",
+    "version": "2.12.3",
     "name": "Docker (Docker-in-Docker)",
     "documentationURL": "https://github.com/devcontainers/features/tree/main/src/docker-in-docker",
     "description": "Create child containers *inside* a container, independent from the host's docker instance. Installs Docker extension in the container along with needed CLIs.",
diff --git a/test/docker-in-docker/docker_without_iptables.sh b/test/docker-in-docker/docker_without_iptables.sh
new file mode 100755
index 000000000..81916a28c
--- /dev/null
+++ b/test/docker-in-docker/docker_without_iptables.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+# Optional: Import test library
+source dev-container-features-test-lib
+
+# Feature specific tests
+check "iptables works" sudo iptables -L
+check "iptables uses nf_tables" bash -c "iptables --version | grep nf_tables"
+
+check "version" docker --version
+check "docker-ps" bash -c "docker ps"
+check "log-exists" bash -c "ls /tmp/dockerd.log"
+check "log-for-completion" bash -c "cat /tmp/dockerd.log | grep 'Daemon has completed initialization'"
+check "log-contents" bash -c "cat /tmp/dockerd.log | grep 'API listen on /var/run/docker.sock'"
+
+# Report result
+reportResults
\ No newline at end of file
diff --git a/test/docker-in-docker/scenarios.json b/test/docker-in-docker/scenarios.json
index 1587bda56..7cbc04808 100644
--- a/test/docker-in-docker/scenarios.json
+++ b/test/docker-in-docker/scenarios.json
@@ -158,6 +158,15 @@
             }
         }
     },
+    "docker_without_iptables": {
+        "image": "mcr.microsoft.com/devcontainers/base:debian",
+        "features": {
+            "docker-in-docker": {
+                "moby": "false"
+            }
+        },
+        "initializeCommand": "sudo modprobe --remove --remove-holders ip_tables"
+    },
     // DO NOT REMOVE: This scenario is used by the docker-in-docker-stress-test workflow
     "docker_with_on_create_command": {
         "image": "mcr.microsoft.com/devcontainers/base:debian",

From ee2ed47c8df807f3279706d5b32564b052cf4255 Mon Sep 17 00:00:00 2001
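Review bot: `check "log-exists" bash -c "ls /tmp/dockerd.log"` and the two `cat /tmp/dockerd.log | grep …` checks spawn a shell plus extra processes for what a file test and a direct grep express more plainly; `check "log-exists" test -f /tmp/dockerd.log` and `check "log-for-completion" grep -q 'Daemon has completed initialization' /tmp/dockerd.log` (likewise for the socket line) would do. The `grep nf_tables` assertion is the whole point of this scenario, so a comment above it, `# ip_tables was unloaded on the host by initializeCommand, so install.sh must have kept the nft backend`, ties the check to its setup for the next reader. The file also ends without a trailing newline (`\ No newline at end of file`).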
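Review bot: `initializeCommand` runs on the machine executing the tests, not in the container, and `sudo modprobe --remove --remove-holders ip_tables` unloads `ip_tables` together with every module that holds it (on a typical kernel e.g. `iptable_filter`, `iptable_nat`), dropping legacy iptables state for anything else on that host. This file already carries a `// DO NOT REMOVE` comment, so a similar warning above the scenario, `// Host-affecting: unloads ip_tables (and its holders) on the machine running the tests; intended for CI only`, would stop someone from running it on a workstation. If `ip_tables` is built into the runner's kernel rather than a module, the command cannot unload it and the test's `grep nf_tables` check will presumably fail rather than skip — worth confirming on the CI image.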
From: Olivier Lemasle
Date: Fri, 8 Aug 2025 00:05:38 +0000
Subject: [PATCH 3/4] Fix unload kernel module ip_tables

---
 test/docker-in-docker/scenarios.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/docker-in-docker/scenarios.json b/test/docker-in-docker/scenarios.json
index 7cbc04808..63690dff5 100644
--- a/test/docker-in-docker/scenarios.json
+++ b/test/docker-in-docker/scenarios.json
@@ -165,7 +165,7 @@
                 "moby": "false"
             }
         },
-        "initializeCommand": "sudo modprobe --remove --remove-holders ip_tables"
+        "initializeCommand": "sudo modprobe --remove --remove-holders --wait 1000 ip_tables"
     },
     // DO NOT REMOVE: This scenario is used by the docker-in-docker-stress-test workflow
     "docker_with_on_create_command": {

From 7b59ca98061460b67d3734c465a7fc826be7d61d Mon Sep 17 00:00:00 2001
From: Olivier Lemasle
Date: Fri, 8 Aug 2025 08:04:47 +0000
Subject: [PATCH 4/4] Test with module ip_tables

---
 test/docker-in-docker/docker_with_iptables.sh | 19 +++++++++++++++++++
 test/docker-in-docker/scenarios.json | 9 +++++++++
 2 files changed, 28 insertions(+)
 create mode 100755 test/docker-in-docker/docker_with_iptables.sh

diff --git a/test/docker-in-docker/docker_with_iptables.sh b/test/docker-in-docker/docker_with_iptables.sh
new file mode 100755
index 000000000..89a9c2ef4
--- /dev/null
+++ b/test/docker-in-docker/docker_with_iptables.sh
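Review bot: `modprobe --remove --wait 1000` relies on kmod's `--wait` option, which as far as I can tell only fairly recent kmod releases accept; on an older runner `modprobe` rejects the option and the scenario fails during setup instead of reporting anything about the feature, so the requirement deserves a comment next to the line, e.g. `// --wait needs a recent kmod; older modprobe rejects the option`. The wait also only helps when the holders release on their own — if a host dockerd keeps `ip_tables` pinned, the 1000 ms expire and the removal still fails, which the commit message does not say; a CI log from a passing run would settle which case applies.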
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+# Optional: Import test library
+source dev-container-features-test-lib
+
+# Feature specific tests
+check "iptables works" sudo iptables -L
+check "iptables uses legacy" bash -c "iptables --version | grep legacy"
+
+check "version" docker --version
+check "docker-ps" bash -c "docker ps"
+check "log-exists" bash -c "ls /tmp/dockerd.log"
+check "log-for-completion" bash -c "cat /tmp/dockerd.log | grep 'Daemon has completed initialization'"
+check "log-contents" bash -c "cat /tmp/dockerd.log | grep 'API listen on /var/run/docker.sock'"
+
+# Report result
+reportResults
\ No newline at end of file
diff --git a/test/docker-in-docker/scenarios.json b/test/docker-in-docker/scenarios.json
index 63690dff5..dd6679c46 100644
--- a/test/docker-in-docker/scenarios.json
+++ b/test/docker-in-docker/scenarios.json
@@ -167,6 +167,15 @@
         },
         "initializeCommand": "sudo modprobe --remove --remove-holders --wait 1000 ip_tables"
     },
+    "docker_with_iptables": {
+        "image": "mcr.microsoft.com/devcontainers/base:debian",
+        "features": {
+            "docker-in-docker": {
+                "moby": "false"
+            }
+        },
+        "initializeCommand": "sudo modprobe ip_tables"
+    },
     // DO NOT REMOVE: This scenario is used by the docker-in-docker-stress-test workflow
     "docker_with_on_create_command": {
         "image": "mcr.microsoft.com/devcontainers/base:debian",
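Review bot: This script repeats docker_without_iptables.sh line for line except for the backend assertion (`grep legacy`), so the same shape nits apply: `ls /tmp/dockerd.log` is better written `test -f /tmp/dockerd.log`, and `cat … | grep` as `grep -q … /tmp/dockerd.log`, dropping the `bash -c` wrappers. A comment above the backend check, `# ip_tables is loaded on the host by initializeCommand, so install.sh should have switched to iptables-legacy`, states the expected outcome next to the assertion. The file again ends without a trailing newline.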
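Review bot: `sudo modprobe ip_tables` presumes the legacy module exists on the host; on a runner whose kernel ships no `ip_tables` module (nft-only builds), `initializeCommand` fails and the scenario errors out before the container starts, and nothing in the file says so. Mirroring the existing `// DO NOT REMOVE` comment, `// Host-affecting: loads ip_tables on the machine running the tests; needs a kernel that ships the module` above the scenario would make the precondition explicit. The load is never undone afterwards, so if docker_without_iptables runs later on the same machine its `--remove` has to succeed again for the pair to prove anything — presumably fine on a fresh CI runner, but worth stating.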