Skip to content

Commit f312d53

Browse files
ArthurFlagArthurFlag
committed
feedback
1 parent 1786d31 commit f312d53

File tree

1 file changed

+6
-6
lines changed

1 file changed

+6
-6
lines changed

content/manuals/engine/network/firewall-nftables.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ Do not modify Docker's tables directly as the modifications are likely to
4444
be lost, Docker expects to have full ownership of its tables.
4545

4646
> [!NOTE]
47-
>
47+
>
4848
> Because iptables has a fixed set of chains, equivalent to nftables base
4949
> chains, all rules are included in those chains. The `DOCKER-USER` chain
5050
> is supplied as a way to insert rules into the `filter` table's `FORWARD`
@@ -81,7 +81,7 @@ publishing, communication between bridge networks, and direct routing from
8181
outside the host to containers in bridge networks.
8282

8383
When running with iptables, depending on network and daemon configuration,
84-
Docker may enable IPv4 and IPv6 forwarding on the host.
84+
Docker may enable IPv4 and IPv6 forwarding on the host.
8585

8686
With its nftables firewall backend enabled, Docker will not enable IP forwarding
8787
itself. It will report an error if forwarding is needed, but not already enabled.
@@ -90,7 +90,7 @@ when it determines that forwarding is disabled, use Daemon option `--ip-forward=
9090
or `"ip-forward": false` in its configuration file.
9191

9292
> [!WARNING]
93-
>
93+
>
9494
> When enabling IP forwarding, make sure you have firewall rules to block
9595
> unwanted forwarding between non-Docker interfaces.
9696
@@ -103,16 +103,16 @@ or `"ip-forward": false` in its configuration file.
103103
If Docker is in a VM that has a single network interface and no other
104104
software running, there is probably no unwanted forwarding to block.
105105
But, on a physical host with multiple network interfaces, forwarding
106-
between those interfaces should probably be blocked unless the host
107-
is acting as a router.
106+
between those interfaces should probably be blocked with nftables rules
107+
unless the host is acting as a router.
108108

109109
To enable IP forwarding on the host, set the following sysctls:
110110

111111
- `net.ipv4.ip_forward=1`
112112
- `net.ipv6.conf.all.forwarding=1`
113113

114114
If your host uses `systemd`, you may be able to use `systemd-sysctl`. For
115-
example, by editing `/etc/sysctl.d/99-sysctl.conf`.
115+
example, by editing `/etc/sysctl.d/99-sysctl.conf`.
116116

117117
If the host is running `firewalld`, you may be able to use it to block
118118
unwanted forwarding. Docker's bridges are in a firewalld zone called

0 commit comments

Comments
 (0)