Merge pull request moby#50049 from robmry/nftables_env_var_enable

vvoland · web-flow · commit 0e2cc22d36ae · 2025-05-28T12:58:21.000Z
nftables: enable using env var
diff --git a/hack/make/.integration-test-helpers b/hack/make/.integration-test-helpers
@@ -201,6 +201,7 @@ test_env() {
 			DOCKER_REMAP_ROOT="$DOCKER_REMAP_ROOT" \
 			DOCKER_REMOTE_DAEMON="$DOCKER_REMOTE_DAEMON" \
 			DOCKER_ROOTLESS="$DOCKER_ROOTLESS" \
+			DOCKER_FIREWALL_BACKEND="$DOCKER_FIREWALL_BACKEND" \
 			GITHUB_ACTIONS="$GITHUB_ACTIONS" \
 			GO111MODULE="$GO111MODULE" \
 			GOCACHE="$GOCACHE" \
diff --git a/libnetwork/controller.go b/libnetwork/controller.go
@@ -168,6 +168,7 @@ func New(ctx context.Context, cfgOptions ...config.Option) (_ *Controller, retEr
 		diagnosticServer: diagnostic.New(),
 	}
 
+	c.selectFirewallBackend()
 	c.drvRegistry.Notify = c
 
 	// External plugins don't need config passed through daemon. They can
diff --git a/libnetwork/controller_linux.go b/libnetwork/controller_linux.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/containerd/log"
 	"github.com/docker/docker/api/types/system"
+	"github.com/docker/docker/libnetwork/internal/nftables"
 	"github.com/docker/docker/libnetwork/iptables"
 	"github.com/docker/docker/libnetwork/netlabel"
 	"github.com/docker/docker/libnetwork/options"
@@ -16,6 +17,9 @@ import (
 
 // FirewallBackend returns the name of the firewall backend for "docker info".
 func (c *Controller) FirewallBackend() *system.FirewallInfo {
+	if nftables.Enabled() {
+		return &system.FirewallInfo{Driver: "nftables"}
+	}
 	usingFirewalld, err := iptables.UsingFirewalld()
 	if err != nil {
 		return nil
diff --git a/libnetwork/drivers/bridge/bridge_linux.go b/libnetwork/drivers/bridge/bridge_linux.go
@@ -519,7 +519,6 @@ func (d *driver) configure(option map[string]interface{}) error {
 	if err != nil {
 		return err
 	}
-	iptables.OnReloaded(d.handleFirewalldReload)
 
 	var pdc portDriverClient
 	if config.Rootless {
@@ -535,6 +534,12 @@ func (d *driver) configure(option map[string]interface{}) error {
 	d.config = config
 	d.Unlock()
 
+	// Register for an event when firewalld is reloaded, but take the config lock so
+	// that events won't be processed until the initial load from Store is complete.
+	d.configNetwork.Lock()
+	defer d.configNetwork.Unlock()
+	iptables.OnReloaded(d.handleFirewalldReload)
+
 	return d.initStore()
 }
 
diff --git a/libnetwork/firewall_linux.go b/libnetwork/firewall_linux.go
@@ -4,13 +4,23 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"os"
 
 	"github.com/containerd/log"
+	"github.com/docker/docker/libnetwork/internal/nftables"
 	"github.com/docker/docker/libnetwork/iptables"
 )
 
 const userChain = "DOCKER-USER"
 
+func (c *Controller) selectFirewallBackend() {
+	// Only try to use nftables if explicitly enabled by env-var.
+	// TODO(robmry) - command line options?
+	if os.Getenv("DOCKER_FIREWALL_BACKEND") == "nftables" {
+		_ = nftables.Enable()
+	}
+}
+
 // Sets up the DOCKER-USER chain for each iptables version (IPv4, IPv6) that's
 // enabled in the controller's configuration.
 func (c *Controller) setupUserChains() {
diff --git a/libnetwork/firewall_others.go b/libnetwork/firewall_others.go
@@ -2,4 +2,6 @@
 
 package libnetwork
 
+func (c *Controller) selectFirewallBackend() {}
+
 func (c *Controller) setupUserChains() {}
diff --git a/testutil/daemon/daemon.go b/testutil/daemon/daemon.go
@@ -234,6 +234,10 @@ func New(t testing.TB, ops ...Option) *Daemon {
 	}
 	ops = append(ops, WithOOMScoreAdjust(-500))
 
+	if val, ok := os.LookupEnv("DOCKER_FIREWALL_BACKEND"); ok {
+		ops = append(ops, WithEnvVars("DOCKER_FIREWALL_BACKEND="+val))
+	}
+
 	d, err := NewDaemon(dest, ops...)
 	assert.NilError(t, err, "could not create daemon at %q", dest)
 	if d.rootlessUser != nil && d.dockerdBinary != defaultDockerdBinary {

Original file line number	Diff line number	Diff line change
`@@ -168,6 +168,7 @@ func New(ctx context.Context, cfgOptions ...config.Option) (_ *Controller, retEr`
`168`	`168`	`diagnosticServer: diagnostic.New(),`
`169`	`169`	`}`
`170`	`170`
	`171`	`+ c.selectFirewallBackend()`
`171`	`172`	`c.drvRegistry.Notify = c`
`172`	`173`
`173`	`174`	`// External plugins don't need config passed through daemon. They can`