robmry
diff --git a/‎integration/network/bridge/nftablesdoc/generated/new-daemon.md‎
Lines changed: 167 additions & 0 deletions b/‎integration/network/bridge/nftablesdoc/generated/new-daemon.md‎
Lines changed: 167 additions & 0 deletions
diff --git a/‎integration/network/bridge/nftablesdoc/generated/usernet-internal.md‎
Lines changed: 166 additions & 0 deletions b/‎integration/network/bridge/nftablesdoc/generated/usernet-internal.md‎
Lines changed: 166 additions & 0 deletions
@@ -0,0 +1,167 @@
+## nftables for a new Daemon
+
+When the daemon starts, it creates two tables, `ip docker-bridges` and
+`ip6 docker-bridges` for IPv4 and IPv6 rules respectively. Each table contains
+some base chains and empty verdict maps. Rules for the default bridge network
+are then added.
+
+    table ip docker-bridges {
+    	map filter-forward-in-jumps {
+    		type ifname : verdict
+    		elements = { "docker0" : jump filter-forward-in__docker0 }
+    	}
+    
+    	map filter-forward-out-jumps {
+    		type ifname : verdict
+    		elements = { "docker0" : jump filter-forward-out__docker0 }
+    	}
+    
+    	map nat-postrouting-in-jumps {
+    		type ifname : verdict
+    		elements = { "docker0" : jump nat-postrouting-in__docker0 }
+    	}
+    
+    	map nat-postrouting-out-jumps {
+    		type ifname : verdict
+    		elements = { "docker0" : jump nat-postrouting-out__docker0 }
+    	}
+    
+    	chain filter-FORWARD {
+    		type filter hook forward priority filter; policy accept;
+    		oifname vmap @filter-forward-in-jumps
+    		iifname vmap @filter-forward-out-jumps
+    	}
+    
+    	chain nat-OUTPUT {
+    		type nat hook output priority -100; policy accept;
+    		ip daddr != 127.0.0.0/8 fib daddr type local counter jump nat-prerouting-and-output
+    	}
+    
+    	chain nat-POSTROUTING {
+    		type nat hook postrouting priority srcnat; policy accept;
+    		iifname vmap @nat-postrouting-out-jumps
+    		oifname vmap @nat-postrouting-in-jumps
+    	}
+    
+    	chain nat-PREROUTING {
+    		type nat hook prerouting priority dstnat; policy accept;
+    		fib daddr type local counter jump nat-prerouting-and-output
+    	}
+    
+    	chain nat-prerouting-and-output {
+    	}
+    
+    	chain raw-PREROUTING {
+    		type filter hook prerouting priority raw; policy accept;
+    	}
+    
+    	chain filter-forward-in__docker0 {
+    		ct state established,related counter accept
+    		iifname "docker0" counter accept comment "ICC"
+    		counter drop comment "UNPUBLISHED PORT DROP"
+    	}
+    
+    	chain filter-forward-out__docker0 {
+    		ct state established,related counter accept
+    		counter accept comment "OUTGOING"
+    	}
+    
+    	chain nat-postrouting-in__docker0 {
+    	}
+    
+    	chain nat-postrouting-out__docker0 {
+    		oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade comment "MASQUERADE"
+    	}
+    }
+    
+
+#### filter-FORWARD
+
+Chain `filter-FORWARD` is a base chain, with type `filter` and hook `forward`.
+_So, it's equivalent to the iptables built-in chain `FORWARD` in the `filter`
+table._ It's initialised with two rules that use the output and input
+interface names as keys in verdict maps:
+
+    	chain filter-FORWARD {
+    		type filter hook forward priority filter; policy accept;
+    		oifname vmap @filter-forward-in-jumps
+    		iifname vmap @filter-forward-out-jumps
+    	}
+
+
+The verdict maps will be populated with an element per bridge network, each
+jumping to a chain containing rules for that bridge. (So, for packets that
+aren't going to-or-from a Docker bridge device, no jump rules are found in
+the verdict map, and the packets don't need any further processing by this
+base chain.)
+
+The filter-FORWARD chain's policy shown above is `accept`. However:
+
+   - For IPv4, the policy is `drop` if the sysctl
+     net.ipv4.ip_forward was not set to '1', and the daemon set it itself when
+     an IPv4-enabled bridge network was created.
+   - For IPv6, similar, but for sysctls "/proc/sys/net/ipv6/conf/default/forwarding"
+     and "/proc/sys/net/ipv6/conf/all/forwarding".
+
+#### Per-network filter-FORWARD rules
+
+Chains added for the default bridge network are named after the base chain
+hook they're called from, and the network's bridge.
+
+Packets processed by `filter-forward-in__*` will be delivered to the bridge
+network if accepted. For docker0, the chain is:
+
+    	chain filter-forward-in__docker0 {
+    		ct state established,related counter accept
+    		iifname "docker0" counter accept comment "ICC"
+    		counter drop comment "UNPUBLISHED PORT DROP"
+    	}
+
+
+The rules are:
+- conntrack accept for established flows. _Note that accept only applies to the
+  base chain, accepted packets may be processed by other base chains registered
+  with the same hook._
+- accept packets originating within the network, because inter-container
+  communication (ICC) is enabled.
+- drop any other packets, because no there are no containers in the network
+  with published ports. _This means there is no dependency on the filter-FORWARD
+  chain's default policy. Even if it is ACCEPT, packets will be dropped unless
+  container ports/protocols are published._
+
+Packets processed by `filter-forward-out__*` originate from the bridge network:
+
+    	chain filter-forward-out__docker0 {
+    		ct state established,related counter accept
+    		counter accept comment "OUTGOING"
+    	}
+
+
+The rules in docker0's chain are:
+- conntrack accept for established flows.
+- an accept rule, containers in this network have access to external networks.
+
+#### nat-POSTROUTING
+
+Like the filter-FORWARD chain, nat-POSTROUTING has a jump to per-network chains
+for packets to and from the network.
+
+    	chain nat-POSTROUTING {
+    		type nat hook postrouting priority srcnat; policy accept;
+    		iifname vmap @nat-postrouting-out-jumps
+    		oifname vmap @nat-postrouting-in-jumps
+    	}
+
+
+#### Per-network nat-POSTROUTING rules
+
+In docker0's nat-postrouting chains, there's a single masquerade rule for packets
+leaving the network:
+
+    	chain nat-postrouting-in__docker0 {
+    	}
+
+    	chain nat-postrouting-out__docker0 {
+    		oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade comment "MASQUERADE"
+    	}
+
@@ -0,0 +1,166 @@
+## Containers on user-defined --internal networks
+
+These are the rules for two containers on different `--internal` networks, with and
+without inter-container communication (ICC).
+
+Equivalent to:
+
+	docker network create \
+	  -o com.docker.network.bridge.name=bridgeICC \
+	  --internal \
+	  --subnet 192.0.2.0/24 --gateway 192.0.2.1 bridge1
+	docker run --network bridgeICC --name c1 busybox
+
+	docker network create \
+	  -o com.docker.network.bridge.name=bridgeNoICC \
+	  -o com.docker.network.bridge.enable_icc=true \
+	  --internal \
+	  --subnet 198.51.100.0/24 --gateway 198.51.100.1 bridge1
+	docker run --network bridgeNoICC --name c1 busybox
+
+Most rules are the same as the network with [external access][0]:
+
+<details>
+<summary>Full table ...</summary>
+
+    table ip docker-bridges {
+    	map filter-forward-in-jumps {
+    		type ifname : verdict
+    		elements = { "docker0" : jump filter-forward-in__docker0,
+    			     "bridgeICC" : jump filter-forward-in__bridgeICC,
+    			     "bridgeNoICC" : jump filter-forward-in__bridgeNoICC }
+    	}
+    
+    	map filter-forward-out-jumps {
+    		type ifname : verdict
+    		elements = { "docker0" : jump filter-forward-out__docker0,
+    			     "bridgeICC" : jump filter-forward-out__bridgeICC,
+    			     "bridgeNoICC" : jump filter-forward-out__bridgeNoICC }
+    	}
+    
+    	map nat-postrouting-in-jumps {
+    		type ifname : verdict
+    		elements = { "docker0" : jump nat-postrouting-in__docker0,
+    			     "bridgeICC" : jump nat-postrouting-in__bridgeICC,
+    			     "bridgeNoICC" : jump nat-postrouting-in__bridgeNoICC }
+    	}
+    
+    	map nat-postrouting-out-jumps {
+    		type ifname : verdict
+    		elements = { "docker0" : jump nat-postrouting-out__docker0,
+    			     "bridgeICC" : jump nat-postrouting-out__bridgeICC,
+    			     "bridgeNoICC" : jump nat-postrouting-out__bridgeNoICC }
+    	}
+    
+    	chain filter-FORWARD {
+    		type filter hook forward priority filter; policy accept;
+    		oifname vmap @filter-forward-in-jumps
+    		iifname vmap @filter-forward-out-jumps
+    	}
+    
+    	chain nat-OUTPUT {
+    		type nat hook output priority -100; policy accept;
+    		ip daddr != 127.0.0.0/8 fib daddr type local counter jump nat-prerouting-and-output
+    	}
+    
+    	chain nat-POSTROUTING {
+    		type nat hook postrouting priority srcnat; policy accept;
+    		iifname vmap @nat-postrouting-out-jumps
+    		oifname vmap @nat-postrouting-in-jumps
+    	}
+    
+    	chain nat-PREROUTING {
+    		type nat hook prerouting priority dstnat; policy accept;
+    		fib daddr type local counter jump nat-prerouting-and-output
+    	}
+    
+    	chain nat-prerouting-and-output {
+    	}
+    
+    	chain raw-PREROUTING {
+    		type filter hook prerouting priority raw; policy accept;
+    	}
+    
+    	chain filter-forward-in__docker0 {
+    		ct state established,related counter accept
+    		iifname "docker0" counter accept comment "ICC"
+    		counter drop comment "UNPUBLISHED PORT DROP"
+    	}
+    
+    	chain filter-forward-out__docker0 {
+    		ct state established,related counter accept
+    		counter accept comment "OUTGOING"
+    	}
+    
+    	chain nat-postrouting-in__docker0 {
+    	}
+    
+    	chain nat-postrouting-out__docker0 {
+    		oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade comment "MASQUERADE"
+    	}
+    
+    	chain filter-forward-in__bridgeICC {
+    		ct state established,related counter accept
+    		iifname != "bridgeICC" counter drop comment "INTERNAL NETWORK INGRESS"
+    		counter accept comment "ICC"
+    	}
+    
+    	chain filter-forward-out__bridgeICC {
+    		ct state established,related counter accept
+    		oifname != "bridgeICC" counter drop comment "INTERNAL NETWORK EGRESS"
+    	}
+    
+    	chain nat-postrouting-in__bridgeICC {
+    	}
+    
+    	chain nat-postrouting-out__bridgeICC {
+    	}
+    
+    	chain filter-forward-in__bridgeNoICC {
+    		ct state established,related counter accept
+    		iifname != "bridgeNoICC" counter drop comment "INTERNAL NETWORK INGRESS"
+    		counter drop comment "ICC"
+    	}
+    
+    	chain filter-forward-out__bridgeNoICC {
+    		ct state established,related counter accept
+    		oifname != "bridgeNoICC" counter drop comment "INTERNAL NETWORK EGRESS"
+    	}
+    
+    	chain nat-postrouting-in__bridgeNoICC {
+    	}
+    
+    	chain nat-postrouting-out__bridgeNoICC {
+    	}
+    }
+    
+
+</details>
+
+The filter-forward-in chains have rules to drop packets originating outside
+the network. And, with ICC disabled, the final verdict is drop rather than
+accept:
+
+    	chain filter-forward-in__bridgeICC {
+    		ct state established,related counter accept
+    		iifname != "bridgeICC" counter drop comment "INTERNAL NETWORK INGRESS"
+    		counter accept comment "ICC"
+    	}
+
+    	chain filter-forward-in__bridgeNoICC {
+    		ct state established,related counter accept
+    		iifname != "bridgeNoICC" counter drop comment "INTERNAL NETWORK INGRESS"
+    		counter drop comment "ICC"
+    	}
+
+
+The nat-postrouting-out chains have no masquerade rules:
+
+    	chain nat-postrouting-out__bridgeICC {
+    	}
+
+    	chain nat-postrouting-out__bridgeNoICC {
+    	}
+
+
+[0]: usernet-portmap.md