├── README.md
└── docker-nft.conf

/README.md:
--------------------------------------------------------------------------------
# docker-nftables-scripts
Scripts for running Docker against nftables instead of iptables.

docker-nft.conf is a baseline: Docker's default iptables ruleset (the filter FORWARD, DOCKER, DOCKER-USER and DOCKER-ISOLATION chains plus the nat PREROUTING, OUTPUT, POSTROUTING and DOCKER chains) ported to nft. The masquerade source network must match your bridge subnet (`bip`); the file uses Docker's default of 172.17.0.0/16.

Be sure to run `dockerd --iptables=false`, otherwise dockerd keeps inserting its own iptables rules alongside this ruleset. With that flag dockerd also stops managing published ports (`-p`), so the DNAT and accept rules for each published port have to be added to the `docker` chains by hand.
--------------------------------------------------------------------------------
/docker-nft.conf:
--------------------------------------------------------------------------------
# Port of Docker's default iptables rules to nftables.
# Load with: nft -f docker-nft.conf (use nft -c -f to syntax-check first).

table inet docker {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # user-managed rules run first, like DOCKER-USER in iptables
        jump docker-user
        jump docker-isolation-stage-1
        # replies to connections the containers opened
        oif docker0 ct state { established, related } counter accept
        # published ports: the per-port accept rules live in chain docker
        oif docker0 jump docker
        # container -> outside world (iptables: -i docker0 ! -o docker0 -j ACCEPT)
        iif docker0 oif != docker0 accept
        # container -> container on the same bridge
        iif docker0 oif docker0 accept
    }

    chain output {
        type filter hook output priority 0;
        # no policy given, so this chain accepts by default; the rule only
        # makes host -> container traffic over veth devices explicit
        meta oifkind "veth" accept
    }

    # allowlist of published container ports; empty until ports are published
    chain docker {
    }

    chain docker-isolation-stage-1 {
        iif docker0 oif != docker0 jump docker-isolation-stage-2
        return
    }

    chain docker-isolation-stage-2 {
        # traffic leaving one Docker bridge must not enter another one
        oif docker0 drop
        return
    }

    chain docker-user {
        return
    }
}

table ip dockernat {
    chain prerouting {
        # dstnat (-100) is the priority iptables uses for nat PREROUTING
        type nat hook prerouting priority dstnat;
        fib daddr type local jump docker
    }
    chain output {
        type nat hook output priority dstnat;
        ip daddr != 127.0.0.0/8 fib daddr type local jump docker
    }
    chain postrouting {
        # srcnat (100) is the priority iptables uses for nat POSTROUTING
        type nat hook postrouting priority srcnat;
        # Docker's default bridge network is 172.17.0.0/16; change to match bip
        oif != docker0 ip saddr 172.17.0.0/16 masquerade
    }

    # DNAT rules for published ports go here
    chain docker {
        iif docker0 return
    }
}
--------------------------------------------------------------------------------
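Because `dockerd --iptables=false` also disables port publishing, the rules that Docker would normally add for `docker run -p HOSTPORT:CONTAINERPORT` must be created manually. The helper below is an added example, not part of the docker-nftables-scripts repository: it prints the nft equivalents of Docker's three per-port iptables rules (nat DOCKER DNAT, nat POSTROUTING hairpin masquerade, filter DOCKER accept) for the `inet docker` and `ip dockernat` tables in docker-nft.conf, and can syntax-check or load them. It assumes the bridge is docker0, that `nft` is on PATH, and that the container address is known (for example from `docker inspect`); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of docker-nftables-scripts). Generates the nft rules
# dockerd would add for one published port when it manages iptables itself.
# Assumptions: bridge is docker0, tables from docker-nft.conf are loaded.

# Print the nft commands for publishing one port. Output only; nothing is applied.
# usage: docker_publish_rules HOSTPORT CTRPORT CTR_IP [tcp|udp]
docker_publish_rules() {
    hostport=$1
    ctrport=$2
    ctr_ip=$3
    proto=${4:-tcp}
    case $proto in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    for p in "$hostport" "$ctrport"; do
        case $p in
            ""|*[!0-9]*) echo "port must be numeric: '$p'" >&2; return 1 ;;
        esac
    done
    cat <<EOF
add rule ip dockernat docker iif != docker0 $proto dport $hostport dnat to $ctr_ip:$ctrport
add rule ip dockernat postrouting ip saddr $ctr_ip ip daddr $ctr_ip $proto dport $ctrport masquerade
add rule inet docker docker iif != docker0 oif docker0 ip daddr $ctr_ip $proto dport $ctrport accept
EOF
}

# Parse and validate the rules against the running ruleset without committing
# them (nft -c checks only).
docker_publish_check() {
    docker_publish_rules "$@" | nft -c -f -
}

# Apply the rules (root required).
docker_publish() {
    docker_publish_rules "$@" | nft -f -
}
```

The first rule DNATs traffic arriving from outside the bridge, the second masquerades the hairpin case where a container reaches its own published port, and the third is the accept that `oif docker0 jump docker` in the forward chain relies on; without it the default `policy drop` discards the DNATed packet. Run `docker_publish_check 8080 80 172.17.0.2` before `docker_publish` to catch typos without touching the live ruleset.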