nftables: never enable IP forwarding on the host

[robmry]

- What I did

• fix nftables: IP forwarding, and filter-FORWARD policy #50566
• replaces nftables: preserve filter-FORWARD drop policy on restart/upgrade #50576
• replaces nftables: allow all IP forwarding #50634

When Docker is using iptables and it enables IP forwarding, unless daemon option --ip-forward-no-drop is true, it sets the iptables filter-FORWARD policy to DROP.

When running with nftables - don't do that, raise an error if forwarding is needed but not enabled, unless --ip-forward=false.

On a host without IPv4 forwarding enabled, nftables firewall backend, and other settings at defaults - the daemon will fail to start when it tries to create the default bridge. It will fail to restore other networks, but those errors are only logged, not sure why. In other cases, for example --bridge=none or creating an IPv6 network when IPv6 global forwarding is disabled, network creation will fail with an error.

Log a warning when migrating from iptables to nftables when the iptables policy is DROP, because it'll drop packets that have been accepted by nftables rules (so, for example, published ports won't work).

In 29.0, nftables is opt-in, and will be documented as "experimental". So, if we get push-back on this or come up with better ideas, we'll be able to change it.

Docs will need an update to say it's the user's responsibility to update their firewall rules to block unwanted forwarding between non-Docker network interfaces.

- How I did it

• The first two commits are tidy-up - only nftabler needs an iptables cleaner, and only the iptabler (now) needs a method to set the filter-FORWARD policy. So, use those types directly in the bridge driver when needed.
• Raise the error when using nftables and forwarding is not enabled, and update tests.
• Log a warning about the iptables policy on migration to nftables.
• Enable IP forwarding in rootlesskit's netns, before starting the daemon.
• Update check-config.sh to report on the IP forwarding sysctls.

- How to verify it

• Start Docker with IP forwarding disabled and --firewall-backend=iptables - check the filter-FORWARD policies are DROP.
• Start Docker again with --firewall-backend=nftables, check logs for a warning about the iptables policy, for example ...

WARN[2025-08-06T13:26:03.383667797Z] Network traffic for published ports may be dropped, iptables chain FORWARD has policy DROP.  ipv=ipv4

• Disable IP forwarding, restart with nftables, check the daemon fails with an error ...

failed to start daemon: Error initializing network controller: error creating default "bridge" network: IPv4 forwarding is disabled: check your host's firewalling and set sysctl net.ipv4.ip_forward=1, or disable this check using daemon option --ip-forward=false

• With rootless Docker, checked a dual-stack bridge network was created ok with nftables (and wasn't without the sysctls in this PR), and that port publishing worked.

And, updated tests.

- Human readable description for the release notes

- nftables: Docker will not enable IP forwarding on the host. If forwarding is needed by a bridge network, but not enabled, daemon startup or network creation will fail with an error. You must either enable forwarding and ensure firewall rules are in place to prevent unwanted forwarding between non-Docker interfaces. Or, use daemon option `--ip-forward=false` to disable the check, but some bridge network functionality including port forwarding may not work. See [Engine Docs](https://docs.docker.com/engine/network/firewall-nftables) for more information about migration from iptables to nftables.

[robmry]

@AkihiroSuda - one of the commits here enables the IP forwarding sysctls in rootlesskit's netns ...

With --firewall-backend=nftables (which will eventually become the default), this PR makes it the user's job to configure their kernel as an installation step.

The dockerd-rootless change here enables forwarding whether using iptables or nftables. I don't think there's any harm in that, there aren't any non-Docker interfaces to forward between (apart from the netns's main tap0 interface, which needs forwarding enabled for port publishing to work anyway). It means Docker with iptables won't set a default DROP policy on the FORWARD chain, but I think that's also ok as there's no non-Docker traffic to forward.

Not sure whether I've put the sysctl commands in the best place?

[akerouanton]

One nit, otherwise LGTM. Thanks!

[austinvazquez]

Changes LGTM on green CI run. At a glance, the current failures are all related to known flaky test or unknown CI issue.

[austinvazquez]

Needs rebase for CI fixes, then g2g. 👍🏼

[thaJeztah]

code looks sane to me; left some ramblings (as usual). Not merging as I wasn't sure if you wanted additional review from Cory

LGTM

[thaJeztah]

Not for this PR, just that my curiosity led me there; this looks to be the only place where we call fw.SetFirewallCleaner to a non nil value, and the constructor is above.

Which made me curious if this should be done as part of the constructor, possibly with a DisableCleaner(), DestroyCleaner, StopCleaning() (or whatever) on the Nftabler type.

[robmry]

As soon as I get a chance - I'll keep the cleaner in the bridge driver so the firewaller implementation(s) don't need to call it (review comment from @akerouanton) ... it's a bit simpler this way, because the current firewaller has all the context for deleting old rules, the bridge driver will need to fish it out somehow. But, Albin's right, if we ever add a new firewaller it shouldn't really need to call the cleaner itself.

[thaJeztah]

Curious; was information missing in the error, or did you pre-emptively add this? Because os.ReadFile (and other file operations from stdlib) should usually return a fs.PathError / os.PathError, which already decorates the error with "Op" (e.g. open ), Path, and the error; https://github.com/golang/go/blob/768c51e368e05739854c1413fdf7fd129d01e482/src/io/fs/fs.go#L250-L255

// PathError records an error and the operation and file path that caused it.
type PathError struct {
    Op   string
    Path string
    Err  error
}

[robmry]

Oh, probably preemptive - I'll get rid of it.

[thaJeztah]

Ah! The other IPVersion type 😂

Not for this PR, but it got me curious; is this always either/or, or could be "both"? Considering that the other type has that as an option (so if it could set both values at once);

moby/daemon/libnetwork/types/types.go

Lines 17 to 23 in 0b1b5bf

	type IPFamily int
	const (
	IP IPFamily = syscall.AF_UNSPEC // Either IPv4 or IPv6.
	IPv4 IPFamily = syscall.AF_INET // Internet Protocol version 4 (IPv4).
	IPv6 IPFamily = syscall.AF_INET6 // Internet Protocol version 6 (IPv6).
	)

[robmry]

For the firewaller, it's always either/or ... with iptables/ip6tables the rules are always separate. I decided to keep it that way in nftables too (although it has an inet type as well as ip/ip6, so one table can deal with both families).

But, for us, there's not much advantage in trying to combine them. The rules for bridge networks can be configured quite differently for v4/v6 ... for example, NAT for v4 and direct routing for v6.