Running docker info in WSL2 (both on ArchWSL and Ubuntu 20.04) I get the following warnings:

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Both properties appear to be enabled at sysctl level:

$ sysctl net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-iptables = 1

$ sysctl net.bridge.bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-ip6tables = 1

It is unclear from the messages whether that prevents any normal functioning of Docker or whether any action is required from the user.

Does anyone know if there is anything to do to remove this warning?

Using Docker version 19.03.12, build 48a66213fe.

Marco Lackovic
  • There is an answer in another question: https://stackoverflow.com/a/64009376/12524146 – PaulLiss Sep 22 '20 at 12:10
  • Not sure whether that answer is related to WSL2: when I try to run `modprobe br_netfilter` I get the following error: `modprobe: FATAL: Module br_netfilter not found in directory /lib/modules/4.19.128-microsoft-standard` – Marco Lackovic Sep 23 '20 at 09:29

2 Answers

Please try the following commands

# `sudo echo ... >> file` does not work: the redirect is performed by the
# unprivileged shell, not by sudo. Pipe through `sudo tee -a` instead.
echo "net.bridge.bridge-nf-call-iptables = 1" | sudo tee -a /etc/sysctl.conf
echo "net.bridge.bridge-nf-call-ip6tables = 1" | sudo tee -a /etc/sysctl.conf
# Load the bridge netfilter module; the net.bridge.* keys only exist once it is loaded (or built in).
sudo modprobe br_netfilter
# Re-apply the settings from the file so the keys take effect now, without a reboot.
sudo sysctl -p /etc/sysctl.conf
Ahmad Ismail
  • Could you improve your answer and explain what these commands do? – lubrum Jan 24 '23 at 04:20
  • It should be `echo "..." | sudo tee -a` since `sudo echo ...` is useless: https://stackoverflow.com/questions/84882/sudo-echo-something-etc-privilegedfile-doesnt-work – n0099 Feb 28 '23 at 15:06

It likely depends on your topology, e.g. if you have containers in a single user-created bridge there's probably no functional impact. Docker has the following to say HERE, which I take to mean that Docker configures iptables to influence the forwarding, modification, filtering, etc, of traffic between containers located in different bridges (or between a bridge and the outside world, etc).

When you create or remove a user-defined bridge or connect or disconnect a container from a user-defined bridge, Docker uses tools specific to the operating system to manage the underlying network infrastructure (such as adding or removing bridge devices or configuring iptables rules on Linux).

When net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-ip6tables are set to 1, packets traversing a bridge are also copied to iptables. There's really good info HERE regarding all of this and also regarding timing issues, like setting these parameters and then LATER creating a bridge.

To see what Docker (and other things like libvirt) have done to your iptables, you can use `sudo iptables --list`.

Finally, I'd advise looking in /etc/sysctl.d first (to see what's already there) before modifying /etc/sysctl.conf. Granted, sysctl.conf is read last (at least on Ubuntu 22.04.2) via a symlink in /etc/sysctl.d (assuming a file hasn't been added that would be read after 99-sysctl.conf), so anything done in sysctl.conf will overwrite what's in /etc/sysctl.d, but generally it's just not pretty to configure things in two places, IMHO.
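Added example, not code from the question or either answer: a small POSIX sh helper that checks the two things this thread turns on, the live value under /proc/sys that the kernel (and therefore dockerd) actually sees, and which file under an /etc/sysctl.d-style directory wins for a key when `sysctl --system` replays the files in lexical order with 99-sysctl.conf last. The demonstration directory at the bottom is constructed; the functions take the key and a directory/root as parameters so they can be pointed at the real /etc/sysctl.d and /proc/sys.

```shell
#!/bin/sh
# Added example (not from the question or the answers). Assumes procps-style
# "key = value" lines with dotted keys; '#'/';' comments and blank lines are ignored.

# live_value KEY [ROOT]: print the current kernel value from ROOT (default /proc/sys),
# or "missing" when the node does not exist (e.g. br_netfilter is not loaded).
live_value() {
    key=$1; root=${2:-/proc/sys}
    node="$root/$(printf '%s' "$key" | tr . /)"
    if [ -r "$node" ]; then cat "$node"; else echo missing; fi
}

# winning_value KEY DIR: print "file=value" for the last *.conf in DIR that sets
# KEY (lexical order, as sysctl --system applies them); print nothing if none does.
winning_value() {
    key=$1; dir=$2; result=""
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are regex wildcards
    expr='s/[[:space:]]*[#;].*//; s/^[[:space:]]*'"$esc"'[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p'
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n "$expr" "$f" | tail -n 1)
        [ -n "$v" ] && result="$(basename "$f")=$v"
    done
    printf '%s\n' "$result"
}

# Constructed stand-in for /etc/sysctl.d: an early file disables the key, the
# 99-sysctl.conf entry (what the first answer appends) is applied last and wins.
demo_dir=$(mktemp -d)
printf 'net.bridge.bridge-nf-call-iptables = 0\n' > "$demo_dir/10-local.conf"
printf '# per the first answer\nnet.bridge.bridge-nf-call-iptables = 1\n' > "$demo_dir/99-sysctl.conf"
echo "live:   $(live_value net.bridge.bridge-nf-call-iptables)"
echo "config: $(winning_value net.bridge.bridge-nf-call-iptables "$demo_dir")"   # 99-sysctl.conf=1
rm -rf "$demo_dir"
```

If `live` prints `missing` while `config` shows a file setting the key to 1, the file is fine but the br_netfilter code is not present in the running kernel, which is what the `modprobe` error in the question's comments indicates on WSL2.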