If your firewall starts behaving strangely after installing #docker on #opensuse #slowroll, the reason is that firewalld has switched to nft, but docker still uses iptables. You may have to install iptables (the CLI tool) to fix the damage.

@ptesarik Shouldn't docker be using iptables-nft by default on openSUSE?

Or am I missing something?

@ffmancera No idea. All I know is that packets were no longer forwarded through my default (NAT) libvirt network, and it took me way too long to find out that docker installation/startup did the equivalent of iptables -P FORWARD DROP. It was not visible anywhere in the output of nft list ruleset.
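An added diagnostic script (not posted by anyone in this thread) for the situation described above: it reads the FORWARD chain policy through each iptables backend binary present, so a DROP policy set via the legacy (x_tables) backend, which `nft list ruleset` does not show, still becomes visible. It assumes the `iptables-legacy` / `iptables-nft` / `iptables` binaries and root privileges for the live check; the parsing helpers run on plain text and need neither.

```shell
#!/bin/sh
# Diagnostic for "FORWARD policy silently dropped" after a docker install.
# Assumption: binaries named iptables-legacy / iptables-nft / iptables; the
# live check needs root. The helpers below only parse text.

# forward_policy: read `iptables -S FORWARD` style output on stdin and print
# the policy target ("-P FORWARD DROP" -> "DROP"), or UNKNOWN if no -P line.
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; found = 1; exit }
         END { if (!found) print "UNKNOWN" }'
}

# backend_of: classify `iptables -V` output as nft, legacy or unknown.
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# check_forward: for every backend binary installed, report its FORWARD
# policy. A DROP reported by a legacy backend is exactly the rule that
# `nft list ruleset` will never list, because it lives in x_tables.
check_forward() {
    for tool in iptables-legacy iptables-nft iptables; do
        command -v "$tool" >/dev/null 2>&1 || continue
        backend=$(backend_of "$("$tool" -V 2>/dev/null)")
        policy=$("$tool" -S FORWARD 2>/dev/null | forward_policy)
        printf '%s (%s backend): FORWARD policy %s\n' "$tool" "$backend" "$policy"
    done
}
```

Run `check_forward` as root; a line such as `iptables-legacy (legacy backend): FORWARD policy DROP` confirms the policy was set outside the nftables ruleset.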

@ptesarik Too bad docker is still used.
@oleksandr Please, yes, go fix cobbler to use a better tool for make test-debian12:
https://github.com/cobbler/cobbler
@ptesarik also I've heard that in this setup docker container ports might be exposed to the internet despite whatever firewalld config because the two interact a bit weird

better double check, or — I'd recommend this — switch to rootless docker/podman which doesn't touch iptables at all

@liskin By now, docker has left my system and will never make a comeback. But why did nobody warn me before I broke my system?

Besides, why didn't the #opensuse docker package revert those changes to iptables at uninstall time?

@ptesarik oh actually more vaguely remembering time - there's iptables the original and iptables-via-nftables shim

I have no idea which of these is better, but fairly certain the behaviour is different in surprising ways.

(also libvirt does something similar but I think they support nftables already?)

@liskin It's complicated. Short answer: Yes, libvirt can work just fine with nft.
Long answer: Read this:
https://libvirt.org/firewall.html

@ptesarik oh right they explicitly detect and use firewalld, even better