If your firewall starts behaving strangely after installing #docker on #opensuse #slowroll, the reason is that firewalld has switched to nft, but docker still uses iptables. You may have to install iptables (the CLI tool) to fix the damage.

@ptesarik also I've heard that in this setup docker container ports might be exposed to the internet despite whatever firewalld config because the two interact a bit weird

better double check, or — I'd recommend this — switch to rootless docker/podman which doesn't touch iptables at all

@liskin By now, docker has left my system and will never make a comeback. But why did nobody warn me before I broke my system?

Besides, why didn't the #opensuse docker package revert those changes to iptables at uninstall time?

@ptesarik oh actually more vaguely remembering time - there's iptables the original and iptables-via-nftables shim

I have no idea which of these is better, but fairly certain the behaviour is different in surprising ways.

(also libvirt does something similar but I think they support nftables already?)

@liskin It's complicated. Short answer: Yes, libvirt can work just fine with nft.
Long answer: Read this:
https://libvirt.org/firewall.html

@ptesarik oh right they explicitly detect and use firewalld, even better