From 1911dedcf2e71efeef35c5317a3522ae6fbd61f0 Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Wed, 6 Nov 2024 14:47:53 +0000 Subject: [PATCH] Add --ip-filter-forward-drop Added to the dockerd cmdline ref and its manpage. Signed-off-by: Rob Murray --- docs/reference/dockerd.md | 3 ++- man/dockerd.8.md | 14 ++++++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/docs/reference/dockerd.md b/docs/reference/dockerd.md index de8011c2b63d..97b9d23e3f26 100644 --- a/docs/reference/dockerd.md +++ b/docs/reference/dockerd.md @@ -72,7 +72,8 @@ Options: --init-path string Path to the docker-init binary --insecure-registry list Enable insecure registry communication --ip ip Default IP when binding container ports (default 0.0.0.0) - --ip-forward Enable net.ipv4.ip_forward (default true) + --ip-forward Enable IP forwarding in system configuration (default true) + --ip-forward-no-drop Do not set the filter-FORWARD policy to DROP when enabling IP forwarding --ip-masq Enable IP masquerading (default true) --ip6tables Enable addition of ip6tables rules (experimental) --iptables Enable addition of iptables rules (default true) diff --git a/man/dockerd.8.md b/man/dockerd.8.md index 3bb226a21241..96c0c9033cd8 100644 --- a/man/dockerd.8.md +++ b/man/dockerd.8.md @@ -44,6 +44,7 @@ dockerd - Enable daemon mode [**--insecure-registry**[=*[]*]] [**--ip**[=*0.0.0.0*]] [**--ip-forward**[=**true**]] +[**--ip-forward-no-drop**[=**true**]] [**--ip-masq**[=**true**]] [**--iptables**[=**true**]] [**--ipv6**] @@ -289,11 +290,20 @@ unix://[/path/to/socket] to use. has no effect. This setting will also enable IPv6 forwarding if you have both - **--ip-forward=true** and **--fixed-cidr-v6** set. Note that this may reject - Router Advertisements and interfere with the host's existing IPv6 + **--ip-forward=true** and an IPv6 enabled bridge network. Note that this + may reject Router Advertisements and interfere with the host's existing IPv6 configuration. For more information, consult the documentation about "Advanced Networking - IPv6". +**--ip-forward-no-drop**=**true**|**false** + When **false**, the default, if Docker enables IP forwarding itself (see + **--ip-forward**), and **--iptables** or **--ip6tables** are enabled, it + also sets the default policy for the FORWARD chain in the iptables or + ip6tables filter table to DROP. + + When **true**, and when IP forwarding is already enabled, Docker does + not modify the default policy of the FORWARD chain. + **--ip-masq**=**true**|**false** Enable IP masquerading for bridge's IP range. Default is **true**.