Add --ip-filter-forward-drop

Added to the dockerd cmdline ref and its manpage. Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-11-06 14:47:53 +00:00 · 2024-11-06 14:47:53 +00:00 · 1911dedcf2
parent 2369935bdb
commit 1911dedcf2
2 changed files with 14 additions and 3 deletions
--- a/docs/reference/dockerd.md
+++ b/docs/reference/dockerd.md
@ -72,7 +72,8 @@ Options:
      --init-path string                      Path to the docker-init binary
      --insecure-registry list                Enable insecure registry communication
      --ip ip                                 Default IP when binding container ports (default 0.0.0.0)
-      --ip-forward                            Enable net.ipv4.ip_forward (default true)
+      --ip-forward                            Enable IP forwarding in system configuration (default true)
+      --ip-forward-no-drop                    Do not set the filter-FORWARD policy to DROP when enabling IP forwarding
      --ip-masq                               Enable IP masquerading (default true)
      --ip6tables                             Enable addition of ip6tables rules (experimental)
      --iptables                              Enable addition of iptables rules (default true)
--- a/man/dockerd.8.md
+++ b/man/dockerd.8.md
@ -44,6 +44,7 @@ dockerd - Enable daemon mode
 [**--insecure-registry**[=*[]*]]
 [**--ip**[=*0.0.0.0*]]
 [**--ip-forward**[=**true**]]
+[**--ip-forward-no-drop**[=**true**]]
 [**--ip-masq**[=**true**]]
 [**--iptables**[=**true**]]
 [**--ipv6**]
@ -289,11 +290,20 @@ unix://[/path/to/socket] to use.
  has no effect.

  This setting will also enable IPv6 forwarding if you have both
-  **--ip-forward=true** and **--fixed-cidr-v6** set. Note that this may reject
-  Router Advertisements and interfere with the host's existing IPv6
+  **--ip-forward=true** and an IPv6 enabled bridge network. Note that this
+  may reject Router Advertisements and interfere with the host's existing IPv6
  configuration. For more information, consult the documentation about
  "Advanced Networking - IPv6".

+**--ip-forward-no-drop**=**true**|**false**
+  When **false**, the default, if Docker enables IP forwarding itself (see
+  **--ip-forward**), and **--iptables** or **--ip6tables** are enabled, it
+  also sets the default policy for the FORWARD chain in the iptables or
+  ip6tables filter table to DROP.
+
+  When **true**, and when IP forwarding is already enabled, Docker does
+  not modify the default policy of the FORWARD chain.
+
 **--ip-masq**=**true**|**false**
  Enable IP masquerading for bridge's IP range. Default is **true**.