From 1f96ec16ecdb98b83244b4c97faf314552948924 Mon Sep 17 00:00:00 2001
From: Gerard Ryan
Date: Wed, 27 Apr 2022 21:11:14 +1000
Subject: dockerd: Add firewall independent dependencies

Signed-off-by: Gerard Ryan
---
 utils/dockerd/files/etc/config/dockerd | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'utils/dockerd/files')

diff --git a/utils/dockerd/files/etc/config/dockerd b/utils/dockerd/files/etc/config/dockerd
index 196391a86..dd7523543 100644
--- a/utils/dockerd/files/etc/config/dockerd
+++ b/utils/dockerd/files/etc/config/dockerd
@@ -21,8 +21,15 @@ config globals 'globals'
 # list registry_mirrors 'https://'
 # list registry_mirrors 'https://hub.docker.com'
 
-# Docker ignores fw3 rules and by default all external source IPs are allowed to connect to the Docker host.
+# Docker doesn't work well out of the box with fw4. This is because Docker relies on a compatibility layer that
+# naively translates iptables rules. For the best compatibility replace the following dependencies:
+# `firewall4` -> `firewall`
+# `iptables-nft` -> `iptables-legacy`
+# `ip6tables-nft` -> `ip6tables-legacy`
+
+# Docker undermines the fw3 rules. By default all external source IPs are allowed to connect to the Docker host.
 # See https://docs.docker.com/network/iptables/ for more details.
+
 # firewall config changes are only additive i.e firewall will need to be restarted first to clear old changes,
 # then docker restarted to load in new changes.
 config firewall 'firewall'
-- 
cgit v1.2.3
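Review bot: The new fw4 comment block does not say whether the restrictions set in the `config firewall 'firewall'` section that follows are still enforced when `firewall4` and `iptables-nft` remain installed. Since the retained text states that all external source IPs can reach the Docker host by default, a reader on fw4 could assume that section protects them when it may not; the hunk alone does not show which is true. I would add a line such as `# With firewall4 and iptables-nft, confirm that the restrictions from the 'firewall' section below are actually in effect.` The package list would also be clearer if it said how the replacement is meant to be done (image build selection or on-device package swap). The body of the `firewall` section lies outside this hunk.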