Bug 1690448

Summary: update iptables to 1.8.2 to fix startup errors of dockerd / moby-engine
Product: Fedora
Component: iptables
Version: 29
Reporter: Georg Müller <georgmueller>
Assignee: Phil Sutter <psutter>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: fedora, jpopelka, psutter, twoerner
Status: CLOSED NEXTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2019-06-08 19:11:59 UTC

Description Georg Müller 2019-03-19 13:57:40 UTC
Description of problem:

Version-Release number of selected component (if applicable):
iptables-1.8.0-3.fc29.x86_64
moby-engine-18.06.0-2.ce.git0ffa825.fc29.x86_64

How reproducible:

Steps to Reproduce:
1. update-alternatives --config iptables
 -> select iptables-nft
2. systemctl restart docker (or maybe the whole system)

Actual results:
docker fails to start:
Error starting daemon: Error initializing network controller: error obtaining controller instance: unable to add return rule in DOCKER-ISOLATION-STAGE-1 chain:  (COMMAND_FAILED: '/usr/sbin/iptables -w10 -A DOCKER-ISOLATION-STAGE-1 -j RETURN' failed: iptables v1.8.0 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain DOCKER-ISOLATION-STAGE-1

Expected results:
docker starts

Additional info:
The problem is caused by a bug in iptables 1.8.0, which is fixed in iptables 1.8.1 (and thus also in 1.8.2).

https://git.netfilter.org/iptables/commit/?id=03572549df349455fcade80dfab0b28904975330

The problem with iptables-1.8.0 is the following behavior glitch:

$ iptables-legacy -t filter -n -L FOO-BAR-TEST
iptables: No chain/target/match by that name.
$ echo $?
1

$ iptables-nft -t filter -n -L FOO-BAR-TEST
# Warning: iptables-legacy tables present, use iptables-legacy to see them
$ echo $?
0

docker relies on iptables -L throwing an error if a table does not exist.
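
The check below is an added example, not code from the bug report or from moby/docker. It shows how a caller can decide whether a chain exists without trusting the exit status of `iptables -L`, which the nf_tables backend of 1.8.0 got wrong: it inspects the listing for the "Chain NAME" header line instead, which both iptables-legacy and iptables-nft print when the chain is there and neither prints when it is not. The sample listings are constructed from the outputs quoted above; the `iptables` binary, the `-w 10` lock wait and the `chain_exists` wrapper name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or from moby/docker): test for an
# iptables chain by parsing the listing rather than relying on the exit status
# of `iptables -L`, which iptables 1.8.0 (nf_tables) returns as 0 for a
# missing chain. Works the same way for iptables-legacy and iptables-nft.

# chain_listed LISTING CHAIN
# Returns 0 if LISTING (the stdout of `iptables -t TABLE -n -L CHAIN`)
# contains the header line for CHAIN, 1 otherwise.
chain_listed() {
    _listing=$1
    _chain=$2
    # Header lines look like "Chain DOCKER-ISOLATION-STAGE-1 (1 references)"
    # or "Chain INPUT (policy ACCEPT)". The "# Warning: iptables-legacy tables
    # present ..." line that iptables-nft 1.8.0 emits starts with '#', so it
    # can never match. Chain names are [A-Za-z0-9_-], safe in a basic regex.
    printf '%s\n' "$_listing" | grep -q "^Chain $_chain "
}

# chain_exists TABLE CHAIN
# Runs the real iptables (assumed on PATH; -w 10 waits up to 10 s for the
# xtables lock) and applies the same test. stderr is discarded because
# iptables-legacy prints "No chain/target/match by that name." there; the
# exit status is deliberately ignored.
chain_exists() {
    _table=$1
    _chain=$2
    chain_listed "$(iptables -w 10 -t "$_table" -n -L "$_chain" 2>/dev/null)" "$_chain"
}

# Constructed sample stdout for the three cases seen in the report.
# iptables-legacy 1.8.0, chain missing: error goes to stderr, stdout is empty.
LEGACY_MISSING=''
# iptables-nft 1.8.0, chain missing: only the warning, but exit status 0.
NFT_MISSING='# Warning: iptables-legacy tables present, use iptables-legacy to see them'
# iptables-nft 1.8.0, chain present.
NFT_PRESENT='# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Demonstration on the constructed listings (no root, no iptables needed).
for case in LEGACY_MISSING NFT_MISSING NFT_PRESENT; do
    eval "listing=\$$case"
    if chain_listed "$listing" DOCKER-ISOLATION-STAGE-1; then
        echo "$case: DOCKER-ISOLATION-STAGE-1 present"
    else
        echo "$case: DOCKER-ISOLATION-STAGE-1 absent"
    fi
done
```

A daemon that only needs to know whether to create the chain can therefore run `chain_exists filter DOCKER-ISOLATION-STAGE-1 || iptables -t filter -N DOCKER-ISOLATION-STAGE-1` and get the same answer on 1.8.0 nft, 1.8.1+ and the legacy backend; the fix linked above makes the exit status reliable again, but parsing the header costs nothing and survives the next such glitch.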

Comment 1 Phil Sutter 2019-06-08 19:11:59 UTC
F30 contains the requested update.