docker/nftables-docker.nft

table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
		counter jump DOCKER-USER
		counter jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" ct state established,related counter accept
		oifname "docker0" counter jump DOCKER
		iifname "docker0" oifname != "docker0" counter accept
		iifname "docker0" oifname "docker0" counter accept
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}

	chain DOCKER {
	}

	chain DOCKER-ISOLATION-STAGE-1 {
		iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
		counter return
	}

	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter drop
		counter return
	}

	chain DOCKER-USER {
		counter return
	}
}
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority -100; policy accept;
		fib daddr type local counter jump DOCKER
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority 100; policy accept;
		oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
	}

	chain DOCKER {
		iifname "docker0" counter return
	}
}
24.0.2 2024-04-10 20:04:25 +00:00			`table ip filter {`
			`chain INPUT {`
			`type filter hook input priority 0; policy accept;`
			`}`

			`chain FORWARD {`
			`type filter hook forward priority 0; policy accept;`
			`counter jump DOCKER-USER`
			`counter jump DOCKER-ISOLATION-STAGE-1`
			`oifname "docker0" ct state established,related counter accept`
			`oifname "docker0" counter jump DOCKER`
			`iifname "docker0" oifname != "docker0" counter accept`
			`iifname "docker0" oifname "docker0" counter accept`
			`}`

			`chain OUTPUT {`
			`type filter hook output priority 0; policy accept;`
			`}`

			`chain DOCKER {`
			`}`

			`chain DOCKER-ISOLATION-STAGE-1 {`
			`iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2`
			`counter return`
			`}`

			`chain DOCKER-ISOLATION-STAGE-2 {`
			`oifname "docker0" counter drop`
			`counter return`
			`}`

			`chain DOCKER-USER {`
			`counter return`
			`}`
			`}`
			`table ip nat {`
			`chain PREROUTING {`
			`type nat hook prerouting priority -100; policy accept;`
			`fib daddr type local counter jump DOCKER`
			`}`

			`chain INPUT {`
			`type nat hook input priority 100; policy accept;`
			`}`

			`chain POSTROUTING {`
			`type nat hook postrouting priority 100; policy accept;`
			`oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade`
			`}`

			`chain OUTPUT {`
			`type nat hook output priority -100; policy accept;`
			`ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER`
			`}`

			`chain DOCKER {`
			`iifname "docker0" counter return`
			`}`
			`}`