moby · akerouanton · May 24, 2024 · Apr 30, 2024 · Apr 24, 2024 · Apr 24, 2024
diff --git a/cmd/dockerd/config_unix.go b/cmd/dockerd/config_unix.go
@@ -28,7 +28,7 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 	flags.BoolVar(&conf.EnableSelinuxSupport, "selinux-enabled", false, "Enable selinux support")
 	flags.Var(opts.NewNamedUlimitOpt("default-ulimits", &conf.Ulimits), "default-ulimit", "Default ulimits for containers")
 	flags.BoolVar(&conf.BridgeConfig.EnableIPTables, "iptables", true, "Enable addition of iptables rules")
-	flags.BoolVar(&conf.BridgeConfig.EnableIP6Tables, "ip6tables", false, "Enable addition of ip6tables rules (experimental)")
+	flags.BoolVar(&conf.BridgeConfig.EnableIP6Tables, "ip6tables", true, "Enable addition of ip6tables rules")
 	flags.BoolVar(&conf.BridgeConfig.EnableIPForward, "ip-forward", true, "Enable net.ipv4.ip_forward")
 	flags.BoolVar(&conf.BridgeConfig.EnableIPMasq, "ip-masq", true, "Enable IP masquerading")
 	flags.BoolVar(&conf.BridgeConfig.EnableIPv6, "ipv6", false, "Enable IPv6 networking")

diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
@@ -737,11 +737,13 @@ func verifyDaemonSettings(conf *config.Config) error {
 	if conf.BridgeConfig.Iface != "" && conf.BridgeConfig.IP != "" {
 		return fmt.Errorf("You specified -b & --bip, mutually exclusive options. Please specify only one")
 	}
-	if !conf.BridgeConfig.EnableIPTables && !conf.BridgeConfig.InterContainerCommunication {
-		return fmt.Errorf("You specified --iptables=false with --icc=false. ICC=false uses iptables to function. Please set --icc or --iptables to true")
-	}
-	if conf.BridgeConfig.EnableIP6Tables && !conf.Experimental {
-		return fmt.Errorf("ip6tables rules are only available if experimental features are enabled")
+	if !conf.BridgeConfig.InterContainerCommunication {
+		if !conf.BridgeConfig.EnableIPTables {
+			return fmt.Errorf("You specified --iptables=false with --icc=false. ICC=false uses iptables to function. Please set --icc or --iptables to true")
+		}
+		if conf.BridgeConfig.EnableIPv6 && !conf.BridgeConfig.EnableIP6Tables {
+			return fmt.Errorf("You specified --ip6tables=false with --icc=false. ICC=false uses ip6tables to function. Please set --icc or --ip6tables to true")
+		}
 	}
 	if !conf.BridgeConfig.EnableIPTables && conf.BridgeConfig.EnableIPMasq {
 		conf.BridgeConfig.EnableIPMasq = false

diff --git a/integration-cli/docker_api_swarm_test.go b/integration-cli/docker_api_swarm_test.go
@@ -861,7 +861,7 @@ func (s *DockerSwarmSuite) TestAPISwarmRestartCluster(c *testing.T) {
 		for _, d := range nodes {
 			go func(daemon *daemon.Daemon) {
 				defer wg.Done()
-				if err := daemon.StartWithError("--iptables=false"); err != nil {
+				if err := daemon.StartWithError("--iptables=false", "--ip6tables=false"); err != nil {
 					errs <- err
 				}
 			}(d)

diff --git a/integration-cli/docker_cli_logs_test.go b/integration-cli/docker_cli_logs_test.go
@@ -292,7 +292,7 @@ func (s *DockerCLILogsSuite) TestLogsFollowGoroutinesWithStdout(c *testing.T) {
 		d.Stop(c)
 		d.Cleanup(c)
 	}()
-	d.StartWithBusybox(ctx, c, "--iptables=false")
+	d.StartWithBusybox(ctx, c, "--iptables=false", "--ip6tables=false")
 
 	out, err := d.Cmd("run", "-d", "busybox", "/bin/sh", "-c", "while true; do echo hello; sleep 2; done")
 	assert.NilError(c, err)
@@ -349,7 +349,7 @@ func (s *DockerCLILogsSuite) TestLogsFollowGoroutinesNoOutput(c *testing.T) {
 
 	ctx := testutil.GetContext(c)
 
-	d.StartWithBusybox(ctx, c, "--iptables=false")
+	d.StartWithBusybox(ctx, c, "--iptables=false", "--ip6tables=false")
 
 	out, err := d.Cmd("run", "-d", "busybox", "/bin/sh", "-c", "while true; do sleep 2; done")
 	assert.NilError(c, err)

diff --git a/integration/container/daemon_linux_test.go b/integration/container/daemon_linux_test.go
@@ -41,7 +41,7 @@ func TestContainerStartOnDaemonRestart(t *testing.T) {
 	ctx := testutil.StartSpan(baseContext, t)
 
 	d := daemon.New(t)
-	d.StartWithBusybox(ctx, t, "--iptables=false")
+	d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false")
 	defer d.Stop(t)
 
 	c := d.NewClientT(t)
@@ -66,7 +66,7 @@ func TestContainerStartOnDaemonRestart(t *testing.T) {
 	err = unix.Kill(ppid, unix.SIGKILL)
 	assert.Check(t, err, "failed to kill containerd-shim")
 
-	d.Start(t, "--iptables=false")
+	d.Start(t, "--iptables=false", "--ip6tables=false")
 
 	err = c.ContainerStart(ctx, cID, containertypes.StartOptions{})
 	assert.Check(t, err, "failed to start test container")
@@ -95,7 +95,7 @@ func TestDaemonRestartIpcMode(t *testing.T) {
 	ctx := testutil.StartSpan(baseContext, t)
 
 	d := daemon.New(t)
-	d.StartWithBusybox(ctx, t, "--iptables=false", "--default-ipc-mode=private")
+	d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false", "--default-ipc-mode=private")
 	defer d.Stop(t)
 
 	c := d.NewClientT(t)
@@ -112,7 +112,7 @@ func TestDaemonRestartIpcMode(t *testing.T) {
 	assert.Check(t, is.Equal(string(inspect.HostConfig.IpcMode), "private"))
 
 	// restart the daemon with shareable default ipc mode
-	d.Restart(t, "--iptables=false", "--default-ipc-mode=shareable")
+	d.Restart(t, "--iptables=false", "--ip6tables=false", "--default-ipc-mode=shareable")
 
 	// check the container is still having private ipc mode
 	inspect, err = c.ContainerInspect(ctx, cID)
@@ -144,7 +144,7 @@ func TestDaemonHostGatewayIP(t *testing.T) {
 	// Verify the IP in /etc/hosts is same as host-gateway-ip
 	d := daemon.New(t)
 	// Verify the IP in /etc/hosts is same as the default bridge's IP
-	d.StartWithBusybox(ctx, t, "--iptables=false")
+	d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false")
 	c := d.NewClientT(t)
 	cID := container.Run(ctx, t, c,
 		container.WithExtraHost("host.docker.internal:host-gateway"),
@@ -160,7 +160,7 @@ func TestDaemonHostGatewayIP(t *testing.T) {
 	d.Stop(t)
 
 	// Verify the IP in /etc/hosts is same as host-gateway-ip
-	d.StartWithBusybox(ctx, t, "--iptables=false", "--host-gateway-ip=6.7.8.9")
+	d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false", "--host-gateway-ip=6.7.8.9")
 	cID = container.Run(ctx, t, c,
 		container.WithExtraHost("host.docker.internal:host-gateway"),
 	)
@@ -195,7 +195,7 @@ func TestRestartDaemonWithRestartingContainer(t *testing.T) {
 	d := daemon.New(t)
 	defer d.Cleanup(t)
 
-	d.StartWithBusybox(ctx, t, "--iptables=false")
+	d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false")
 	defer d.Stop(t)
 
 	apiClient := d.NewClientT(t)
@@ -212,7 +212,7 @@ func TestRestartDaemonWithRestartingContainer(t *testing.T) {
 		c.HasBeenStartedBefore = true
 	})
 
-	d.Start(t, "--iptables=false")
+	d.Start(t, "--iptables=false", "--ip6tables=false")
 
 	ctxTimeout, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
@@ -241,7 +241,7 @@ func TestHardRestartWhenContainerIsRunning(t *testing.T) {
 	d := daemon.New(t)
 	defer d.Cleanup(t)
 
-	d.StartWithBusybox(ctx, t, "--iptables=false")
+	d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false")
 	defer d.Stop(t)
 
 	apiClient := d.NewClientT(t)
@@ -261,7 +261,7 @@ func TestHardRestartWhenContainerIsRunning(t *testing.T) {
 		})
 	}
 
-	d.Start(t, "--iptables=false")
+	d.Start(t, "--iptables=false", "--ip6tables=false")
 
 	t.Run("RestartPolicy=none", func(t *testing.T) {
 		ctx := testutil.StartSpan(ctx, t)

diff --git a/integration/container/daemon_test.go b/integration/container/daemon_test.go
@@ -26,7 +26,7 @@ func TestContainerKillOnDaemonStart(t *testing.T) {
 	d := daemon.New(t)
 	defer d.Cleanup(t)
 
-	d.StartWithBusybox(ctx, t, "--iptables=false")
+	d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false")
 	defer d.Stop(t)
 
 	apiClient := d.NewClientT(t)
@@ -44,7 +44,7 @@ func TestContainerKillOnDaemonStart(t *testing.T) {
 	assert.Assert(t, inspect.State.Running)
 
 	assert.NilError(t, d.Kill())
-	d.Start(t, "--iptables=false")
+	d.Start(t, "--iptables=false", "--ip6tables=false")
 
 	inspect, err = apiClient.ContainerInspect(ctx, id)
 	assert.Check(t, is.Nil(err))

diff --git a/integration/container/restart_test.go b/integration/container/restart_test.go
@@ -85,7 +85,7 @@ func TestDaemonRestartKillContainers(t *testing.T) {
 					d := daemon.New(t)
 					apiClient := d.NewClientT(t)
 
-					args := []string{"--iptables=false"}
+					args := []string{"--iptables=false", "--ip6tables=false"}
 					if liveRestoreEnabled {
 						args = append(args, "--live-restore")
 					}

diff --git a/integration/daemon/daemon_test.go b/integration/daemon/daemon_test.go
@@ -40,7 +40,7 @@ func TestConfigDaemonID(t *testing.T) {
 	d := daemon.New(t)
 	defer d.Stop(t)
 
-	d.Start(t, "--iptables=false")
+	d.Start(t, "--iptables=false", "--ip6tables=false")
 	info := d.Info(t)
 	assert.Check(t, info.ID != "")
 	d.Stop(t)
@@ -54,7 +54,7 @@ func TestConfigDaemonID(t *testing.T) {
 	err := os.WriteFile(idFile, []byte(engineID), 0o644)
 	assert.NilError(t, err)
 
-	d.Start(t, "--iptables=false")
+	d.Start(t, "--iptables=false", "--ip6tables=false")
 	info = d.Info(t)
 	assert.Equal(t, info.ID, engineID)
 	d.Stop(t)
@@ -212,7 +212,7 @@ func TestDaemonProxy(t *testing.T) {
 		))
 		c := d.NewClientT(t)
 
-		d.Start(t, "--iptables=false")
+		d.Start(t, "--iptables=false", "--ip6tables=false")
 		defer d.Stop(t)
 
 		info := d.Info(t)
@@ -248,7 +248,7 @@ func TestDaemonProxy(t *testing.T) {
 			"no_proxy=ignore.invalid",
 			"OTEL_EXPORTER_OTLP_ENDPOINT=", // To avoid OTEL hitting the proxy.
 		))
-		d.Start(t, "--iptables=false", "--http-proxy", proxyServer.URL, "--https-proxy", proxyServer.URL, "--no-proxy", "example.com")
+		d.Start(t, "--iptables=false", "--ip6tables=false", "--http-proxy", proxyServer.URL, "--https-proxy", proxyServer.URL, "--no-proxy", "example.com")
 		defer d.Stop(t)
 
 		c := d.NewClientT(t)
@@ -305,7 +305,7 @@ func TestDaemonProxy(t *testing.T) {
 		configJSON := fmt.Sprintf(`{"proxies":{"http-proxy":%[1]q, "https-proxy": %[1]q, "no-proxy": "example.com"}}`, proxyServer.URL)
 		assert.NilError(t, os.WriteFile(configFile, []byte(configJSON), 0o644))
 
-		d.Start(t, "--iptables=false", "--config-file", configFile)
+		d.Start(t, "--iptables=false", "--ip6tables=false", "--config-file", configFile)
 		defer d.Stop(t)
 
 		info := d.Info(t)
@@ -370,7 +370,7 @@ func TestDaemonProxy(t *testing.T) {
 		d := daemon.New(t, daemon.WithEnvVars(
 			"OTEL_EXPORTER_OTLP_ENDPOINT=", // To avoid OTEL hitting the proxy.
 		))
-		d.Start(t, "--iptables=false", "--http-proxy", proxyRawURL, "--https-proxy", proxyRawURL, "--no-proxy", "example.com")
+		d.Start(t, "--iptables=false", "--ip6tables=false", "--http-proxy", proxyRawURL, "--https-proxy", proxyRawURL, "--no-proxy", "example.com")
 		defer d.Stop(t)
 		err := d.Signal(syscall.SIGHUP)
 		assert.NilError(t, err)
@@ -398,7 +398,7 @@ func testLiveRestoreAutoRemove(t *testing.T) {
 
 	run := func(t *testing.T) (*daemon.Daemon, func(), string) {
 		d := daemon.New(t)
-		d.StartWithBusybox(ctx, t, "--live-restore", "--iptables=false")
+		d.StartWithBusybox(ctx, t, "--live-restore", "--iptables=false", "--ip6tables=false")
 		t.Cleanup(func() {
 			d.Stop(t)
 			d.Cleanup(t)
@@ -425,7 +425,7 @@ func testLiveRestoreAutoRemove(t *testing.T) {
 	t.Run("engine restart shouldnt kill alive containers", func(t *testing.T) {
 		d, finishContainer, cID := run(t)
 
-		d.Restart(t, "--live-restore", "--iptables=false")
+		d.Restart(t, "--live-restore", "--iptables=false", "--ip6tables=false")
 
 		apiClient := d.NewClientT(t)
 		_, err := apiClient.ContainerInspect(ctx, cID)
@@ -450,7 +450,7 @@ func testLiveRestoreAutoRemove(t *testing.T) {
 		finishContainer()
 		poll.WaitOn(t, process.NotAlive(pid))
 
-		d.Start(t, "--live-restore", "--iptables=false")
+		d.Start(t, "--live-restore", "--iptables=false", "--ip6tables=false")
 
 		poll.WaitOn(t, container.IsRemoved(ctx, apiClient, cID))
 	})
@@ -461,7 +461,7 @@ func testLiveRestoreVolumeReferences(t *testing.T) {
 	ctx := testutil.StartSpan(baseContext, t)
 
 	d := daemon.New(t)
-	d.StartWithBusybox(ctx, t, "--live-restore", "--iptables=false")
+	d.StartWithBusybox(ctx, t, "--live-restore", "--iptables=false", "--ip6tables=false")
 	defer func() {
 		d.Stop(t)
 		d.Cleanup(t)
@@ -486,7 +486,7 @@ func testLiveRestoreVolumeReferences(t *testing.T) {
 			defer c.ContainerRemove(ctx, cID, containertypes.RemoveOptions{Force: true})
 
 			// Stop the daemon
-			d.Restart(t, "--live-restore", "--iptables=false")
+			d.Restart(t, "--live-restore", "--iptables=false", "--ip6tables=false")
 
 			// Try to remove the volume
 			err = c.VolumeRemove(ctx, volName, false)
@@ -544,7 +544,7 @@ func testLiveRestoreVolumeReferences(t *testing.T) {
 			return poll.Success()
 		})
 
-		d.Restart(t, "--live-restore", "--iptables=false")
+		d.Restart(t, "--live-restore", "--iptables=false", "--ip6tables=false")
 
 		// Try to remove the volume
 		// This should fail since its used by a container
@@ -599,7 +599,7 @@ func testLiveRestoreVolumeReferences(t *testing.T) {
 		cID := container.Run(ctx, t, c, container.WithMount(m), container.WithCmd("top"))
 		defer c.ContainerRemove(ctx, cID, containertypes.RemoveOptions{Force: true})
 
-		d.Restart(t, "--live-restore", "--iptables=false")
+		d.Restart(t, "--live-restore", "--iptables=false", "--ip6tables=false")
 
 		err := c.ContainerRemove(ctx, cID, containertypes.RemoveOptions{Force: true})
 		assert.NilError(t, err)

diff --git a/integration/image/import_test.go b/integration/image/import_test.go
@@ -29,7 +29,7 @@ func TestImportExtremelyLargeImageWorks(t *testing.T) {
 
 	// Spin up a new daemon, so that we can run this test in parallel (it's a slow test)
 	d := daemon.New(t)
-	d.Start(t, "--iptables=false")
+	d.Start(t, "--iptables=false", "--ip6tables=false")
 	defer d.Stop(t)
 
 	client := d.NewClientT(t)