- On a worker node of a Docker Swarm, I found that far too many iptables rules have been added. Many of them are useless (I can confirm that some of the ports are no longer used by any container), and there are duplicates (I can confirm that many rules are exact duplicates with no difference at all), as follows:
$ sudo iptables -t nat -L -n --line-numbers -v
......
2483 0 0 MASQUERADE tcp -- * * 192.168.0.33 192.168.0.33 tcp dpt:14129
2484 0 0 MASQUERADE tcp -- * * 192.168.0.17 192.168.0.17 tcp dpt:14129
2485 0 0 MASQUERADE tcp -- * * 192.168.0.22 192.168.0.22 tcp dpt:14129
2486 0 0 MASQUERADE tcp -- * * 192.168.0.23 192.168.0.23 tcp dpt:14129
2487 0 0 MASQUERADE tcp -- * * 192.168.0.23 192.168.0.23 tcp dpt:14129
2488 0 0 MASQUERADE tcp -- * * 192.168.0.23 192.168.0.23 tcp dpt:14129
2489 0 0 MASQUERADE tcp -- * * 192.168.0.23 192.168.0.23 tcp dpt:14129
2490 0 0 MASQUERADE tcp -- * * 192.168.0.23 192.168.0.23 tcp dpt:14129
......
2484 2009 121K DNAT tcp -- ! docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3504 to:192.168.0.17:14129
2485 18991 1139K DNAT tcp -- ! docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3505 to:192.168.0.22:14129
2486 1333 79980 DNAT tcp -- ! docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3506 to:192.168.0.23:14129
2487 5309 319K DNAT tcp -- ! docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3507 to:192.168.0.23:14129
2488 3843 231K DNAT tcp -- ! docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3508 to:192.168.0.23:14129
2489 3360 202K DNAT tcp -- ! docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3509 to:192.168.0.23:14129
2490 64 3840 DNAT tcp -- ! docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3510 to:192.168.0.23:14129
- I think Docker should automatically remove the useless rules after the container is deleted. Why doesn't it?
- Is it also related to the iptables version? The most problematic version is iptables v1.4.7, and the version with no obvious problems (that is, the number of rules is not excessive, exactly matches the number of containers, and there are no duplicates) is iptables v1.4.21.
- Has anyone encountered the same problem? It may cause more serious problems, such as port conflicts, with 5000 ports on the host being mistakenly redirected to containers by iptables rules.
Answer reference: My blog. It should be related to the iptables version; after upgrading to v1.4.21, the useless rules are cleared automatically.
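As an added example (not part of the question or the answer above), the following script audits a `iptables -t nat -L -n --line-numbers -v` listing the way the question describes: it groups rules by chain and match/target to find exact duplicates, and flags DNAT rules whose host port is no longer published by any container. The sample listing and the set of published ports are constructed here; in practice the listing comes from the command above and the ports from `docker ps`.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `iptables -t nat -L -n --line-numbers -v`,
# modelled on the listing in the question (duplicate MASQUERADE rules, DNAT rules).
SAMPLE_OUTPUT = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
2486 0 0 MASQUERADE tcp -- * * 192.168.0.23 192.168.0.23 tcp dpt:14129
2487 0 0 MASQUERADE tcp -- * * 192.168.0.23 192.168.0.23 tcp dpt:14129
2488 0 0 MASQUERADE tcp -- * * 192.168.0.23 192.168.0.23 tcp dpt:14129

Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
2484 2009 121K DNAT tcp -- ! docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3504 to:192.168.0.17:14129
2486 1333 79980 DNAT tcp -- ! docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3506 to:192.168.0.23:14129
2487 5309 319K DNAT tcp -- ! docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3507 to:192.168.0.23:14129
"""

def parse_nat_rules(listing):
    # Returns (chain, rule_number, rule_key); rule_key drops the line number and the
    # packet/byte counters so two rules with identical match and target compare equal.
    rules, chain = [], None
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Chain":
            chain = tokens[1]
        elif tokens[0] != "num":  # skip the column header line
            rules.append((chain, int(tokens[0]), " ".join(tokens[3:])))
    return rules

def find_duplicates(rules):
    # Maps (chain, rule_key) to the line numbers of every rule that occurs more than once.
    seen = defaultdict(list)
    for chain, num, key in rules:
        seen[(chain, key)].append(num)
    return {k: nums for k, nums in seen.items() if len(nums) > 1}

def find_stale_dnat(rules, published_host_ports):
    # DNAT rules whose host port (dpt:) is not published by any running container.
    stale = []
    for chain, num, key in rules:
        m = re.search(r"\bDNAT\b.*\bdpt:(\d+) to:", key)
        if m and int(m.group(1)) not in published_host_ports:
            stale.append((chain, num))
    return stale

if __name__ == "__main__":
    rules = parse_nat_rules(SAMPLE_OUTPUT)
    for (chain, key), nums in find_duplicates(rules).items():
        print(f"{chain}: duplicated at lines {nums}: {key}")
    print("stale DNAT rules:", find_stale_dnat(rules, {3504, 3506}))
```

When removing the surplus copies with `iptables -t nat -D <chain> <num>`, delete from the highest line number down, since every deletion renumbers the rules below it.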