Docker swarm has added too many iptables rules, and many of them are duplicates. What should I do?

  docker, question
  • On a worker node of the Docker swarm I found that far too many iptables rules have been added. Many of them are useless (I can confirm that some of the ports are no longer used by any container), and there are duplicates (I can confirm that many rules are repeated with no difference at all), as follows:
$ sudo iptables -t nat -L -n -v --line-numbers
 num   pkts bytes target      prot opt in       out     source               destination
 ......
 2483     0     0 MASQUERADE  tcp  --  *        *       192.168.0.33         192.168.0.33         tcp dpt:14129
 2484     0     0 MASQUERADE  tcp  --  *        *       192.168.0.17         192.168.0.17         tcp dpt:14129
 2485     0     0 MASQUERADE  tcp  --  *        *       192.168.0.22         192.168.0.22         tcp dpt:14129
 2486     0     0 MASQUERADE  tcp  --  *        *       192.168.0.23         192.168.0.23         tcp dpt:14129
 2487     0     0 MASQUERADE  tcp  --  *        *       192.168.0.23         192.168.0.23         tcp dpt:14129
 2488     0     0 MASQUERADE  tcp  --  *        *       192.168.0.23         192.168.0.23         tcp dpt:14129
 2489     0     0 MASQUERADE  tcp  --  *        *       192.168.0.23         192.168.0.23         tcp dpt:14129
 2490     0     0 MASQUERADE  tcp  --  *        *       192.168.0.23         192.168.0.23         tcp dpt:14129
 ......
 2484  2009  121K DNAT        tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3504 to:192.168.0.17:14129
 2485 18991 1139K DNAT        tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3505 to:192.168.0.22:14129
 2486  1333 79980 DNAT        tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3506 to:192.168.0.23:14129
 2487  5309  319K DNAT        tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3507 to:192.168.0.23:14129
 2488  3843  231K DNAT        tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3508 to:192.168.0.23:14129
 2489  3360  202K DNAT        tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3509 to:192.168.0.23:14129
 2490    64  3840 DNAT        tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3510 to:192.168.0.23:14129
  • I would expect Docker to remove rules that are no longer needed automatically once the container is deleted. Why doesn't it?
  • Is this also related to the iptables version? The version with the worst problems is iptables v1.4.7; the version with no obvious problems (that is, the number of rules matches the number of containers and there are no duplicates) is iptables v1.4.21.
  • Has anyone else run into the same problem? It can lead to more serious trouble, such as port conflicts: port 5000 on the host is wrongly redirected into a container by the iptables rules.

Answer reference: My blog. It should be related to the iptables version; after upgrading to v1.4.21, the useless rules are cleared automatically.
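As an added example, not part of the question or the answer above, here is a small POSIX shell helper for auditing the state the question describes. It works on `iptables-save -t nat` output rather than on the `-L --line-numbers` listing, because the save format is the exact rule specification that `iptables -D` accepts, and deleting by specification avoids the classic mistake of deleting by rule number (every deletion renumbers the rules after it). It reports rules that occur more than once, emits one `iptables -t nat -D` command per surplus copy so that exactly one copy survives, and flags DNAT rules whose `--to-destination` address is not the IP of a live container. The sample table, the live-IP list and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: audit duplicate and stale Docker NAT rules.
# Input for every function is `iptables-save -t nat` text on stdin.

# Constructed sample of `iptables-save -t nat` output: the same MASQUERADE
# rule for 192.168.0.23 three times, plus two DNAT rules.
SAMPLE_NAT=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -s 192.168.0.23/32 -d 192.168.0.23/32 -p tcp -m tcp --dport 14129 -j MASQUERADE
-A POSTROUTING -s 192.168.0.23/32 -d 192.168.0.23/32 -p tcp -m tcp --dport 14129 -j MASQUERADE
-A POSTROUTING -s 192.168.0.23/32 -d 192.168.0.23/32 -p tcp -m tcp --dport 14129 -j MASQUERADE
-A POSTROUTING -s 192.168.0.17/32 -d 192.168.0.17/32 -p tcp -m tcp --dport 14129 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3504 -j DNAT --to-destination 192.168.0.17:14129
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3506 -j DNAT --to-destination 192.168.0.23:14129
COMMIT
EOF
)

# Constructed list of IPs of running containers (one per line). On a real
# host build it with:
#   docker inspect -f '{{.NetworkSettings.IPAddress}}' $(docker ps -q)
LIVE_IPS='192.168.0.17'

# Print every rule that appears more than once as "<count><TAB><rule>".
find_dup_rules() {
    grep '^-A ' | sort | uniq -c |
        awk '$1 > 1 { c = $1; $1 = ""; sub(/^ /, ""); print c "\t" $0 }'
}

# Emit one `iptables -t nat -D` command per surplus copy. `-D` with a full
# rule spec removes the first matching entry, so running it (count - 1)
# times leaves exactly one copy of the rule in place.
gen_delete_cmds() {
    find_dup_rules | while read -r count rule; do
        spec=${rule#-A }            # "-A CHAIN ..." -> "CHAIN ..."
        i=1
        while [ "$i" -lt "$count" ]; do
            printf 'iptables -t nat -D %s\n' "$spec"
            i=$((i + 1))
        done
    done
}

# Print DNAT rules whose --to-destination IP is not in the live list $1,
# i.e. rules left behind by containers that no longer exist.
find_stale_dnat() {
    live=$1
    grep -- '-j DNAT' | while read -r rule; do
        dest=${rule##*--to-destination }   # "192.168.0.23:14129"
        ip=${dest%%:*}                     # "192.168.0.23"
        printf '%s\n' "$live" | grep -qxF "$ip" || printf '%s\n' "$rule"
    done
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_NAT" | find_dup_rules
printf '%s\n' "$SAMPLE_NAT" | gen_delete_cmds
printf '%s\n' "$SAMPLE_NAT" | find_stale_dnat "$LIVE_IPS"
```

On a real node the workflow is `iptables-save -t nat | gen_delete_cmds`, then reading the generated commands before piping them to `sh`. The stale check compares against live container IPs on purpose: a rule that a running container still needs must not be deleted, while a DNAT rule pointing at an address no container holds is exactly the kind of leftover that causes the host-port hijacking the question mentions.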