Apply Docker iptables workaround

petrutlucian94 · petrutlucian94 · commit a81fc16e18f9 · 2025-04-01T16:04:58.000Z
diff --git a/.github/workflows/build-snap.yml b/.github/workflows/build-snap.yml
@@ -18,6 +18,24 @@ jobs:
           sudo lxd init --auto
           sudo usermod --append --groups lxd $USER
           sg lxd -c 'lxc version'
+      # Docker sets iptables rules that interfere with LXD.
+      # https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/#prevent-connectivity-issues-with-lxd-and-docker
+      - name: Apply Docker iptables workaround
+        shell: bash
+        run: |
+          set -x
+          ip a
+          ip r
+
+          bridges=('lxdbr0' 'dualstack-br0' 'ipv6-br0')
+          for i in ${bridges[@]}; do
+            set +e
+            sudo iptables  -I DOCKER-USER -i $i -j ACCEPT
+            sudo ip6tables -I DOCKER-USER -i $i -j ACCEPT
+            sudo iptables  -I DOCKER-USER -o $i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+            sudo ip6tables -I DOCKER-USER -o $i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+            set -e
+          done
       - name: Install snapcraft
         run: |
           sudo snap install snapcraft --classic
@@ -197,6 +215,24 @@ jobs:
           sudo lxc network set lxdbr0 ipv6.address=none
           sudo usermod --append --groups lxd $USER
           sg lxd -c 'lxc version'
+      # Docker sets iptables rules that interfere with LXD.
+      # https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/#prevent-connectivity-issues-with-lxd-and-docker
+      - name: Apply Docker iptables workaround
+        shell: bash
+        run: |
+          set -x
+          ip a
+          ip r
+
+          bridges=('lxdbr0' 'dualstack-br0' 'ipv6-br0')
+          for i in ${bridges[@]}; do
+            set +e
+            sudo iptables  -I DOCKER-USER -i $i -j ACCEPT
+            sudo ip6tables -I DOCKER-USER -i $i -j ACCEPT
+            sudo iptables  -I DOCKER-USER -o $i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+            sudo ip6tables -I DOCKER-USER -o $i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+            set -e
+          done
       - name: Run airgap tests
         run: |
           sudo -E bash -x -c "./tests/libs/airgap.sh --distro ubuntu:22.04 --channel $PWD/build/microk8s.snap"
