Docker does not seem to have networking set up properly. Attempting to pull an image fails:
$ docker pull archlinux
Using default tag: latest
Error response from daemon: failed to resolve reference "docker.io/library/archlinux:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/archlinux/manifests/latest": dial tcp: lookup registry-1.docker.io: Temporary failure in name resolution
Installed packages:
$ sudo pacman -Q | grep -Ei "iptables|nftables|docker"
docker 1:29.5.1-1
iptables-legacy 1:1.8.13-1
nftables 1:1.1.6-3
Network interfaces. wlan0 is the name of the interface with internet access.
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp2s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 04:42:1a:86:ad:8d brd ff:ff:ff:ff:ff:ff
altname enx04421a86ad8d
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 64:49:7d:c1:2a:69 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.2/24 brd 192.168.0.255 scope global dynamic noprefixroute wlan0
valid_lft 37833sec preferred_lft 37833sec
inet6 fe80::1fb8:aeb8:61a8:3bcc/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: virbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb state DOWN group default qlen 1000
link/ether 52:54:00:5d:5d:da brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope global virbr1
valid_lft forever preferred_lft forever
5: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb state DOWN group default qlen 1000
link/ether 52:54:00:bf:59:31 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.1/24 brd 10.0.2.255 scope global virbr0
valid_lft forever preferred_lft forever
23: docker0@if22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 46:bc:3e:13:50:09 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.0.1/24 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::44bc:3eff:fe13:5009/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
Nftables configuration. In the postrouting chain, interface wlan0 is used.
$ cat /etc/nftables.conf
# Remove any previous instance of this table before redefining it; "destroy"
# (unlike "delete") does not fail when the table does not exist yet.
destroy table inet filter
table inet filter {
# Host-bound traffic. The default is drop; the rules below list what the host
# itself accepts. No rule here accepts new connections arriving on docker0, so
# the docker daemon's namespace (10.0.0.100 on the veth end) can reach services
# on the host only via ICMP or via flows the host initiated.
chain input {
type filter hook input priority filter
policy drop
# DNS (53) and DHCP (67) from libvirt guests to the host.
iifname "virbr0" udp dport { 53, 67 } counter accept
iifname "virbr1" udp dport { 53, 67 } counter accept
ct state invalid drop comment "early drop of invalid connections"
ct state {established, related} accept comment "allow tracked connections"
iif lo accept comment "allow from loopback"
ip protocol icmp accept comment "allow icmp"
meta l4proto ipv6-icmp accept comment "allow icmp v6"
# Rate-limited explicit reject for unicast connection attempts; anything else
# falls through to the final counter and the drop policy.
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter
}
# Routed traffic. The two docker0 rules carry no conntrack or peer-interface
# restriction: packets from any interface toward docker0 are forwarded, and
# traffic from docker0 may also reach virbr0 via the oifname "virbr0" rule.
# NOTE(review): if only Internet egress and its replies are intended, consider
# narrowing these to "iifname docker0 oifname wlan0 accept" plus
# "oifname docker0 ct state established,related accept" -- confirm intent.
chain forward {
type filter hook forward priority filter
policy drop
iifname "virbr0" accept comment "allow libvirt VM packet forwarding"
oifname "virbr0" accept comment "allow libvirt VM packet forwarding"
iifname docker0 accept
oifname docker0 accept
}
# Source NAT for traffic from docker0 leaving via wlan0 only; traffic that
# egresses another interface (e.g. enp2s0) would be forwarded un-NATed.
chain postrouting {
type nat hook postrouting priority srcnat
policy accept
iifname docker0 oifname wlan0 masquerade
}
}
Contents of /etc/systemd/system/docker.service.d/netns.conf, as instructed by the wiki page.
$ cat /etc/systemd/system/docker.service.d/netns.conf
[Service]
# Run dockerd in its own network namespace; the host only sees the "docker0"
# veth end created below. ExecStartPre= commands run inside that namespace
# too, which is why the host-side steps are wrapped in "nsenter -t 1 -n".
PrivateNetwork=yes
# Keep the host mount namespace, so the daemon still sees the host's /etc
# (including /etc/resolv.conf) and the usual docker data directories.
PrivateMounts=No
# cleanup -- the leading "-" makes systemd ignore a failure here, e.g. when no
# stale docker0 exists on a first start.
ExecStartPre=-nsenter -t 1 -n -- ip link delete docker0
# add veth -- create the pair in the host namespace, then move the docker0_ns
# end into this service's namespace. "$$" is systemd's escape for a literal
# "$", so the shell sees $BASHPID, the PID of the sh process running inside
# the private namespace. NOTE(review): BASHPID is bash-specific; this relies
# on /bin/sh being bash -- confirm on this system.
ExecStartPre=nsenter -t 1 -n -- ip link add docker0 type veth peer name docker0_ns
ExecStartPre=sh -c 'nsenter -t 1 -n -- ip link set docker0_ns netns "$$BASHPID" && true'
ExecStartPre=ip link set docker0_ns name eth0
# bring host online -- 10.0.0.1/24 on the host end of the veth.
ExecStartPre=nsenter -t 1 -n -- ip addr add 10.0.0.1/24 dev docker0
ExecStartPre=nsenter -t 1 -n -- ip link set docker0 up
# bring ns online -- 10.0.0.100/24 on the namespace end; the default route via
# the host is added on the following line. NOTE(review): the daemon's own name
# lookups (e.g. for the registry) use the host's /etc/resolv.conf, not the
# "dns" entry in daemon.json, which only configures containers. A nameserver
# on 127.0.0.0/8 (a local stub resolver) is not reachable from inside a
# private network namespace and would produce a "Temporary failure in name
# resolution" on pull -- verify what /etc/resolv.conf points to.
ExecStartPre=ip addr add 10.0.0.100/24 dev eth0
ExecStartPre=ip link set eth0 up
ExecStartPre=ip route add default via 10.0.0.1 dev eth0
Output of the nftables ruleset:
$ sudo nft list ruleset
table ip libvirt_network {
comment "Managed by libvirt for virtual networks: https://libvirt.org/firewall.html#the-virtual-network-driver"
chain forward {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump guest_cross
counter packets 0 bytes 0 jump guest_input
counter packets 0 bytes 0 jump guest_output
}
chain guest_output {
ip saddr 10.0.2.0/24 iif "virbr0" counter packets 0 bytes 0 accept
iif "virbr0" counter packets 0 bytes 0 reject
iif "virbr1" counter packets 0 bytes 0 reject
}
chain guest_input {
oif "virbr0" ip daddr 10.0.2.0/24 ct state established,related counter packets 0 bytes 0 accept
oif "virbr0" counter packets 0 bytes 0 reject
oif "virbr1" counter packets 0 bytes 0 reject
}
chain guest_cross {
iif "virbr0" oif "virbr0" counter packets 0 bytes 0 accept
iif "virbr1" oif "virbr1" counter packets 0 bytes 0 accept
}
chain guest_nat {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.0.2.0/24 ip daddr 224.0.0.0/24 counter packets 1 bytes 40 return
ip saddr 10.0.2.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
meta l4proto tcp ip saddr 10.0.2.0/24 ip daddr != 10.0.2.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
meta l4proto udp ip saddr 10.0.2.0/24 ip daddr != 10.0.2.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
ip saddr 10.0.2.0/24 ip daddr != 10.0.2.0/24 counter packets 0 bytes 0 masquerade
}
}
table ip6 libvirt_network {
comment "Managed by libvirt for virtual networks: https://libvirt.org/firewall.html#the-virtual-network-driver"
chain forward {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump guest_cross
counter packets 0 bytes 0 jump guest_input
counter packets 0 bytes 0 jump guest_output
}
chain guest_output {
}
chain guest_input {
}
chain guest_cross {
}
chain guest_nat {
type nat hook postrouting priority srcnat; policy accept;
}
}
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
iifname "virbr0" ip saddr 10.0.2.37 tcp dport { 8080-8090, 25333, 32768-60999 } counter packets 0 bytes 0 accept
iifname "virbr0" udp dport { 53, 67 } counter packets 0 bytes 0 accept
iifname "virbr1" udp dport { 53, 67 } counter packets 0 bytes 0 accept
ct state invalid drop comment "early drop of invalid connections"
ct state { established, related } accept comment "allow tracked connections"
iif "lo" accept comment "allow from loopback"
ip protocol icmp accept comment "allow icmp"
meta l4proto ipv6-icmp accept comment "allow icmp v6"
meta pkttype host limit rate 5/second burst 5 packets counter packets 0 bytes 0 reject with icmpx admin-prohibited
counter packets 65 bytes 18283
}
chain forward {
type filter hook forward priority filter; policy drop;
iifname "virbr0" accept comment "allow libvirt VM packet forwarding"
oifname "virbr0" accept comment "allow libvirt VM packet forwarding"
iifname "docker0" accept
oifname "docker0" accept
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
iifname "docker0" oifname "wlan0" masquerade
}
}
Docker daemon configuration:
$ cat /etc/docker/daemon.json
{
"dns": ["1.1.1.1", "8.8.8.8"]
}
Last edited by paperlunch (2026-05-24 07:50:19)