iptables not working on docker arm64 alpine #171

Status: Open · madhavajay opened this issue May 9, 2022 · 2 comments

Comments

@madhavajay

Is this a bug report, feature (enhancement) request or question? (leave only one on its own line)

Bug

Description:
Firstly, this is awesome work so thank you so so so much.
I have been able to use this to run our x86 docker stack in platform linux/arm64 mode with emulation and for the most part everything works and all my tests pass.

We have an integration test which checks if certain ports are open that get blocked by a bunch of iptable rules, but it seems like running iptables just causes an error.

```
/tailscale # iptables -L
iptables v1.8.7 (legacy): can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
```

I am currently using several Alpine images and it fails on all of them:

```
FROM tailscale/tailscale:v1.20.4
FROM headscale/headscale:0.14.0-alpine
FROM traefik:v2.5
```

Steps to reproduce the issue:

  1. On x86 Run these two commands:

```
$ docker run --privileged --rm tonistiigi/binfmt --install arm64
$ docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
$ docker run --platform linux/arm64 -it traefik:v2.5 ash
```

  2. Inside the container install iptables:

```
/ # apk add iptables
```

  3. Try running it:

```
/ # iptables -L
```

Describe the results you received:

```
iptables v1.8.7 (legacy): can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
```

Describe the results you expected:

iptables to work

Environment:

  • QEMU version: (if you can know it):
  • Container application: Docker/Podman/Singularity (Leave only one)

Output of docker version, podman version or singularity version

This happens on my MacOS Intel Macbook Pro as well as on our Linux Ubuntu x86 machines.

```
docker version
Client:
 Cloud integration: v1.0.23
 Version:           20.10.14
 API version:       1.41
 Go version:        go1.16.15
 Git commit:        a224086
 Built:             Thu Mar 24 01:49:20 2022
 OS/Arch:           darwin/amd64
 Context:           default
 Experimental:      true

Server: Docker Desktop 4.7.1 (77678)
 Engine:
  Version:          20.10.14
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.15
  Git commit:       87a90dc
  Built:            Thu Mar 24 01:46:14 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.11
  GitCommit:        3df54a852345ae127d1fa3092b95168e4a88e2f8
 runc:
  Version:          1.0.3
  GitCommit:        v1.0.3-0-gf46b6ba
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```

**Additional information optionally:**
Are these related:
https://serverfault.com/questions/1059106/cant-initialize-iptables-table-nat-under-qemu
https://unix.stackexchange.com/questions/214039/qemu-aarch64-and-networking-connections
@Paraphraser

I'm having a similar problem. Completely by accident (no science, no theory) I stumbled across a solution which was to replace iptables commands with iptables-nft commands. Instant fix!

What I'm trying to figure out now is whether iptables-nft will always work, or if there are some situations where it's necessary to stick with iptables.

The worst thing about this problem is its silent nature. It'd be great if iptables would throw an error if it wasn't going to implement a rule.

See zyclonite/zerotier-docker/issues/10.
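An added example, not code from the issue or either commenter: a small POSIX sh wrapper that covers both the reproduction above and the iptables-nft workaround. It probes each backend with a real table listing, matches the exact "can't initialize iptables table" error from the report, falls back to iptables-nft, and after every `-A` re-checks the rule with `-C` so a backend that returns 0 without installing anything fails loudly instead of silently. `IPT_LEGACY`, `IPT_NFT` and `IPT_DEMO` are assumed names introduced here.

```sh
#!/bin/sh
# Added example (not from the issue). Backend binaries are overridable so the
# logic can be exercised without a kernel netfilter interface.
IPT_LEGACY="${IPT_LEGACY:-iptables-legacy}"
IPT_NFT="${IPT_NFT:-iptables-nft}"

# backend_works CMD: succeed only if CMD can really read the filter table.
# The legacy backend under qemu-user fails with the error quoted in the issue.
backend_works() {
    if out=$("$1" -t filter -L -n 2>&1); then return 0; fi
    case "$out" in
        *"can't initialize iptables table"*)
            echo "$1: kernel table interface unavailable (emulated kernel?)" >&2 ;;
        *)  echo "$1: $out" >&2 ;;
    esac
    return 1
}

# select_backend: print the first backend that works (legacy first, then nft);
# exit 1 if neither does, so callers never assume rules were applied.
select_backend() {
    for cmd in "$IPT_LEGACY" "$IPT_NFT"; do
        if backend_works "$cmd"; then printf '%s\n' "$cmd"; return 0; fi
    done
    echo "no working iptables backend found" >&2
    return 1
}

# apply_rule BACKEND RULE...: append the rule, then verify it is present with -C.
# A backend that accepts -A but stores nothing is reported as a failure.
apply_rule() {
    cmd=$1; shift
    "$cmd" -A "$@" || return 1
    "$cmd" -C "$@" || { echo "rule not present after -A: $*" >&2; return 1; }
}

# Demo guarded by IPT_DEMO=1 so sourcing the file has no side effects.
if [ "${IPT_DEMO:-0}" = 1 ]; then
    be=$(select_backend) || exit 1
    apply_rule "$be" INPUT -p tcp --dport 8080 -j DROP && echo "rule applied via $be"
fi
```

Run inside the emulated container as `IPT_DEMO=1 sh wrapper.sh` after `apk add iptables`; the `-C` re-check is the part that turns the silent failure described above into a non-zero exit.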

@madhavajay (Author)

@Paraphraser that's awesome, I will give that a shot!
