Switch over to xtables-legacy when nf_tables module isn't available

PR docker-library#461 updated Alpine to 3.19 and made a change to load the nf_tables
kernel module if needed. However, as demonstrated by docker-library#463 and docker-library#464 this
might break when the host system doesn't have the nf_tables module
available. In that case, we should still try to load the ip_tables
module and symlink /sbin/iptables to xtables-legacy-multi.

Signed-off-by: Albin Kerouanton <[email protected]>

Dockerfile-dind.template

@@ -9,6 +9,9 @@ RUN set -eux; \
 		e2fsprogs-extra \
 		ip6tables \
 		iptables \
+# dind might be used on systems where the nf_tables kernel module isn't available. In that case,
+# we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463
+		iptables-legacy \
 		openssl \
 		shadow-uidmap \
 		xfsprogs \

dockerd-entrypoint.sh

@@ -143,12 +143,22 @@ if [ "$1" = 'dockerd' ]; then
 	# XXX inject "docker-init" (tini) as pid1 to workaround https://github.com/docker-library/docker/issues/318 (zombie container-shim processes)
 	set -- docker-init -- "$@"
 
+	use_xtables_legacy=false
 	if ! iptables -nL > /dev/null 2>&1; then
 		# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example)
 		# https://github.com/docker-library/docker/issues/350
 		# https://github.com/moby/moby/issues/26824
 		# https://github.com/docker-library/docker/pull/437#issuecomment-1854900620
-		modprobe nf_tables || :
+		if ! modprobe nf_tables; then
+			modprobe ip_tables || :
+			use_xtables_legacy=true
+		fi
+	fi
+	if [ "$use_xtables_legacy" = "true" ]; then
+		ln -fs /sbin/iptables-legacy /sbin/iptables
+		# iptables-restore and iptables-save aren't used by dockerd currently, but let's not ship a half broken image.
+		ln -fs /sbin/iptables-legacy-restore /sbin/iptables-restore
+		ln -fs /sbin/iptables-legacy-save /sbin/iptables-save
 	fi
 
 	uid="$(id -u)"