Usernet Portmap Natunprot

integration/network/bridge/iptablesdoc/templates/usernet-portmap-natunprot.md

Container on a nat-unprotected network, with a published port

Running the daemon with the userland proxy disabled, then, as before, adding a network and running a container with a mapped port, equivalent to:

```
docker network create \
  -o com.docker.network.bridge.name=bridge1 \
  -o com.docker.network.bridge.gateway_mode_ipv4=nat-unprotected \
  --subnet 192.0.2.0/24 --gateway 192.0.2.1 bridge1
docker run --network bridge1 -p 8080:80 --name c1 busybox
```

The filter table is:

{{index . "LFilter4"}}
<details> <summary>iptables commands</summary>
{{index . "SFilter4"}}
</details>

Differences from nat mode:

  • In the DOCKER chain:
    • Where nat mode appended a default-DROP rule for any packets not accepted by the per-port/protocol rules, nat-unprotected appends a default-ACCEPT rule (see setDefaultForwardRule).
      • The explicit ACCEPT rule is needed in case the filter-FORWARD chain's default policy is DROP; without it, packets reaching the end of the DOCKER chain would fall back to that policy.
      • The practical consequence, and the reason for the name "unprotected", is that every port the container listens on, not only the published 80/tcp, is reachable on this bridge from any other interface on the host, including external ones.
    • Because the default for this network is ACCEPT, there is no per-port/protocol rule to ACCEPT packets for the published port 80/tcp; setPerPortIptables doesn't set it up.
      • If the userland proxy is enabled, it is still started.
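As an added example (not part of the Moby documentation or of the daemon's own code), the POSIX shell/awk script below reads `iptables -S DOCKER` output and reports, per bridge, whether the catch-all rule is DROP (nat mode) or ACCEPT (nat-unprotected), and which container ports are therefore reachable from other interfaces. The chain dump embedded in it is constructed to resemble the rule shapes discussed here (`! -i BR -o BR ... -j TARGET`, with `-p`/`--dport` on per-port rules); that shape is an assumption, and on a real host the dump should come from `iptables -S DOCKER` instead.

```shell
#!/bin/sh
# Added example, not from Moby: classify a bridge network's DOCKER-chain
# default rule and list the ports reachable through it.

# Constructed sample of `iptables -S DOCKER` (not captured from a real host):
# bridge0 is in nat mode with 80/tcp published, bridge1 is nat-unprotected.
# The rule shape (-o BR, optional -p/--dport, -j TARGET) is an assumption.
SAMPLE_DOCKER_CHAIN='-N DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i bridge0 -o bridge0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER ! -i bridge0 -o bridge0 -j DROP
-A DOCKER ! -i bridge1 -o bridge1 -j ACCEPT'

# bridge_default_target BRIDGE [CHAIN_DUMP]
# Prints the target of the catch-all rule for BRIDGE, i.e. the last rule
# with "-o BRIDGE" and no protocol/port match, or "none" if there is none.
bridge_default_target() {
  _br=$1
  _dump=${2:-$SAMPLE_DOCKER_CHAIN}
  printf '%s\n' "$_dump" | awk -v br="$_br" '
    $1 == "-A" && $2 == "DOCKER" {
      out = ""; target = ""; hasport = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-o") out = $(i + 1)
        if ($i == "-j") target = $(i + 1)
        if ($i == "-p" || $i == "--dport") hasport = 1
      }
      if (out == br && !hasport) last = target
    }
    END { print (last == "" ? "none" : last) }'
}

# check_bridge BRIDGE [CHAIN_DUMP]
# Prints "nat", "nat-unprotected" or "unknown" from the catch-all target.
check_bridge() {
  case "$(bridge_default_target "$1" "$2")" in
    DROP)   echo nat ;;
    ACCEPT) echo nat-unprotected ;;
    *)      echo unknown ;;
  esac
}

# exposed_ports BRIDGE [CHAIN_DUMP]
# Prints "port/proto" per per-port ACCEPT rule on BRIDGE, or "all" when the
# catch-all is ACCEPT: under nat-unprotected every listening port is reachable.
exposed_ports() {
  _br=$1
  _dump=${2:-$SAMPLE_DOCKER_CHAIN}
  if [ "$(bridge_default_target "$_br" "$_dump")" = ACCEPT ]; then
    echo all
    return 0
  fi
  printf '%s\n' "$_dump" | awk -v br="$_br" '
    $1 == "-A" && $2 == "DOCKER" {
      out = ""; proto = ""; port = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-o") out = $(i + 1)
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if (out == br && port != "" && target == "ACCEPT") print port "/" proto
    }'
}

# Usage: report both sample bridges (replace the dump with `iptables -S DOCKER`).
for br in bridge0 bridge1; do
  printf '%s: mode=%s reachable=%s\n' "$br" "$(check_bridge "$br")" "$(exposed_ports "$br")"
done
```

The script deliberately keys on the catch-all rule rather than on the network option, so it also flags a bridge whose chain ends in ACCEPT for any other reason; a chain that ends in neither ACCEPT nor DROP is reported as "unknown" for a human to inspect.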

The nat table is identical to nat mode.

<details> <summary>nat table</summary>
{{index . "LNat4"}}

{{index . "SNat4"}}
</details>