docker network_error ai_generated partial

docker: Error response from daemon: driver failed programming external connectivity on endpoint container_name: (iptables failed: iptables --wait -t nat -A DOCKER ! -i docker0 -p tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80 -m comment --comment "..." failed: iptables: No chain/target/match by that name.)

ID: docker/port-mapping-ipv6-only

Fix rate: 80%
Confidence: 86%
Evidence count: 1
First seen: 2024-11-05

Version compatibility

Version           Status    Introduced    Deprecated    Notes
Docker 20.10.24   active
Docker 24.0.5     active
Docker 25.0.1     active

Root cause analysis

Docker's iptables rule insertion fails because the DOCKER chain in the nat table does not exist. This is often because Docker is configured to use ip6tables instead of iptables on a host where IPv6 is disabled, or because the host's firewall policy is misconfigured.

generic

Official documentation

https://docs.docker.com/network/iptables/

Solution

  1. Make sure the iptables kernel modules are loaded, then restart the Docker daemon: 'sudo modprobe iptable_nat && sudo modprobe iptable_filter', followed by 'sudo systemctl restart docker'.
  2. If IPv6 is disabled on the host, configure Docker to use IPv4 only by adding '{"ip6tables": false}' to /etc/docker/daemon.json, then restart Docker.
  3. Fully reset Docker's network state: 'sudo systemctl stop docker', 'sudo rm -rf /var/lib/docker/network', then 'sudo systemctl start docker'. This forces Docker to recreate all of its network chains.
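The following diagnostic script is an added example, not part of this page or of Docker itself. It decides which of the three steps above applies by checking saved output of 'iptables -t nat -S' (is the DOCKER chain defined?) and of 'lsmod' (are iptable_nat and iptable_filter loaded?). It reads both from files so it can run offline; the sample files it creates are constructed, and on a real host you would capture the two commands' output into files first.

```shell
#!/bin/sh
# Added diagnostic helper (not from the page). Inputs are files holding
# captured `iptables -t nat -S` and `lsmod` output so the checks run offline.

# Returns 0 if the nat table defines the DOCKER chain (a "-N DOCKER" line).
docker_nat_chain_present() {
    grep -q '^-N DOCKER$' "$1"
}

# Returns 0 if both iptable_nat and iptable_filter appear in the lsmod listing.
nat_modules_loaded() {
    grep -q '^iptable_nat ' "$1" && grep -q '^iptable_filter ' "$1"
}

# Prints the solution step to try next:
#   1 = kernel modules missing (modprobe, then restart docker)
#   2 = modules loaded but DOCKER chain absent (try step 2, then step 3)
#   0 = neither check found a problem
recommend_step() {
    rules="$1"; mods="$2"
    if ! nat_modules_loaded "$mods"; then echo 1; return 0; fi
    if ! docker_nat_chain_present "$rules"; then echo 2; return 0; fi
    echo 0
}

# Constructed sample captures (not real host output).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/nat-broken.rules" <<'EOF'
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
EOF
cat > "$SAMPLE_DIR/nat-ok.rules" <<'EOF'
-P PREROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
EOF
cat > "$SAMPLE_DIR/lsmod-ok.txt" <<'EOF'
Module                  Size  Used by
iptable_nat            16384  1
iptable_filter         16384  1
EOF
printf 'Module                  Size  Used by\n' > "$SAMPLE_DIR/lsmod-missing.txt"

# Stand-alone run: modules loaded but chain missing, so step 2 is recommended.
recommend_step "$SAMPLE_DIR/nat-broken.rules" "$SAMPLE_DIR/lsmod-ok.txt"
```

On a real host, 'sudo iptables -t nat -S > nat.rules' and 'lsmod > lsmod.txt' produce the two inputs.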

Ineffective attempts

Common but ineffective approaches:

  1. 70% failure rate

    Flushing all rules removes the DOCKER chain entirely, which is the root cause; Docker will fail to recreate it if the underlying issue (e.g., missing kernel module) persists.

  2. 40% failure rate

    This disables all port mapping and network isolation, breaking container connectivity; it is not a fix but a workaround that cripples networking.

  3. 50% failure rate

    While this may temporarily fix the error, Docker expects the chain to be created automatically; manual creation may conflict with Docker's internal state and cause instability.