
daemon/libnetwork: make libnftables opt-in only #52886

Merged
thaJeztah merged 1 commit into moby:master from corhere:libnftables-opt-in on Jun 16, 2026

Conversation

corhere (Contributor) commented Jun 15, 2026

Summary

As libnftables uses select(2) on the netlink socket the process is aborted if the socket's file descriptor is >= 1024. A dockerd process could easily exceed 1024 open file descriptors at a time under normal circumstances, so there is a risk of libnftables killing dockerd at a random time through no fault of dockerd. Default to programming nftables rulesets by exec'ing nft -f until libnftables is updated to be compatible with processes that open a large number of file descriptors by using poll(2) or epoll(2) instead of select(2).

Release notes (optional)

- Mitigate a crash in libnftables when using nftables as the firewall backend by changing the default build option to execute the `nft` command instead. Users building dockerd from source can opt into linking against libnftables by building with the `libnftables` build tag.


As libnftables uses `select(2)` on the netlink socket the process is
aborted if the socket's file descriptor is >= 1024. A dockerd process
could easily exceed 1024 open file descriptors at a time under normal
circumstances, so there is a risk of libnftables killing dockerd at a
random time through no fault of dockerd. Default to programming nftables
rulesets by exec'ing `nft -f` until libnftables is updated to be
compatible with processes that open a large number of file descriptors
by using `poll(2)` or `epoll(2)` instead of `select(2)`.

Signed-off-by: Cory Snider <csnider@mirantis.com>
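The FD_SETSIZE hazard the PR describes, and the poll(2) alternative it asks upstream to adopt, as an added C example (not code from moby or libnftables; the function names are hypothetical and it assumes glibc's FD_SETSIZE of 1024 and a hard RLIMIT_NOFILE above that):

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* FD_SET() on a descriptor >= FD_SETSIZE (1024 on glibc) writes past the
 * fd_set; fortified glibc aborts the process, which is the SIGABRT this
 * PR describes. Check before ever touching an fd_set. */
int fd_fits_select(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* Wait for readability with poll(2), which has no FD_SETSIZE ceiling.
 * Returns 1 when readable, 0 on timeout, -1 on error. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc;
    do rc = poll(&pfd, 1, timeout_ms); while (rc < 0 && errno == EINTR);
    if (rc <= 0) return rc;
    return (pfd.revents & (POLLIN | POLLHUP | POLLERR)) ? 1 : 0;
}

/* Recreate the precondition safely: raise the soft RLIMIT_NOFILE, dup a
 * pipe's read end onto a descriptor numbered >= FD_SETSIZE, write a byte
 * and poll it. Returns that high fd on success, -2 if the hard limit does
 * not allow reaching FD_SETSIZE, -1 on any other error. */
int demo_high_fd_poll(void)
{
    struct rlimit rl;
    int p[2], high, ret = -1;
    if (getrlimit(RLIMIT_NOFILE, &rl) < 0) return -1;
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max <= (rlim_t)FD_SETSIZE) return -2;
    if (rl.rlim_cur != RLIM_INFINITY && rl.rlim_cur <= (rlim_t)FD_SETSIZE) {
        rl.rlim_cur = FD_SETSIZE + 8;
        if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < rl.rlim_cur) rl.rlim_cur = rl.rlim_max;
        if (setrlimit(RLIMIT_NOFILE, &rl) < 0) return -1;
    }
    if (pipe(p) < 0) return -1;
    high = fcntl(p[0], F_DUPFD, FD_SETSIZE); /* lowest free fd >= FD_SETSIZE */
    if (high >= FD_SETSIZE && !fd_fits_select(high) &&
        write(p[1], "x", 1) == 1 && wait_readable_poll(high, 1000) == 1)
        ret = high;
    if (high >= 0) close(high);
    close(p[0]);
    close(p[1]);
    return ret;
}
```

The same guard is what a long-running daemon such as dockerd would need around any select(2)-based library it links; poll(2) and epoll(7) carry no such limit.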
corhere added this to the 29.6.0 milestone Jun 15, 2026
corhere requested review from robmry, thaJeztah and vvoland June 15, 2026 18:27
github-actions bot added the area/networking and area/daemon labels Jun 15, 2026

thaJeztah (Member) left a review comment:

LGTM

thaJeztah (Member) commented:

Do we need a tracking-ticket to re-enable it once fixed upstream? Mostly considering that I think our intent was to do the exact reverse, and not depend on the binary.

thaJeztah merged commit b9e83fa into moby:master Jun 16, 2026
668 of 683 checks passed
corhere (Contributor, Author) commented Jun 16, 2026

> Do we need a tracking-ticket to re-enable it once fixed upstream?

Yes, that's a good idea.


Development

Successfully merging this pull request may close these issues.

dockerd crashes with SIGABRT due to libnftables select() / FD_SETSIZE overflow when fd >= 1024

4 participants