It sounds like there is bridge firewalling going on. Basically, out of the box it should go along the diagram you showed, but you can push bridged frames through netfilter by setting /proc/sys/net/bridge/bridge-nf-call-iptables to 1. Maybe Docker does that behind the scenes. And maybe it is something else, but 10 years back we did transparent firewalling using this technique, filtering bridged traffic using iptables.
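A small check for the mechanism the comment above describes (and the question further down about why forwarded frames hit the IP rules at all). This is an added example, not code from the video or from Docker: it classifies the state of the br_netfilter knobs on a running box and prints the sysctl.d fragment that turns them off. The function names and the fragment file name are my own choices; the sysctl keys themselves are the real ones. Note the caveat the kernel imposes: the /proc/sys/net/bridge/ files only exist once the br_netfilter module is loaded, so "absent" means the bridge is not consulting netfilter at all, and the knob applies to every hook registered in the IPv4 family, nftables ip-family tables included, not just legacy iptables.

```shell
#!/bin/sh
# Added example (not from the video or Docker): inspect and disable the
# br_netfilter knobs that push bridged frames through the IPv4 netfilter hooks.

# Classify one bridge-nf-call-* knob given the path to its procfs file.
# Prints "enabled", "disabled", "absent" (file missing: br_netfilter not
# loaded, so bridged frames bypass iptables/nftables) or "unknown".
bridge_nf_state() {
  f="$1"
  if [ ! -r "$f" ]; then
    echo absent
    return 0
  fi
  case "$(tr -d '[:space:]' < "$f")" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# Emit a sysctl.d fragment that stops the bridge from consulting
# iptables/nftables (IPv4, IPv6 and ARP hooks) for frames it forwards.
# File name below is an assumption; any name under /etc/sysctl.d works.
bridge_nf_sysctl_fragment() {
  printf '%s\n' \
    'net.bridge.bridge-nf-call-iptables = 0' \
    'net.bridge.bridge-nf-call-ip6tables = 0' \
    'net.bridge.bridge-nf-call-arptables = 0'
}

# Report the state of all three knobs on the running kernel.
bridge_nf_report() {
  for k in iptables ip6tables arptables; do
    printf '%-10s %s\n' "$k" \
      "$(bridge_nf_state "/proc/sys/net/bridge/bridge-nf-call-$k")"
  done
}

main() {
  echo "br_netfilter hooks for bridged frames:"
  bridge_nf_report
  echo
  echo "'enabled' means forwarded bridge frames traverse the IPv4 FORWARD hook,"
  echo "so iptables/nftables FORWARD rules (Docker's included) apply to them."
  echo "To disable persistently, write this to /etc/sysctl.d/99-no-bridge-nf.conf"
  echo "and run 'sysctl --system':"
  bridge_nf_sysctl_fragment
}

main "$@"
```

Run it as root on the Docker host before and after starting dockerd; if the knobs flip from "absent" or "disabled" to "enabled" when the daemon comes up, that is the "behind the scenes" change the comment suspects. Flipping them back while Docker is running will also drop the rules Docker relies on for inter-container isolation, so treat the fragment as a diagnostic, not a fix.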
That's the setting I wanted to mention because I looked at it at the time, but couldn't remember it when making the video. I think I toggled it with no effect though.
Not gonna pretend I understand the depths of Docker or networking on that level, but I didn't get why, in the diagram at 4:06, it didn't go on to 'Forward Bridge' in the bridge layer when the request wasn't meant for the local process. Why did it hit the IP rules then? You didn't go into further detail there, or I just didn't get it.
Did not know that you can just flush the whole ruleset. I guess I was just not paying attention, since basically everything that can be executed from a command line can be put into the config. nftables documentation sucks ass, not gonna lie.
@TallPaulTech I was using Docker for some services in the past before switching to Proxmox, and one annoying thing that Docker did is that if the interface went down for whatever reason, when it came back up it just got ignored and I had to manually restart it.
Honestly, the more I use podman the more excited I am for it. I am so sorry that a professional networking guy has to suffer through the nonsense they do to iptables... 🤣
Docker is a cnut, I am a dumb cnut with Docker, but following basic instructions I couldn't get Docker containers access to the internet.... It was a bigger problem with systemd-resolve (like wtf!) and I ended up using --net=host to run containers. Why does systemd need to fuck with DNS?!?! Argh!!