nftables: adds information regarding nftables and Docker (#24326)

NixOS · Mar 25, 2017 · dc10688 · dc10688
1 parent f087b75
commit dc10688
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix
@@ -17,6 +17,17 @@ in
 
           This conflicts with the standard networking firewall, so make sure to
           disable it before using nftables.
+
+          Note that if you have Docker enabled you will not be able to use
+          nftables without intervention. Docker uses iptables internally to
+          setup NAT for containers. This module disables the ip_tables kernel
+          module, however Docker automatically loads the module. Please see [1]
+          for more information.
+
+          There are other programs that use iptables internally too, such as
+          libvirt.
+
+          [1]: https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273
         '';
     };
     networking.nftables.ruleset = mkOption {