8.1 WARNING: bridge-nf-call-iptables is disabled

Warning messages may be displayed by Docker Engine when a user performs some actions, such as running docker info if the system kernel on a host system is configured to disable the net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-ip6tables options. For example, the user may see an error similar to:

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

This is expected behavior. These settings control whether packets traversing a network bridge are processed by iptables rules on the host system. Typically, enabling these options is not desirable as this can cause guest container traffic to be blocked by iptables rules that are intended for the host. This could cause unpredictable behavior for containers that do not expect traffic to be firewalled at the host level.

If you accept and understand the implications of enabling these options or you have no iptables rules set on the host, you can enable these options to remove the warning messages. To temporarily enable these options:

# sysctl net.bridge.bridge-nf-call-iptables=1
# sysctl net.bridge.bridge-nf-call-ip6tables=1

To make these options permanent, edit /etc/sysctl.conf and add the lines:

net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1