Docker Daemon Networking Architecture
The Docker daemon does not build its networking in a user-space proxy -- apart from docker-proxy, which only covers the host-loopback hairpin case that DNAT cannot, it wires everything directly into the Linux kernel. This guide traces exactly how: network namespaces for isolation, veth pairs connecting containers to bridges, the iptables chains Docker inserts at startup, VXLAN encapsulation across Swarm hosts with precise MTU accounting, the embedded DNS resolver and the systemd-resolved namespace collision that silently kills external DNS in containers, and the Docker Engine 29 nftables backend that replaces DOCKER-USER with priority-based chain hooks. Includes a driver comparison across bridge, overlay, macvlan, ipvlan, host, and none, plus an interactive packet journey diagram and a branching troubleshooting decision tree.
Docker Daemon Networking Architecture
How dockerd builds the network stack for every container it starts -- libnetwork, the Container Network Model, Linux bridges, veth pairs, iptables DNAT and MASQUERADE, VXLAN tunnels with exact byte-level overhead accounting, the embedded DNS server at 127.0.0.11, macvlan and ipvlan compared, and the complete daemon.json networking reference. Includes the Docker Engine 29 nftables backend and an interactive troubleshooting decision tree covering every failure mode from missing MASQUERADE rules to MTU fragmentation on overlay networks.
Networking -- Troubleshooting Container Firewall Conflicts
Docker and Podman rewrite packet destinations at the prerouting stage -- before any firewall filter rule evaluates -- which is why your firewalld zones and UFW rules have no effect on published container ports. Covers the Netavark firewalld-driver bypass of StrictForwardPorts, DOCKER-ISOLATION chain mechanics, the bridge-nf-call-iptables=0 silent failure, Docker Engine 29 nftables backend migration, rootless Podman DNAT behavior, and kube-proxy nftables GA in Kubernetes 1.33.
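The ordering described above is easiest to see on the rule text itself: a published port appears as a DNAT rule in the nat table's DOCKER chain (reached from PREROUTING), so the packet arrives at the filter table already re-addressed to the container and traverses FORWARD, never INPUT. The following shell functions, an added example that is not part of the article, parse `iptables -S`-style output to list published ports and to report which chain would actually drop traffic to one. Both rule sets are constructed samples, not captured from a host; `eth0`, `docker0`, the ports and container addresses are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original article. The rule text below is
# constructed in `iptables -S` format; nothing here touches the live firewall.

# Constructed nat-table DOCKER chain: one DNAT rule per published port.
NAT_DOCKER_SAMPLE='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432'

# Constructed filter-table sample: a UFW-style DROP in INPUT that the
# administrator expects to block 8080, plus a DOCKER-USER rule that blocks
# 5432 on the path the forwarded packet really takes.
FILTER_SAMPLE='-P INPUT DROP
-P FORWARD DROP
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 5432 -j DROP
-A DOCKER-USER -j RETURN'

# Print "host_port container_ip:port" for every DNAT rule in the DOCKER chain.
published_ports() {
    printf '%s\n' "$1" | awk '
        /^-A DOCKER / && /-j DNAT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            print port, dest
        }'
}

# Report which chain drops traffic to host port $2 after DNAT has run:
#   docker_user   - a DROP in DOCKER-USER (reached from FORWARD) applies
#   input_ignored - the only DROP is in INPUT, which forwarded traffic skips
#   none          - no matching DROP rule at all
chain_blocking() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-A / {
            chain = $2
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i + 1) == port && $NF == "DROP") {
                    if (chain == "DOCKER-USER") found = 1
                    if (chain == "INPUT") input = 1
                }
        }
        END {
            if (found) print "docker_user"
            else if (input) print "input_ignored"
            else print "none"
        }'
}

# Walk every published port and say what, if anything, blocks it.
published_ports "$NAT_DOCKER_SAMPLE" | while read -r port dest; do
    printf 'host port %s -> %s: blocked by %s\n' "$port" "$dest" \
        "$(chain_blocking "$FILTER_SAMPLE" "$port")"
done
```

On a real host the same functions take `iptables -t nat -S DOCKER` and `iptables -S` output in place of the constructed strings; an `input_ignored` result is the firewalld/UFW symptom the article describes.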
Networking -- Linux GTK WiFi: nm-applet, libnma, and the Tray Icon Problem Nobody Talks About
The full architecture of Linux WiFi under GTK -- from cfg80211 and nl80211 at the kernel layer up through wpa_supplicant vs iwd, NetworkManager 1.54, and nm-applet 1.36. Covers why your tray icon vanishes on Wayland, the XEmbed vs StatusNotifierItem split, the auto-SNI behavior change in nm-applet 1.32, the Debian package split, CVE-2025-9615, enterprise 802.1X with iwd provisioning files, and every nmcli command that replaces the GUI entirely.
Networking -- Docker and nftables: The End of the iptables Era
Docker Engine 29.0.0 shipped on November 10, 2025 with an opt-in nftables backend -- but migrating from iptables involves kernel semantics that no other guide fully addresses: why an nftables accept verdict is non-final, what that means for your custom rules, and exactly what breaks silently if you skip the IP forwarding step.
Networking -- Docker Failed to Query External DNS Server: What It Means and How to Fix It
The [resolver] failed to query external DNS server message explained from the inside out -- the systemd-resolved namespace collision, cloud VM resolver traps, iptables DNAT mechanics, CVE-2024-29018, and every verified fix from daemon.json to nftables backend conflicts.
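The namespace collision named above comes down to one fact: a loopback address in the host's resolv.conf (127.0.0.53 for the systemd-resolved stub, 127.0.0.1 for a local dnsmasq or unbound) names a socket in the host's network namespace, and inside a container's namespace the same address is the container's own, empty loopback. The check below, an added example that is not from the article, classifies a resolv.conf by whether it lists any server a container could actually reach. The two resolv.conf bodies are constructed samples; dockerd's own handling of the 127.0.0.53 case (substituting systemd-resolved's upstream file) is deliberately not modelled, so a `loopback_only` result is the raw condition, not a statement of what the daemon will do with it.

```shell
#!/bin/sh
# Added example, not code from the original article. The resolv.conf
# contents are constructed; run it against the real file with
#   classify_resolv "$(cat /etc/resolv.conf)"

# Constructed: what /etc/resolv.conf looks like when it is the
# systemd-resolved stub file.
RESOLVED_STUB='# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
nameserver 127.0.0.53
options edns0 trust-ad
search corp.example'

# Constructed: the upstream list that the stub forwards to, which is what a
# container needs to see.
RESOLVED_UPSTREAM='nameserver 10.0.0.2
nameserver 2001:db8::53
search corp.example'

# Print every nameserver address; comment lines never match.
nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# 0 if $1 is a loopback address (127.0.0.0/8 or ::1), else 1.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# ok            - at least one non-loopback server, reachable from a container
# loopback_only - every server lives in the host namespace only
# empty         - no nameserver line at all
classify_resolv() {
    count=0
    usable=0
    for ns in $(nameservers "$1"); do
        count=$((count + 1))
        is_loopback "$ns" || usable=$((usable + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo empty
    elif [ "$usable" -eq 0 ]; then
        echo loopback_only
    else
        echo ok
    fi
}

printf 'stub file:     %s\n' "$(classify_resolv "$RESOLVED_STUB")"
printf 'upstream file: %s\n' "$(classify_resolv "$RESOLVED_UPSTREAM")"
```

When the stub file classifies as `loopback_only`, the upstream list to compare against is /run/systemd/resolve/resolv.conf; if that file also only lists loopback servers, the fix has to be an explicit `dns` entry in daemon.json or a resolver on a routable address.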
tc and Traffic Shaping: A Practical Guide
tc is one of the most powerful tools in the Linux networking stack -- and one of the least understood. This guide cuts through the qdisc confusion, explains HTB properly, and gets you shaping traffic in ways that actually work in production.
Devops/Networking -- Docker Networking Without the Guesswork
Demystifying bridge, host, and overlay networks with real troubleshooting scenarios. Covers how containers actually resolve DNS, what happens inside the Linux kernel when a packet leaves a container, and a systematic playbook for debugging connectivity failures between services.
Networking -- Understanding Linux Routing Tables
Every packet that leaves your machine passes through the kernel's routing subsystem. Here is exactly how that works -- from the FIB trie data structure to policy routing rules, static routes, and the RPDB -- with the commands to read, manipulate, and debug it all.
Networking -- ip vs ifconfig: Why You Should Switch and How to Do It
net-tools saw its last significant development in 2001 and went dormant for nearly two decades. iproute2 talks to the kernel over rtnetlink rather than the ioctl interface net-tools relies on, supports features net-tools cannot reach, and is what the rest of the Linux networking ecosystem runs on. Here is the full picture.
Networking -- Deep Dive into nftables: The iptables Successor
Why nftables replaced iptables, how to write rulesets, and a migration guide for anyone still running legacy firewall configurations.
Networking -- How nftables Changes the Model
The nf_tables kernel subsystem that drives nftables has accumulated a documented pattern of local privilege escalation CVEs -- CVE-2024-1086 was actively exploited by RansomHub and Akira in ransomware campaigns, CVE-2024-26809 requires no unprivileged namespace at all, and CVE-2026-23231 landed in March 2026. Understanding why these vulnerabilities keep appearing requires understanding the architecture: complex memory management logic running in kernel space, RCU lifecycle coordination between control plane and data plane, and Netlink access reachable from user namespaces. Covers the kernel VM, inet family, sets and maps, flowtable fastpath, atomic transactions, nftrace debugging, and the full security hardening surface.
Networking -- iptables-nft Compatibility Problems: Why Your Firewall Rules Disappear on Modern Linux
The incompatible table error, split-brain firewalls, Docker backend mismatches, chain priority collisions, libvirt breakage, and the kube-proxy nftables transition -- diagnosed and fixed. Includes a systematic debugging workflow, nft monitor trace usage, and a complete migration path to native nftables for fail2ban, Docker Engine 29, and Kubernetes 1.33.
Networking -- Configuring nftables with Docker
Docker Engine 29 can create nftables rules directly instead of routing everything through the iptables-nft shim. This guide covers enabling the firewall-backend option in daemon.json, understanding how Docker's docker-bridges tables own their chains, writing custom forward rules that coexist with Docker without using flush ruleset, the bridge-accept-fwmark escape hatch for overriding Docker's drop verdicts, and clearing the residual iptables FORWARD DROP policy that silently breaks container connectivity after a backend switch.
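The residual-policy failure above is worth checking mechanically, because it looks like a missing nftables rule when it is nothing of the kind: once the daemon stops managing iptables, the FORWARD chain keeps the DROP policy the old backend set, loses the ACCEPT rules that used to sit under it, and a forwarded container packet still traverses that iptables-nft base chain, where the policy verdict is final. The script below, an added example that is not from the article, writes the daemon.json fragment that enables the backend and classifies an `iptables -S FORWARD` listing so the leftover policy is recognised before it is blamed on nftables. The listings are constructed samples; the `DOCKER-USER` and `DOCKER-FORWARD` jump names stand in for whatever the iptables backend on a given Engine version installs.

```shell
#!/bin/sh
# Added example, not code from the original article. The three FORWARD
# listings are constructed; on a real host use: forward_state "$(iptables -S FORWARD)"

# Write the daemon.json fragment that selects the nftables backend. Takes a
# path so it can be tested without touching /etc/docker/daemon.json.
write_daemon_json() {
    cat > "$1" <<'EOF'
{
  "firewall-backend": "nftables"
}
EOF
}

# Constructed: what `iptables -S FORWARD` shows after the switch, when only
# the policy survives.
FORWARD_RESIDUAL='-P FORWARD DROP'

# Constructed: the same chain while the iptables backend is still in charge.
FORWARD_IPTABLES_BACKEND='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD'

# Constructed: a host whose legacy policy was already reset.
FORWARD_CLEAN='-P FORWARD ACCEPT'

#   residual_drop  - DROP policy with no Docker jump rules: the backend-switch leftover
#   docker_managed - DROP policy but Docker chains are still wired in
#   open           - policy is not DROP
forward_state() {
    printf '%s\n' "$1" | awk '
        $1 == "-P" && $2 == "FORWARD" { policy = $3 }
        $1 == "-A" && $2 == "FORWARD" && $NF ~ /^DOCKER/ { docker = 1 }
        END {
            if (policy == "DROP" && !docker) print "residual_drop"
            else if (policy == "DROP") print "docker_managed"
            else print "open"
        }'
}

# Print, rather than run, the command that clears a confirmed leftover; it
# needs root and changes the host firewall, so a human applies it.
remediation() {
    if [ "$(forward_state "$1")" = "residual_drop" ]; then
        echo 'iptables -P FORWARD ACCEPT'
    else
        echo 'no change needed'
    fi
}

example_json=$(mktemp)
write_daemon_json "$example_json"
printf 'daemon.json fragment written to %s\n' "$example_json"
for sample in "$FORWARD_RESIDUAL" "$FORWARD_IPTABLES_BACKEND" "$FORWARD_CLEAN"; do
    printf '%-15s %s\n' "$(forward_state "$sample")" "$(remediation "$sample")"
done
rm -f "$example_json"
```

If the host runs IPv6 through Docker as well, the same classification applies to `ip6tables -S FORWARD`; the script only models the IPv4 table.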