I don't proof-watch these things until I upload them, hence the unedited hocking up. You get that.

I always appreciate your videos, thanks for posting!

I really appreciate videos like these where you show your troubleshooting processes. Thanks man!!

I always learn something about networking when I watch these videos, even if it's just "Oh that's a thing I have to look into more deeply."

It sounds like there is bridge firewalling going on. Basically out of the box it should go along the diagram you showed, but you can push bridged frames through netfilter by setting /proc/sys/net/bridge/bridge-nf-call-iptables to 1. Maybe the Docker does that behind the scenes. And maybe it is something other, but 10 years back we did transparent firewalling using this technique by filtering bridged traffic using iptables.

That's why I really like LXC for things that can be done with it.

every system I have that runs Docker becomes a networking nightmare, it's very inconsiderate of ... basically everyone

I'm playing with docker in my home lab too and while it's cool I find it's networking pretty clunky out of the box.

Yeah, docker usually is a mess with firewall rules.

I can say that networking in docker sucks so much... Definitely designers didn't consult with network engineers xD

Honestly the more i use podman the more excited i am for it, i am so sorry that a professional networking guy has to suffer through the nonsense they do to iptables... 🤣

Not gonna pretend I understand the depths of docker or networking on that level, but I didn't get why at the diagram at 4:06 it didn't get on to 'Forward Bridge' in the bridge layer when the request wasn't meant for the local process? Why did it hit the IP rules then? You didn't go into further detail there or I just didn't get it.

Which Linux distro is this?

Did not know that you can just flush the whole ruleset. I guess I was just not paying attention, since basically everything that can be executed from a command line can be put into the config. nftables documentation sucks ass, not gonna lie.

Docker is a cnut, I am a dumb cnut with docker, but following basic instructions I couldn't get docker containers access to the internet.... was a bigger problem with systemd-resolve (like wtf!) and ended up using --net=host to run containers. why does systemd need to fuck with DNS?!?! Argh!!