From 863ca3f1855048bec370a444e475760ac33991ae Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Mon, 11 Jul 2022 09:48:18 +0900
Subject: [PATCH] libnetwork: skip firewalld management for rootless

Fix issue 43781

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 9464898b474ec3a4c49314169fa9c36320d3135e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 libnetwork/iptables/iptables.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libnetwork/iptables/iptables.go b/libnetwork/iptables/iptables.go
index 51a3e2bdc2..3fc70c9f6c 100644
--- a/libnetwork/iptables/iptables.go
+++ b/libnetwork/iptables/iptables.go
@@ -14,6 +14,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/docker/docker/rootless"
 	"github.com/sirupsen/logrus"
 )
 
@@ -105,6 +106,12 @@ func probe() {
 }
 
 func initFirewalld() {
+	// When running with RootlessKit, firewalld is running as the root outside our network namespace
+	// https://github.com/moby/moby/issues/43781
+	if rootless.RunningWithRootlessKit() {
+		logrus.Info("skipping firewalld management for rootless mode")
+		return
+	}
 	if err := FirewalldInit(); err != nil {
 		logrus.Debugf("Fail to initialize firewalld: %v, using raw iptables instead", err)
 	}