That's a good question actually. Given the complexity and power of iptables and nftables (which is the reason UFW, firewalld and the like exist) I'd guess probably not. Trying to determine if a rule on another chain (or really a combination of rules across a combination of chains) changes the behavior of one of yours would be... challenging. I suspect the best it could do reliably is detect that rules in other chains exist and warn about that, but that's also a pretty common case. Pretty much every VPS in a cloud would have this warning for example.
Personally I think the real problem here is docker. Injecting rules into iptables is a bit like blindly injecting lines of code into someone else's program sight unseen. I'm not aware of any other tools that are nearly so willing to do so.
Volundr|3 years ago
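To make the "detect that rules in other chains exist and warn about that" idea concrete, here is an added example (not the commenter's code, and not part of UFW or Docker) that audits `iptables-save`-style output from a defender's side: it reports every user-defined chain not prefixed `ufw-` that carries rules, and every rule in a built-in chain that hands control to such a chain. The sample ruleset below is constructed for the example and mimics what Docker leaves behind when it publishes a container port; the assumption that UFW's own chains all start with `ufw-` is the author's, taken from UFW's naming convention. On a real host you would replace the sample with `iptables-save` output (which requires root).

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output: UFW chains plus the chains
# Docker injects when a container port is published (values are made up).
SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:ufw-before-input - [0:0]
-A INPUT -j ufw-before-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER-USER -j RETURN
-A ufw-before-input -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
COMMIT'

# Read iptables-save text on stdin and print one finding per line:
#   "<table> <chain> rules=<n>"      a non-UFW user chain that carries rules
#   "<table> <chain> jump=<target>"  a built-in chain rule jumping to a non-UFW chain
# Chains prefixed "ufw-" are assumed to be UFW's own (assumption, see lead-in).
foreign_chains() {
    awk '
        /^\*/ { table = substr($1, 2); next }        # "*filter" -> current table
        /^-A / {
            chain = $2
            target = ""
            for (i = 3; i <= NF; i++) if ($i == "-j") { target = $(i + 1); break }
            if (chain ~ /^ufw-/) next                 # UFW-managed chain: ignore
            if (chain ~ /^(INPUT|FORWARD|OUTPUT|PREROUTING|POSTROUTING)$/) {
                # Built-in chain: only flag hand-offs to chains UFW does not own.
                if (target != "" && target !~ /^ufw-/ &&
                    target !~ /^(ACCEPT|DROP|REJECT|RETURN|LOG|MASQUERADE|SNAT|DNAT|REDIRECT)$/)
                    print table, chain, "jump=" target
                next
            }
            count[table " " chain]++                  # rule in a foreign user chain
        }
        END { for (k in count) print k, "rules=" count[k] }
    ' | LC_ALL=C sort
}

# Wrap the scan in a warning: exit status 1 when anything foreign is found.
audit() {
    found=$(foreign_chains)
    if [ -n "$found" ]; then
        printf 'WARNING: rules exist in chains not managed by UFW:\n%s\n' "$found" >&2
        return 1
    fi
    printf 'OK: only UFW and built-in chains carry rules\n' >&2
    return 0
}

# Demo run on the constructed sample; on a real host pipe `iptables-save` in instead.
if printf '%s\n' "$SAMPLE" | audit; then
    echo "no foreign rules"
else
    echo "foreign rules found"
fi
```

The scan deliberately stops at "something else has rules here": as the comment notes, deciding whether those rules actually change the behaviour of UFW's own rules would require modelling the traversal order across tables and chains, which is exactly the hard part.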