2.18 Disable Userland Proxy

Information

The Docker daemon starts a userland proxy service for port forwarding whenever a port is exposed. Where hairpin NAT is available, this service is generally not needed and can be disabled.

Docker Engine provides two mechanisms for forwarding ports from the host to containers: hairpin NAT and a userland proxy. In most circumstances, hairpin NAT is preferred, as it improves performance and uses native Linux iptables functionality instead of an additional component.

Where hairpin NAT is available, the userland proxy should be disabled on startup to reduce the attack surface of the installation.

Solution

Run the Docker daemon as below:

dockerd --userland-proxy=false

Impact

Some systems with older Linux kernels may not support hairpin NAT and therefore require the userland proxy service. Also, some networking setups can be impacted by the removal of the userland proxy.

Default Value

By default, the userland proxy is enabled.
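An added audit helper (not part of this benchmark item or of Docker itself) that checks whether the userland proxy has been disabled, either on the dockerd command line or through a "userland-proxy": false key in the daemon configuration file. The dockerd argument strings and JSON fragments below are constructed samples; on a live host you would feed it the output of ps -eo args for the dockerd process and the contents of /etc/docker/daemon.json.

```shell
#!/bin/sh
# Audit helper for CIS Docker 2.18 (added example, not from the benchmark).
# Verdict is PASS only if the userland proxy is explicitly disabled.

# Returns 0 when the dockerd command line carries --userland-proxy=false.
# dockerd takes this as a boolean flag, so only the "=false" form counts.
check_cmdline() {
  case " $1 " in
    *" --userland-proxy=false "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when the daemon.json text sets "userland-proxy": false.
# A loose regex is used on purpose so the check works without a JSON parser.
check_daemon_json() {
  printf '%s' "$1" | grep -Eq '"userland-proxy"[[:space:]]*:[[:space:]]*false'
}

# Combined verdict: either location disabling the proxy satisfies the control.
# $1 = dockerd command line, $2 = daemon.json contents
audit_userland_proxy() {
  if check_cmdline "$1" || check_daemon_json "$2"; then
    echo "PASS: userland proxy disabled"
    return 0
  fi
  echo "FAIL: userland proxy enabled (default)"
  return 1
}

# Constructed sample inputs (not captured from a real host).
CMD_DISABLED='/usr/bin/dockerd -H fd:// --userland-proxy=false'
CMD_DEFAULT='/usr/bin/dockerd -H fd://'
JSON_DISABLED='{ "log-driver": "json-file", "userland-proxy": false }'
JSON_DEFAULT='{ "log-driver": "json-file" }'

# Demonstration runs: one compliant host, one with the default setting.
audit_userland_proxy "$CMD_DISABLED" "$JSON_DEFAULT"
audit_userland_proxy "$CMD_DEFAULT" "$JSON_DEFAULT" || true
```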

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: fa42311f275aa9bf7d74a423a4382ca1f40f7cf51ba2c4d37ed6a2b3837bbe9b