[Firehol-support] Docker 1.7

Phil Whineray phil at sanewall.org
Tue Jun 23 08:08:45 CEST 2015


Hi Rudy

On Tue, Jun 23, 2015 at 12:06:33AM +0800, Rudi wrote:
> Since upgrading from Docker 1.6 to 1.7 the linked containers cannot talk to
> each other.
> 
> This is a syslog entry for the blocked traffic (which started at docker 1.7)
> 
> Jun 22 15:46:57 vbox kernel: [21511.434348] PASS-unknown:IN=docker0
> OUT=docker0 PHYSIN=vethee039e3 PHYSOUT=vethcf08163
> MAC=02:42:ac:11:00:01:02:42:ac:11:00:02:08:00 SRC=172.17.0.2
> DST=172.17.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=34212 DF
> PROTO=ICMP TYPE=8 CODE=0 ID=14 SEQ=1

This is bridged traffic - the giveaway is the presence of PHYSIN and
PHYSOUT, combined with IN being the same as OUT.

> I don't fully understand the log entry above but I think now I need to add
> a router rule(s) for docker container networking.

Yes, you are correct.

> Using Docker 1.6 (and below) no router needed, does it look like with
> Docker 1.7 I need one now?

Not sure why it worked before unless Docker was inserting its own
iptables statements or was disabling the forwarding of bridged traffic
to netfilter (there is a kernel variable for that).

Anyway, to follow your existing setup, this rule should work:

router inface "${docker_interface}" outface "${docker_interface}"
    policy accept

Hope that helps

Phil
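
As an added example (not part of this thread), a small Python check that applies the rule of thumb from the reply above to netfilter LOG lines: it parses the KEY=VALUE fields, flags an entry as bridged when PHYSIN and PHYSOUT are present and IN equals OUT, and emits the FireHOL router statement from the reply for that path. The sample lines are constructed: the first is the entry quoted above with its line wrap undone, the second a made-up routed packet from docker0 to eth0.

```python
import re
from typing import Dict, List, Optional

# Constructed samples: the first is the thread's entry with its line wrap undone,
# the second a made-up routed packet from docker0 to an uplink (no PHYS*, IN != OUT).
SAMPLE_LINES: List[str] = [
    "Jun 22 15:46:57 vbox kernel: [21511.434348] PASS-unknown:IN=docker0 "
    "OUT=docker0 PHYSIN=vethee039e3 PHYSOUT=vethcf08163 "
    "MAC=02:42:ac:11:00:01:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 "
    "DST=172.17.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=34212 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=14 SEQ=1",
    "Jun 22 15:47:01 vbox kernel: [21515.100000] PASS-unknown:IN=docker0 "
    "OUT=eth0 MAC=02:42:ac:11:00:01:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 "
    "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP "
    "SPT=40000 DPT=443",
]

_KV = re.compile(r"(\w+)=(\S*)")

def parse_netfilter_log(line: str) -> Dict[str, str]:
    """Split a netfilter LOG line into KEY=VALUE fields (bare flags like DF are skipped)."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        fields.setdefault(key, value)  # ID= appears twice (IP, then ICMP); keep the first
    return fields

def is_bridged(fields: Dict[str, str]) -> bool:
    """Bridged traffic shows PHYSIN/PHYSOUT and the same bridge as both IN and OUT."""
    return ("PHYSIN" in fields and "PHYSOUT" in fields
            and fields.get("IN") == fields.get("OUT"))

def suggested_router(fields: Dict[str, str]) -> Optional[str]:
    """FireHOL router statement from the reply for bridged traffic; None otherwise.

    Traffic routed between two different interfaces needs its own router with
    explicit client/server rules rather than a blanket accept.
    """
    if not is_bridged(fields):
        return None
    return (f'router inface "{fields["IN"]}" outface "{fields["OUT"]}"\n'
            "    policy accept")

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_netfilter_log(line)
        kind = "bridged" if is_bridged(f) else "routed"
        print(f"{f['SRC']} -> {f['DST']} ({f['IN']} -> {f['OUT']}): {kind}")
```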

