[Firehol-support] Docker 1.7

Rudi ooly.me at gmail.com
Tue Jun 23 08:32:54 BST 2015


Hi Phil,

Note: second reply includes email list.

Yep, that works perfect.

I actually also figured it out earlier today (the router policy), but your
reply plus an explanation on the bridged traffic is really helpful.

I couldn't find anything really helpful via Google search so I turned to
the support list here.

I'll make a blog post "Firehol with Docker" or something to help others out
as well.

Thanks again!

On Tue, Jun 23, 2015 at 2:08 PM, Phil Whineray <phil at sanewall.org> wrote:

> Hi Rudy
>
> On Tue, Jun 23, 2015 at 12:06:33AM +0800, Rudi wrote:
> > Since upgrading from Docker 1.6 to 1.7 the linked containers cannot talk to
> > each other.
> >
> > This is a syslog entry for the blocked traffic (which started at Docker
> > 1.7)
> >
> > Jun 22 15:46:57 vbox kernel: [21511.434348] PASS-unknown:IN=docker0
> > OUT=docker0 PHYSIN=vethee039e3 PHYSOUT=vethcf08163
> > MAC=02:42:ac:11:00:01:02:42:ac:11:00:02:08:00 SRC=172.17.0.2
> > DST=172.17.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=34212 DF
> > PROTO=ICMP TYPE=8 CODE=0 ID=14 SEQ=1
>
> This is bridged traffic - the giveaway is the presence of PHYSIN and
> PHYSOUT, combined with IN being the same as OUT.
>
> > I don't fully understand the log entry above but I think now I need to
> > add a router rule(s) for Docker container networking.
>
> Yes, you are correct.
>
> > Using Docker 1.6 (and below) no router needed, does it look like with
> > Docker 1.7 I need one now?
>
> Not sure why it worked before unless Docker was inserting its own
> iptables statements or was disabling the forwarding of bridged traffic
> to netfilter (there is a kernel variable for that).
>
> Anyway, to follow your existing setup, this rule should work:
>
> router inface "${docker_interface}" outface "${docker_interface}"
>     policy accept
>
> Hope that helps
>
> Phil
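A way to run Phil's bridged-traffic check (PHYSIN and PHYSOUT present, IN equal to OUT) over kernel LOG entries like the one quoted above, as an added example that is not part of this thread or of FireHOL itself. The log lines are constructed: the first is the entry from the thread re-joined onto one line, the other two are made up to show the routed and host-local cases, and the suggested rule headers only reflect the router-versus-interface distinction discussed here.

```python
import re

# Constructed sample log. Line 1 is the entry from the thread (re-joined onto
# one line); lines 2 and 3 are made up to show the non-bridged cases.
SAMPLE_LOG = """\
Jun 22 15:46:57 vbox kernel: [21511.434348] PASS-unknown:IN=docker0 OUT=docker0 PHYSIN=vethee039e3 PHYSOUT=vethcf08163 MAC=02:42:ac:11:00:01:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=172.17.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=34212 DF PROTO=ICMP TYPE=8 CODE=0 ID=14 SEQ=1
Jun 22 15:47:03 vbox kernel: [21517.100000] PASS-unknown:IN=docker0 OUT=eth0 MAC=02:42:ac:11:00:01:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=43210 DPT=443
Jun 22 15:47:10 vbox kernel: [21524.200000] PASS-unknown:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=5555 DPT=22
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_entry(line):
    """Map the KEY=VALUE fields of one netfilter LOG line into a dict.
    Repeated keys (ID= is both the IP id and the ICMP echo id) keep their
    first value; bare flags such as DF have no '=' and are skipped."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)
    return fields

def classify(fields):
    """Which FireHOL construct the packet falls under."""
    if ("PHYSIN" in fields and "PHYSOUT" in fields
            and fields.get("IN") == fields.get("OUT")):
        return "bridged"  # in and out on the same bridge: router with inface == outface
    if fields.get("IN") and fields.get("OUT"):
        return "routed"   # forwarded between two interfaces: ordinary router rule
    return "local"        # to or from the host itself: interface rule

def suggest_rule(fields):
    """Rule header matching the packet; the policy and rule name are left to the admin."""
    if classify(fields) == "local":
        return 'interface "%s"' % (fields.get("IN") or fields.get("OUT"))
    return 'router inface "%s" outface "%s"' % (fields["IN"], fields["OUT"])

def summarize(log_text):
    """One (kind, SRC, DST, suggested rule) tuple per non-empty log line."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            f = parse_entry(line)
            rows.append((classify(f), f.get("SRC"), f.get("DST"), suggest_rule(f)))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("  ".join(row))
```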
