简体繁体 English

iptables无法处理容器中的macvlan流量

[英]iptables not working on macvlan traffic in container

原文 2016-02-29 09:24:49 9 1 docker/ iptables

I have a host with one interface eth0 , IP 10.0.10.10/24 . 我有一个主机有一个接口eth0 ，IP 10.0.10.10/24 。 I start up docker, add a container, no network. 我启动了docker，添加了一个容器，没有网络。 I then create a macvlan device on eth0 , give it IP 10.0.10.20/24 , and put it in the container. 然后我在eth0上创建一个macvlan设备，给它IP 10.0.10.20/24 ，并将其放入容器中。

Both the host and the container now have full network access. 主机和容器现在都具有完全的网络访问权限。

I then create an iptables rule on the host to drop all traffic to or from the container's IP 10.0.10.20 . 然后，我在主机上创建一个iptables规则，以丢弃进出容器的IP 10.0.10.20所有流量。 The rules do not work, and traffic gets through. 规则不起作用，流量通过。

Of course, if I do it from within the container (either ip netns exec $PID iptables ... or by giving the container NET_ADMIN capabilities), it works. 当然，如果我从容器内部（ ip netns exec $PID iptables ...或通过提供容器NET_ADMIN功能）这样做，它就可以工作。

Should the iptables rules of the underlying host not filter the traffic? 底层主机的iptables规则是否应该过滤流量？

1 个解决方案

The answer to this is: you cannot do it. 答案是：你不能这样做。 When using the bridge, then the traffic runs into the host and out, so it hits the host's ip stack. 使用网桥时，流量会进入主机并输出，因此它会访问主机的ip堆栈。 When you use macvlan, the only ip stack is the one in the container, so the iptables rules on the host never are called. 当您使用macvlan时，唯一的ip堆栈是容器中的堆栈，因此永远不会调用主机上的iptables规则。

The only way to do it is to change the iptables rules inside the container. 唯一的方法是更改容器内的iptables规则。

If you do not want to give the container access, eg if you want to control the container, then use ip netns exec ... from the host itself, which will control the iptables rules in the container without giving the container itself control. 如果您不想让容器访问，例如，如果您想控制容器，则使用来自主机本身的ip netns exec ... ，它将控制容器中的iptables规则而不给容器本身控制。

I wrote a script that does that. 我写了一个脚本来做到这一点。 It is available at https://github.com/deitch/ctables and licensed MIT. 它可以在https://github.com/deitch/ctables和MIT授权。