moby/integration/network/bridge/iptablesdoc/templates/usernet-portmap-noicc.md
Rob Murray 76417bf763 Don't use ipset
Commit 0546d90 introduced the use of ipset to reduce the number
of rules that need to be processed per-packet, and make the code
a bit simpler.

But, docker's used on embedded kernels compiled without support
for ipset, so the change is too disruptive.

Replace the two ipset rules with a new chain that writes out the
rule's actions long-hand. So ..

This rule:
  -A FORWARD -m set --match-set docker-ext-bridges-v4 dst \
    -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Is transformed into a per-bridge rule in new chain DOCKER-CT:
  -A DOCKER-FORWARD -j DOCKER-CT
  -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

And:
  -A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
Is transformed into a per-bridge rule in new chain DOCKER-BRIDGE:
  -A DOCKER-FORWARD -j DOCKER-BRIDGE
  -A DOCKER-BRIDGE -o docker0 -j DOCKER
  -A DOCKER-BRIDGE -o bridge1 -j DOCKER

Signed-off-by: Rob Murray <rob.murray@docker.com>
2025-02-25 15:24:25 +00:00
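To make the transformation in the commit message concrete, the following shell script is an added example, not code from the moby commit or repository. It renders the two rule shapes the commit compares (the ipset form being removed and the per-bridge long-hand form replacing it), and it checks whether the running kernel exposes the ipset `set` match at all, which is the reason the commit drops it. Set, chain and bridge names are the ones quoted in the commit; the `has_xt_match`/`longhand_rules`/`choose_rules` functions are this example's own. Nothing here calls iptables, the functions only emit rule text.

```shell
#!/bin/sh
# Added example, not code from the moby commit or repository. Emits the rule
# text the commit message compares and checks for kernel ipset support.
# Nothing here calls iptables; output can be reviewed or diffed against
# `iptables-save` output.

# has_xt_match NAME: succeed if the kernel lists the x_tables match NAME in
# /proc/net/ip_tables_matches (a rule using "-m set" needs the "set" match).
has_xt_match() {
    [ -r /proc/net/ip_tables_matches ] || return 1
    grep -qx -- "$1" /proc/net/ip_tables_matches
}

# ipset_rules: the two FORWARD rules the commit replaces. Set and chain names
# are the ones quoted in the commit message.
ipset_rules() {
    cat <<'EOF'
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
EOF
}

# longhand_rules BRIDGE...: the replacement. DOCKER-FORWARD jumps to DOCKER-CT
# before DOCKER-BRIDGE, so reply traffic for established flows is accepted
# without reaching the DOCKER chain. Each new chain then carries one rule per
# bridge, so the per-packet rule count grows with the number of bridges rather
# than staying at two as it did with the set match.
longhand_rules() {
    echo "-A DOCKER-FORWARD -j DOCKER-CT"
    echo "-A DOCKER-FORWARD -j DOCKER-BRIDGE"
    for br in "$@"; do
        echo "-A DOCKER-CT -o $br -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    done
    for br in "$@"; do
        echo "-A DOCKER-BRIDGE -o $br -j DOCKER"
    done
}

# choose_rules BRIDGE...: emit whichever form this kernel can actually load.
choose_rules() {
    if has_xt_match set; then
        ipset_rules
    else
        longhand_rules "$@"
    fi
}

# Stand-alone usage: print both forms for the two bridges named in the commit.
if [ "${1:-}" = "--demo" ]; then
    echo "# ipset form:"; ipset_rules
    echo "# long-hand form:"; longhand_rules docker0 bridge1
fi
```

Run with `--demo` to see both forms side by side; `choose_rules` is the piece a deployment script would use, since `/proc/net/ip_tables_matches` is what tells you whether `-m set` can be loaded on a given kernel before any rule is attempted.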


## Container on a user-defined network with inter-container communication disabled, with a published port

Equivalent to:

```sh
docker network create \
  -o com.docker.network.bridge.name=bridge1 \
  -o com.docker.network.bridge.enable_icc=false \
  --subnet 192.0.2.0/24 --gateway 192.0.2.1 bridge1
docker run --network bridge1 -p 8080:80 --name c1 busybox
```

The filter table is:

{{index . "LFilter4"}}

<details>
<summary>iptables commands</summary>

{{index . "SFilter4"}}

</details>

By comparison with ICC=true:

- DOCKER-FORWARD rules 6 and 7 replace the accept rule for outgoing packets.
  - Rule 6, added by `setIcc`, drops any packet sent from the internal network to itself.
  - Rule 7, added by `setupIPTablesInternal`, accepts any other outgoing packet.
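Because rule 6 only works if it is evaluated before rule 7, the ordering is worth checking on a live host. The script below is an added example, not code from the moby repository: it inspects an iptables-save style listing for the two DOCKER-FORWARD rules this section describes for an ICC=false bridge, a rule dropping traffic from the bridge to itself followed by a rule accepting other outgoing traffic from it. The two listings embedded in it are constructed for this example from that description and from the chain names in the commit message; they are not rendered template output, and their rule positions do not match the "rule 6 and 7" numbering above. The function `icc_disabled_for` is this example's own.

```shell
#!/bin/sh
# Added example, not code from the moby repository. Checks that an ICC=false
# bridge's DROP rule in DOCKER-FORWARD comes before its broader ACCEPT rule.
# Both listings below are constructed for this example.

# Constructed sample with the correct ordering: DROP before the broader ACCEPT.
SAMPLE_RULES='*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-BRIDGE - [0:0]
:DOCKER-CT - [0:0]
:DOCKER-FORWARD - [0:0]
-A FORWARD -j DOCKER-FORWARD
-A DOCKER-FORWARD -j DOCKER-CT
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i bridge1 -o bridge1 -j DROP
-A DOCKER-FORWARD -i bridge1 -j ACCEPT
-A DOCKER-BRIDGE -o bridge1 -j DOCKER
-A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample of a misordering: the ACCEPT shadows the DROP, so
# containers on bridge1 could reach each other despite enable_icc=false.
BROKEN_RULES='*filter
:DOCKER-FORWARD - [0:0]
-A DOCKER-FORWARD -i bridge1 -j ACCEPT
-A DOCKER-FORWARD -i bridge1 -o bridge1 -j DROP
COMMIT'

# icc_disabled_for BRIDGE [FILE]: succeed when the listing in FILE (or stdin)
# contains the bridge-to-itself DROP in DOCKER-FORWARD and that rule precedes
# the ACCEPT for other traffic from the bridge. iptables evaluates a chain top
# to bottom, so an ACCEPT placed first makes the DROP unreachable.
icc_disabled_for() {
    br=$1
    if [ $# -ge 2 ]; then rules=$(cat "$2"); else rules=$(cat); fi
    # -F -x: whole-line fixed-string match, so bridge names containing regex
    # metacharacters are compared literally. -n yields the line position.
    drop_line=$(printf '%s\n' "$rules" \
        | grep -nFx -- "-A DOCKER-FORWARD -i $br -o $br -j DROP" | head -n 1 | cut -d: -f1)
    accept_line=$(printf '%s\n' "$rules" \
        | grep -nFx -- "-A DOCKER-FORWARD -i $br -j ACCEPT" | head -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$accept_line" ] && [ "$drop_line" -lt "$accept_line" ]
}

# Stand-alone usage: report on both constructed listings.
if [ "${1:-}" = "--demo" ]; then
    if printf '%s\n' "$SAMPLE_RULES" | icc_disabled_for bridge1; then
        echo "SAMPLE_RULES: ICC is disabled for bridge1"
    else
        echo "SAMPLE_RULES: ICC is NOT enforced for bridge1"
    fi
    if printf '%s\n' "$BROKEN_RULES" | icc_disabled_for bridge1; then
        echo "BROKEN_RULES: ICC is disabled for bridge1"
    else
        echo "BROKEN_RULES: ICC is NOT enforced for bridge1"
    fi
fi
```

On a real host the same function can be fed `iptables-save -t filter` output, for example `iptables-save -t filter | icc_disabled_for bridge1`, which makes the ICC=false guarantee something a deployment check can assert rather than assume.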

And the corresponding nat table:

{{index . "LNat4"}}

<details>
<summary>iptables commands</summary>

{{index . "SNat4"}}

</details>