ADDRTYPE rules are missing in POSTROUTING NAT chain #40

Closed
bephinix opened this issue Aug 14, 2019 · 1 comment · Fixed by #41

Comments

@bephinix
Contributor

Current IPv4 POSTROUTING chain:

Chain POSTROUTING (policy ACCEPT 463 packets, 28696 bytes)
 pkts bytes target      prot opt in     out         source              destination         
    2    88 MASQUERADE  all  --  *      docker0     0.0.0.0/0           0.0.0.0/0            ADDRTYPE match src-type LOCAL
    0     0 MASQUERADE  all  --  *      !docker0    172.25.1.0/24       0.0.0.0/0           
    3   128 MASQUERADE  all  --  *      dckrMyNet   0.0.0.0/0           0.0.0.0/0            ADDRTYPE match src-type LOCAL
    0     0 MASQUERADE  all  --  *      !dckrMyNet  172.25.2.0/24       0.0.0.0/0           

Current IPv6 POSTROUTING chain:

Chain POSTROUTING (policy ACCEPT 74 packets, 5932 bytes)
 pkts bytes target      prot opt in     out           source              destination         
    0     0 MASQUERADE  all      *      !dckrMyNet    fddd:0:0:2::/64     ::/0                
    0     0 MASQUERADE  all      *      !dckrDefault  fddd:0:0:1:/64      ::/0  

As you can see, for each masqueraded network the ADDRTYPE match src-type LOCAL rule is missing.

These missing rules will masquerade packets when they enter the network bridge. We should copy this, so Docker's IPv4 and Docker's IPv6 share the same behavior.

@bephinix
Contributor Author

Update: ADDRTYPE match src-type LOCAL rules are always added, if the network is not internal. It does not matter if the network is masqueraded or not. PR was updated.
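
One way to check a `-L POSTROUTING -v -n` listing for the gap described in this issue, as an added example (not code from the project or from the linked PR). The function names are hypothetical, and the sample input is the pair of listings quoted in the issue.

```python
import re

# Sample input: the two listings quoted in the issue above.
IPV4 = """\
Chain POSTROUTING (policy ACCEPT 463 packets, 28696 bytes)
 pkts bytes target      prot opt in     out         source              destination
    2    88 MASQUERADE  all  --  *      docker0     0.0.0.0/0           0.0.0.0/0            ADDRTYPE match src-type LOCAL
    0     0 MASQUERADE  all  --  *      !docker0    172.25.1.0/24       0.0.0.0/0
    3   128 MASQUERADE  all  --  *      dckrMyNet   0.0.0.0/0           0.0.0.0/0            ADDRTYPE match src-type LOCAL
    0     0 MASQUERADE  all  --  *      !dckrMyNet  172.25.2.0/24       0.0.0.0/0
"""
IPV6 = """\
Chain POSTROUTING (policy ACCEPT 74 packets, 5932 bytes)
 pkts bytes target      prot opt in     out           source              destination
    0     0 MASQUERADE  all      *      !dckrMyNet    fddd:0:0:2::/64     ::/0
    0     0 MASQUERADE  all      *      !dckrDefault  fddd:0:0:1:/64      ::/0
"""
LOCAL_MATCH = "ADDRTYPE match src-type LOCAL"

def parse_rules(listing):
    """Turn `-L POSTROUTING -v -n` text into dicts, one per rule row."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        # Skip the chain header, the column header and blank lines.
        if len(f) < 8 or not re.fullmatch(r"\d+[KMGT]?", f[0]):
            continue
        # The IPv4 rows print "--" in the opt column, the IPv6 rows above
        # leave it empty; drop it so both families share one field layout.
        if f[4] == "--":
            del f[4]
        rules.append({"target": f[2], "out": f[5], "src": f[6],
                      "match": " ".join(f[8:])})
    return rules

def bridges_missing_local_rule(listing, bridges=None):
    """Return bridges that have no MASQUERADE rule with the LOCAL match."""
    rules = [r for r in parse_rules(listing) if r["target"] == "MASQUERADE"]
    if bridges is None:
        # Infer bridges from the per-subnet rules, whose out column is "!<bridge>".
        bridges = {r["out"][1:] for r in rules if r["out"].startswith("!")}
    covered = {r["out"] for r in rules if LOCAL_MATCH in r["match"]}
    return sorted(set(bridges) - covered)

if __name__ == "__main__":
    print("IPv4 missing:", bridges_missing_local_rule(IPV4))
    print("IPv6 missing:", bridges_missing_local_rule(IPV6))
```

When `bridges` is omitted, the bridge set is inferred from the per-subnet MASQUERADE rules, so only masqueraded networks are checked. Since the update above says the rule is added for every non-internal network, pass the list of non-internal bridge names explicitly to cover networks without masquerading.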
