Use IPVS for nating instead of iptables #1379
Conversation
@aboch How come this would fail on
@cpuguy83 The test has recently become flaky, we are aware of it. Will invest some time to fix it after release.
}
} else if Exists(Mangle, "PREROUTING", preroute...) && !enable {
if err := c.Prerouting(Mangle, Delete, preroute...); err != nil {
return fmt.Errorf("Failed to remove docker in PREROUTING nat chain: %s", err)
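Review bot: the error string in this Delete branch names the "PREROUTING nat chain" while the call it reports on runs against the Mangle table (`c.Prerouting(Mangle, Delete, preroute...)`), so an operator chasing the failure would look in the wrong table; say mangle here. While touching the line, Go convention is a lowercase error string with the wrapped error printed via %v, e.g. `fmt.Errorf("failed to remove docker from PREROUTING mangle chain: %v", err)`.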
nat
-> mangle
Using iptables for setting up nat rules has a nasty tendency to conflict with user-defined firewall rules, and tends to be invisible to tools like UFW. Meanwhile using ipvs for nat is fairly natural and does not require mucking around in iptables rules. The one thing we do need to continue using iptables for here is nating against localhost, however this shouldn't interfere with user-defined rules unless they are denying localhost (not likely)... and still much better than having public interfaces here. Fixes (after re-vendor) moby/moby#4737 Fixes (after re-vendor) moby/moby#22054 Signed-off-by: Brian Goff <cpuguy83@gmail.com>
What is the current status of this issue? I'm currently using a workaround and inject my own iptables chain before the docker rules in order to firewall my traffic. This requires me to run a manual script every time the Docker engine is restarted or the machine is rebooted. My understanding is that this issue fixes this? Maybe there is another way to deal with it currently?
@donnex There are some edge cases not dealt with here. It's also a pretty big change to how Docker handles port forwards which may break existing users. I'm going to close this, but I think there's another solution to the issue you mentioned.
@cpuguy83 Do you have any more information about a viable solution to my problem? I need to firewall traffic to my containers (exposed ports) and limit access by remote IP. I haven't found any solution other than my workaround with injecting firewall rules before the Docker chain.
I think the solution will be providing a way to inject rules before the docker chain. |
Agree, similar to what #1675 does for the filter table. |
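An idempotent form of the workaround described in this thread (a user-owned chain hooked ahead of the engine's chain in FORWARD, restricting one published port to one source network), added here as an example; it is not code from this PR or from libnetwork. The chain name PRE-DOCKER, the port and the CIDR are assumed values, and the conntrack match keys on the pre-DNAT destination port because the nat PREROUTING rules have already rewritten the packet by the time FORWARD sees it.

```shell
#!/bin/sh
# Added example, not code from this PR or from libnetwork: an idempotent
# form of the workaround discussed in the thread. A user-owned chain is
# hooked at the head of FORWARD so it is consulted before the DOCKER chain,
# and it limits one published port to one source network.
# Assumed values: chain name, port and CIDR are illustrative only.
set -eu
USER_CHAIN="${USER_CHAIN:-PRE-DOCKER}"

# Print the policy rules for the user chain, one iptables command per line,
# without running them. Args: allowed source CIDR, published host port.
build_rules() {
    cidr="$1"; port="$2"
    # DNAT has already rewritten the packet in PREROUTING by the time it
    # reaches FORWARD, so match the original (pre-DNAT) destination port.
    printf '%s\n' \
        "iptables -A $USER_CHAIN -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN" \
        "iptables -A $USER_CHAIN -p tcp -m conntrack --ctorigdstport $port -s $cidr -j RETURN" \
        "iptables -A $USER_CHAIN -p tcp -m conntrack --ctorigdstport $port -j DROP"
}

# Create the chain if missing, hook it once at position 1 of FORWARD, then
# replace its contents so re-running the script never duplicates rules.
apply_rules() {
    iptables -n -L "$USER_CHAIN" >/dev/null 2>&1 || iptables -N "$USER_CHAIN"
    iptables -C FORWARD -j "$USER_CHAIN" 2>/dev/null || iptables -I FORWARD 1 -j "$USER_CHAIN"
    iptables -F "$USER_CHAIN"
    build_rules "$1" "$2" | sh -e
}

# Usage: ./pre-docker.sh apply 203.0.113.0/24 8080   (needs root)
if [ "${1:-}" = "apply" ]; then
    apply_rules "${2:?allowed CIDR}" "${3:?published port}"
fi
```

Because the engine re-inserts its own FORWARD jumps at the head of the chain when it restarts, the script still has to be re-run after every restart, which is exactly the limitation the thread describes.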
Using iptables for setting up nat rules has a nasty tendency to conflict
with user-defined firewall rules, and tends to be invisible to tools like
UFW.
Meanwhile using ipvs for nat is fairly natural and does not require
mucking around in iptables rules.
The one thing we do need to continue using iptables for here is nating
against localhost, however this shouldn't interfere with user-defined
rules unless they are denying localhost (not likely)... and still much
better than having public interfaces here.
Fixes (after re-vendor) moby/moby#4737
Fixes (after re-vendor) moby/moby#22054
Closes #852
Signed-off-by: Brian Goff <cpuguy83@gmail.com>