Issue
We use DSCP ToS packet tagging within our network. The issue we are experiencing is between 2 subnets. At the Docker Swarm host level, we have the IPTables rules applied and we can connect to the remote host/port in question. From within the container on that same Swarm host, we cannot reach the remote host/port, even though we are using the overlay network.
Docker Version: 17.12.0-ce
Example:
VLAN1: 10.1.1.0/24
VLAN2: 10.2.2.0/24
Source Host: 10.1.1.3
Remote Host: 10.2.2.25, port 5701
Summary
It would seem that DSCP tagging is not being honored by the Overlay network for outgoing packets.
Any help would be greatly appreciated; I haven't found anything online regarding this issue.
Wouldn't adding the DSCP set rules to the FORWARD chain fix this?
I don't think the OUTPUT chain on the host applies to the container.
Another solution would be to add the rules to the OUTPUT chain inside the container.
IPTables Rules at Swarm Host Level:

# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DSCP       icmp --  anywhere             anywhere             DSCP set 0x10
DSCP       tcp  --  anywhere             anywhere             DSCP set 0x10
DSCP       udp  --  anywhere             anywhere             DSCP set 0x10

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
From the host level, I can ping and telnet to the remote port:
docker-host> # telnet 10.2.2.25 5701
Trying 10.2.2.25...
Connected to 10.2.2.25.
Escape character is '^]'.
^]

docker-host> # ping 10.2.2.25
PING 10.2.2.25 (10.2.2.25): 56 data bytes
64 bytes from 10.2.2.25: seq=0 ttl=62 time=0.517 ms
64 bytes from 10.2.2.25: seq=1 ttl=62 time=0.492 ms
From the container level on that host, I can ping but telnet fails to the remote port:
docker-container> # telnet 10.2.2.25 5701
Trying 10.2.2.25...

docker-container> # ping 10.2.2.25
PING 10.2.2.25 (10.2.2.25): 56 data bytes
64 bytes from 10.2.2.25: seq=0 ttl=62 time=0.517 ms
64 bytes from 10.2.2.25: seq=1 ttl=62 time=0.492 ms
I ran two separate TCPDUMPs, one while connecting from the host and one from the container level.
TCPDUMP from Host:
19:35:15.168458 IP (tos 0x40, ttl 64, id 41630, offset 0, flags [DF], proto TCP (6), length 40)
TCPDUMP from Container:
19:35:23.539889 IP (tos 0x0, ttl 63, id 34540, offset 0, flags [DF], proto TCP (6), length 52)
As you can see, the tos is not being set properly from the container level. From the host, it's being set to 0x40, which is CS2 (which is correct).
TOS Values Explained
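The post compares a host-side capture showing tos 0x40 with a container-side capture showing tos 0x0, and a mangle rule that does DSCP set 0x10. The relationship between those three numbers is that the DSCP field occupies the top six bits of the ToS byte, so DSCP 0x10 (decimal 16, class CS2) appears on the wire as tos 0x40. The script below is an added example, not part of the original post or of Docker: it decodes the ToS byte from tcpdump's verbose output into DSCP/ECN and the standard class name, and flags any captured packet whose marking does not match the class the rule was supposed to apply. The two tcpdump lines are the ones quoted above; the function names and the expected_dscp parameter are this example's own.

```python
# Added example (not from the original post): decode the ToS byte that tcpdump -v
# prints into its DSCP and ECN fields and check whether the marking matches the
# class that the iptables rule ("DSCP set 0x10") was meant to apply.
import re

# Standard DSCP code points (decimal) from RFC 2474, RFC 2597 and RFC 3246.
DSCP_NAMES = {
    0: "CS0/BE", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4",
    40: "CS5", 48: "CS6", 56: "CS7", 46: "EF",
    10: "AF11", 12: "AF12", 14: "AF13",
    18: "AF21", 20: "AF22", 22: "AF23",
    26: "AF31", 28: "AF32", 30: "AF33",
    34: "AF41", 36: "AF42", 38: "AF43",
}


def dscp_to_tos(dscp):
    """ToS byte carried on the wire for a DSCP value: DSCP sits in the top 6 bits,
    the low 2 bits are ECN (left at zero here)."""
    return (dscp & 0x3F) << 2


def decode_tos(tos):
    """Split a ToS byte into (dscp, ecn, class name)."""
    dscp = tos >> 2
    ecn = tos & 0x03
    return dscp, ecn, DSCP_NAMES.get(dscp, "unassigned")


# Matches the "(tos 0x40, ttl 64, ..." prefix that tcpdump -v prints for IPv4.
TOS_RE = re.compile(r"\(tos 0x([0-9a-fA-F]+),")


def check_capture(lines, expected_dscp):
    """Return one (label, dscp, class name, marking_ok) tuple per tcpdump line
    that carries a tos field; marking_ok is True when the packet left with the
    DSCP the mangle rule was supposed to set."""
    results = []
    for label, line in lines:
        match = TOS_RE.search(line)
        if not match:
            continue
        dscp, _ecn, name = decode_tos(int(match.group(1), 16))
        results.append((label, dscp, name, dscp == expected_dscp))
    return results


# The two tcpdump lines quoted in the post, labelled by where they were taken.
CAPTURE = [
    ("host", "19:35:15.168458 IP (tos 0x40, ttl 64, id 41630, offset 0, "
             "flags [DF], proto TCP (6), length 40)"),
    ("container", "19:35:23.539889 IP (tos 0x0, ttl 63, id 34540, offset 0, "
                  "flags [DF], proto TCP (6), length 52)"),
]

if __name__ == "__main__":
    # The mangle rule sets DSCP 0x10, so every egress packet should decode to CS2.
    for label, dscp, name, ok in check_capture(CAPTURE, expected_dscp=0x10):
        print(f"{label:9s} dscp={dscp:2d} ({name}) {'OK' if ok else 'UNMARKED'}")
```

Run against the two quoted lines, the host packet decodes to DSCP 16 (CS2) and passes, while the container packet decodes to DSCP 0 and is reported as unmarked, which is the symptom the post describes. The same check can be pointed at a longer tcpdump -v capture taken on the physical interface to confirm whether a FORWARD-chain or in-container rule actually restores the marking on overlay traffic.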