docker-archive / classicswarm

Swarm Classic: a container clustering system. Not to be confused with Docker Swarm which is at https://github.com/docker/swarmkit
Apache License 2.0

Docker Swarm: Host level DSCP IPtables rules not inherited by Container #2839

Closed marzlarz closed 4 years ago

marzlarz commented 6 years ago

Issue

We use DSCP ToS packet tagging within our network. The issue we are experiencing is between 2 subnets. At the Docker Swarm host level, we have the IPTables rules applied and we can connect to the remote host/port in question. From within the container on that same Swarm host, we cannot reach the remote host/port, even though we are using the overlay network.

Docker Version: 17.12.0-ce

Example:

VLAN1: 10.1.1.0/24
VLAN2: 10.2.2.0/24

Source Host: 10.1.1.3
Remote Host: 10.2.2.25, port 5701

IPTables Rules at Swarm Host Level:

```
# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DSCP       icmp --  anywhere             anywhere             DSCP set 0x10
DSCP       tcp  --  anywhere             anywhere             DSCP set 0x10
DSCP       udp  --  anywhere             anywhere             DSCP set 0x10

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
```

From the host level, I can ping and telnet to the remote port:

```
docker-host> # telnet 10.2.2.25 5701
Trying 10.2.2.25...
Connected to 10.2.2.25.
Escape character is '^]'.
^]
```

```
docker-host> # ping 10.2.2.25
PING 10.2.2.25 (10.2.2.25): 56 data bytes
64 bytes from 10.2.2.25: seq=0 ttl=62 time=0.517 ms
64 bytes from 10.2.2.25: seq=1 ttl=62 time=0.492 ms
```

From the container level on that host, I can ping but telnet fails to the remote port:

```
docker-container> # telnet 10.2.2.25 5701
Trying 10.2.2.25...
```

```
docker-container> # ping 10.2.2.25
PING 10.2.2.25 (10.2.2.25): 56 data bytes
64 bytes from 10.2.2.25: seq=0 ttl=62 time=0.517 ms
64 bytes from 10.2.2.25: seq=1 ttl=62 time=0.492 ms
```

I ran two separate TCPDUMPs, one while connecting from the host and one from the container level.

TCPDUMP from Host:

```
19:35:15.168458 IP (tos 0x40, ttl 64, id 41630, offset 0, flags [DF], proto TCP (6), length 40)
```

TCPDUMP from Container:

```
19:35:23.539889 IP (tos 0x0, ttl 63, id 34540, offset 0, flags [DF], proto TCP (6), length 52)
```

As you can see, the tos is not being set properly from the container level. From the host, it's being set to 0x40, which is CS2 (which is correct).

TOS Values Explained

Summary

It would seem that DSCP tagging is not being honored by the Overlay network for outgoing packets. Any help would be greatly appreciated; I haven't found anything online regarding this issue.
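To check whether container-originated packets actually carry the intended DSCP mark (for example after moving the marking rules to a chain the forwarded traffic traverses), here is an added Python helper that is not part of the issue or of Swarm: it parses `tcpdump -v` IP header lines, derives the DSCP from the tos byte, names the Diffserv class, and flags packets whose class differs from the expected one. The two sample lines are constructed from the host and container captures quoted above.

```python
# Added example: audit DSCP marks in `tcpdump -v` output (not from the issue).
import re

TOS_RE = re.compile(r"\btos (0x[0-9a-fA-F]+)")
# DSCP class names: CSn = n<<3, EF = 46, AFxy = 8x + 2y (RFC 2474/2597/3246).
CLASS_SELECTORS = {n << 3: f"CS{n}" for n in range(8)}

def dscp_name(dscp):
    """Return the Diffserv class name for a 6-bit DSCP value."""
    if dscp == 46:
        return "EF"
    if dscp in CLASS_SELECTORS:
        return CLASS_SELECTORS[dscp]
    cls, drop = dscp >> 3, (dscp & 0b111) >> 1
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp % 2 == 0:
        return f"AF{cls}{drop}"
    return f"DSCP{dscp}"

def dscp_from_tos(tos):
    """The ToS byte carries DSCP in its upper 6 bits; the low 2 bits are ECN."""
    return tos >> 2

def parse_tos(line):
    """Extract the ToS byte from one tcpdump -v IP header line, or None."""
    m = TOS_RE.search(line)
    return int(m.group(1), 16) if m else None

def audit(lines, expected_dscp):
    """Return (line, class) for every packet whose DSCP differs from expected."""
    findings = []
    for line in lines:
        tos = parse_tos(line)
        if tos is None:
            continue
        dscp = dscp_from_tos(tos)
        if dscp != expected_dscp:
            findings.append((line.strip(), dscp_name(dscp)))
    return findings

# Constructed samples modelled on the host and container captures in the issue.
HOST_CAPTURE = ["19:35:15.168458 IP (tos 0x40, ttl 64, id 41630, offset 0, flags [DF], proto TCP (6), length 40)"]
CONTAINER_CAPTURE = ["19:35:23.539889 IP (tos 0x0, ttl 63, id 34540, offset 0, flags [DF], proto TCP (6), length 52)"]

if __name__ == "__main__":
    for name, cap in (("host", HOST_CAPTURE), ("container", CONTAINER_CAPTURE)):
        print(name, audit(cap, expected_dscp=0x10) or "all packets marked CS2")
```

Feed it the output of a `tcpdump -v -n` capture on the host's egress interface taken before and after changing the mangle rules; an empty result for the container capture means the mark now survives the overlay path.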

yonirom commented 6 years ago

Wouldn't adding the DSCP set rules to the FORWARD chain fix this? I don't think the OUTPUT chain on the host applies to the container. Another solution would be to add the rules to the OUTPUT chain inside the container.