Open quentindavid opened 3 years ago
Hi @quentindavid, sorry you're running into issues. I don't use swarm mode myself. Perhaps @Chrislevi, who wrote the swarm mode instructions in the README, knows something about this?
Hi @robbertkl, thanks for answering this fast! The containers, within a swarm or not, are containers, and they are connected to docker_gwbridge, so as I understood it should work fine. I tried to read the code but I'm not sure I understand how it works. Is it able to detect containers connected to docker0 and to docker_gwbridge as well?
Thanks again :)
Yeah, the code is listening for Docker events, so it should see any container being connected to a network.
Ok, then I don't understand why it's missing the containers connected within the swarm. Maybe @Chrislevi is able to help?
Hi @Chrislevi,
I am facing the same issue too. Earlier I was using the bridge network with IPv6 and I could see IPv6 NAT working. I have a setup where I expect UDP packets to come from outside my system and be forwarded to the container with the source IP unchanged.
I am trying to migrate away from the docker default bridge to the docker_gwbridge that we get when we have a swarm network. When I am connected to docker_gwbridge (swarm network)... I see the packets reaching the VM and then being forwarded to the container using the IPv4 address of the docker_gwbridge in the VM instead of the source IPv6 address retained in the packet.
Any pointers to debug this?
These are the options in the docker_gwbridge network (as seen from the docker network inspect docker_gwbridge command):
"Options": {
    "com.docker.network.bridge.enable_icc": "true",
    "com.docker.network.bridge.enable_ip_forwarding": "true",
    "com.docker.network.bridge.enable_ip_masquerade": "true",
    "com.docker.network.bridge.name": "docker_gwbridge"
},
docker logs for ipv6nat in debug mode has the following output:
2021/03/19 03:46:15 docker-ipv6nat is running in debug mode
2021/03/19 03:46:15 rule added: -t filter -A DOCKER-ISOLATION-STAGE-1 1 -j RETURN
2021/03/19 03:46:15 rule added: -t filter -A DOCKER-ISOLATION-STAGE-2 1 -j RETURN
2021/03/19 03:46:15 rule added: -t filter -A FORWARD 1 -j DOCKER-USER
2021/03/19 03:46:15 rule added: -t nat -A DOCKER 1 -i docker_gwbridge -j RETURN
2021/03/19 03:46:15 rule added: -t filter -A DOCKER-ISOLATION-STAGE-2 1 -o docker_gwbridge -j DROP
2021/03/19 03:46:15 rule added: -t filter -A DOCKER-ISOLATION-STAGE-1 1 -i docker_gwbridge ! -o docker_gwbridge -j DOCKER-ISOLATION-STAGE-2
2021/03/19 03:46:15 rule added: -t nat -A DOCKER 1 -i docker0 -j RETURN
2021/03/19 03:46:15 rule added: -t filter -A DOCKER-ISOLATION-STAGE-2 1 -o docker0 -j DROP
2021/03/19 03:46:15 rule added: -t filter -A DOCKER-ISOLATION-STAGE-1 1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
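A small checker for exactly this symptom, added here as an example and not part of docker-ipv6nat or of anyone's post: it parses the "rule added" debug lines in the format shown above, counts the rules that reference each bridge interface, and reports which container IPv6 addresses never appear in any -s/-d match (i.e. got no rule). The sample log is the one quoted above plus one constructed per-container line for a hypothetical docker0 container; that line's format is an assumption, not taken from the page.

```python
import re

# Constructed sample input: the debug lines from the comment above, plus one
# hypothetical per-container rule (last line) so the "covered" case is exercised.
SAMPLE_LOG = """2021/03/19 03:46:15 docker-ipv6nat is running in debug mode
2021/03/19 03:46:15 rule added: -t filter -A DOCKER-ISOLATION-STAGE-1 1 -j RETURN
2021/03/19 03:46:15 rule added: -t filter -A DOCKER-ISOLATION-STAGE-2 1 -j RETURN
2021/03/19 03:46:15 rule added: -t filter -A FORWARD 1 -j DOCKER-USER
2021/03/19 03:46:15 rule added: -t nat -A DOCKER 1 -i docker_gwbridge -j RETURN
2021/03/19 03:46:15 rule added: -t filter -A DOCKER-ISOLATION-STAGE-2 1 -o docker_gwbridge -j DROP
2021/03/19 03:46:15 rule added: -t filter -A DOCKER-ISOLATION-STAGE-1 1 -i docker_gwbridge ! -o docker_gwbridge -j DOCKER-ISOLATION-STAGE-2
2021/03/19 03:46:15 rule added: -t nat -A DOCKER 1 -i docker0 -j RETURN
2021/03/19 03:46:15 rule added: -t filter -A DOCKER-ISOLATION-STAGE-2 1 -o docker0 -j DROP
2021/03/19 03:46:15 rule added: -t filter -A DOCKER-ISOLATION-STAGE-1 1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
2021/03/19 03:46:20 rule added: -t nat -A POSTROUTING 1 -s fdd0:4cab:5070:357f::2/128 ! -o docker0 -j MASQUERADE
"""

# "<date> <time> rule added: -t <table> -A <chain> <position> <iptables spec>"
RULE_RE = re.compile(r"^\S+ \S+ rule added: -t (\S+) -A (\S+) \d+ (.*)$")


def parse_rules(log):
    """Return one dict per 'rule added' line; other lines (e.g. the banner) are skipped."""
    rules = []
    for line in log.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        table, chain, spec = m.groups()
        tokens = spec.split()
        ifaces, addrs = set(), set()
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("-i", "-o"):          # interface matches ("!" before them is negation)
                ifaces.add(tokens[i + 1])
            elif tok in ("-s", "-d"):        # address matches, prefix length stripped
                addrs.add(tokens[i + 1].split("/")[0])
        rules.append({"table": table, "chain": chain, "spec": spec,
                      "ifaces": ifaces, "addrs": addrs})
    return rules


def rules_per_bridge(rules, bridges):
    """Count rules that mention each bridge interface in -i or -o."""
    return {b: sum(1 for r in rules if b in r["ifaces"]) for b in bridges}


def missing_container_rules(rules, container_addrs):
    """Container addresses that no rule matches on: these got no per-container rule."""
    covered = set()
    for r in rules:
        covered |= r["addrs"]
    return sorted(a for a in container_addrs if a not in covered)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_LOG)
    print(rules_per_bridge(rules, ["docker0", "docker_gwbridge"]))
    # fdd0:4cab:5070:357f::5 is the swarm container address from the original post
    print(missing_container_rules(rules, ["fdd0:4cab:5070:357f::5", "fdd0:4cab:5070:357f::2"]))
```

Feed it `docker logs <ipv6nat-container>` output plus the container addresses from `docker network inspect`; an address listed as missing while its bridge has rules is the case described in this thread.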
Hi! Thanks a lot for your work, it is very surprising that now, at end-2020, we still have to fight to get consistent behaviour between IPv4 and IPv6 within docker..
So, I followed your documentation, and it works well for containers sitting in docker, I can see the rules added in debug mode. Now I try to use it with swarm mode, so I enabled IPv6 on docker_gwbridge:
And then I launched the container:
Now I can see the container is able to see the network docker_gwbridge because I see this in the container logs:
But I cannot see any automatic rule like I see for simple containers. If I do this manually (fdd0:4cab:5070:357f::5 is the IP of a container within a swarm stack):
then it works... so it seems there is an issue detecting the container when it's within a swarm.
Does someone know if I'm missing something? IPv6 seems to be working fine, I am able to ping6 external IPs from my containers, including those within the swarm.
Thanks again a lot!!