
I have nftables set to log when it drops packets. I'm trying to work out specifically how communication between docker containers is blocked.

The log shows the following entry:

IN=br-0353a07849d5 OUT= PHYSIN=veth8e2058a MAC=XXXXX SRC=172.19.0.3 DST=172.17.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=40709 PROTO=TCP SPT=46580 DPT=5432 WINDOW=1024 RES=0x00 SYN URGP=0

Why is OUT= blank here? Does this mean that it's an INPUT packet? Or just that the rules caused it to get blocked before it knew where it was going? I'm expecting this to be a FORWARD packet from br-0353a07849d5 to docker0.

1 Answer


172.17.0.1 is a local address belonging to the host. So this packet isn't forwarded: it's received in the INPUT hook, from the br-0353a07849d5 interface. It doesn't matter if this local IP address was set on docker0, lo, or br-0353a07849d5, it's still a local IP address, so it's not routed/forwarded but received by the routing stack for local socket processing (and dropped here by the Netfilter/nftables firewall infrastructure).

  • Do local packets only go through INPUT? Or do they traverse OUTPUT first and then INPUT? Commented Feb 26, 2022 at 11:35
  • The remote side (the container) isn't from the same network stack: consider it a remote system. So it goes through the container's network stack OUTPUT (in case the container has iptables rules itself) and arrives at the host's network stack INPUT. Host's network stack never sees it in OUTPUT. Commented Feb 26, 2022 at 11:41
  • schematic to help: en.wikipedia.org/wiki/Netfilter#/media/… Commented Feb 26, 2022 at 11:44
  • Oh! I may have been thinking about this all wrong. I thought all docker networking happened within the host, and from the nftables perspective it just looked like the host just had lots of IPs. Does this mean that direct container-to-container connections never go through any of the host's nftables rules? And in theory you could add nftables inside a container that would be completely separate to the host? Commented Feb 26, 2022 at 12:30
  • Normally that would mean what you said. But actually, as I wrote in a comment to your other question, as the host holds a lot of bridges, container-to-container traffic goes through these bridges AND the kernel module br_netfilter is loaded by Docker, container-to-container traffic DOES pass through host's iptables (and nftables) because frames of type IPv4 (0x800) are temporarily converted to packets for the specific goal of being filtered by iptables (and nftables as a collateral) then converted back to frames. Commented Feb 26, 2022 at 12:34
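The rule in the answer (a host-local DST means the packet is taken in the input hook, so OUT= stays empty) and the br_netfilter point in the last comment (traffic between two containers on the same bridge shows up in the IP forward hook with IN and OUT both set to the bridge and PHYSIN/PHYSOUT naming the two ports) can be applied mechanically to a log. The script below is an added example, not code from the question or the answer: it parses the log line from the question plus three constructed lines, classifies each by hook from its IN=/OUT=/PHYSIN=/PHYSOUT= fields, and checks that classification against a set of assumed host addresses. 172.17.0.1 is the host's address per the answer; 172.19.0.1, the veth names and all other values in the constructed lines are assumptions.

```python
import re

# Sample netfilter log lines. The first is the line from the question (MAC
# already redacted there); the other three are constructed here to show the
# remaining shapes seen on a Docker host.
SAMPLE_LINES = [
    # container on br-0353a07849d5 -> host-local 172.17.0.1: OUT= is empty
    "IN=br-0353a07849d5 OUT= PHYSIN=veth8e2058a MAC=XXXXX SRC=172.19.0.3 "
    "DST=172.17.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=40709 PROTO=TCP "
    "SPT=46580 DPT=5432 WINDOW=1024 RES=0x00 SYN URGP=0",
    # container on one bridge routed to a container on another bridge (constructed)
    "IN=br-0353a07849d5 OUT=docker0 PHYSIN=veth8e2058a MAC=XXXXX SRC=172.19.0.3 "
    "DST=172.17.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP "
    "SPT=46581 DPT=5432 WINDOW=64240 RES=0x00 SYN URGP=0",
    # two containers on the same bridge: the IP forward hook only sees this
    # frame because br_netfilter is loaded (constructed)
    "IN=docker0 OUT=docker0 PHYSIN=vetha1b2c3d PHYSOUT=vethd4e5f6a MAC=XXXXX "
    "SRC=172.17.0.2 DST=172.17.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF "
    "PROTO=TCP SPT=51000 DPT=5432 WINDOW=64240 RES=0x00 SYN URGP=0",
    # the host itself talking to a container: IN= is empty (constructed)
    "IN= OUT=docker0 SRC=172.17.0.1 DST=172.17.0.2 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=3 DF PROTO=TCP SPT=40000 DPT=5432 WINDOW=64240 RES=0x00 SYN URGP=0",
]

# Assumed host-local addresses: 172.17.0.1 is the host's docker0 address per
# the answer; 172.19.0.1 is assumed to be the host's address on the br- bridge.
HOST_ADDRS = {"127.0.0.1", "172.17.0.1", "172.19.0.1"}

KEYED = re.compile(r"^([A-Z]+)=(.*)$")


def parse_nflog(line: str) -> dict:
    """Split a netfilter log line into KEY=value fields plus bare flags.

    Keys with an empty value (OUT=) are kept with "" so the absence of an
    egress interface stays visible; bare tokens such as SYN or DF are flags.
    """
    fields, flags = {}, []
    for tok in line.split():
        m = KEYED.match(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        else:
            flags.append(tok)
    fields["FLAGS"] = flags
    return fields


def classify_hook(f: dict) -> str:
    """Infer which netfilter hook logged the packet from IN=/OUT=.

    input:          IN set, OUT empty  (delivered to a local socket)
    output:         IN empty, OUT set  (generated by the host)
    forward:        both set           (routed between two interfaces)
    bridge-forward: both set and equal, with PHYSIN/PHYSOUT (a frame bridged
                    between two ports of one bridge, reaching the IP hooks
                    only through br_netfilter)
    """
    inp, out = f.get("IN", ""), f.get("OUT", "")
    if inp and not out:
        return "input"
    if out and not inp:
        return "output"
    if inp and out:
        if inp == out and "PHYSIN" in f and "PHYSOUT" in f:
            return "bridge-forward"
        return "forward"
    return "unknown"


def expected_hooks(f: dict, host_addrs: set) -> set:
    """Hooks the addresses alone predict: local DST -> input, local SRC -> output."""
    if f.get("DST") in host_addrs:
        return {"input"}
    if f.get("SRC") in host_addrs:
        return {"output"}
    return {"forward", "bridge-forward"}


def audit(lines, host_addrs):
    """Return (hook, consistent) per line. consistent is False when the
    observed hook contradicts the addresses, e.g. a forward-hook line for a
    packet whose DST is one of the host's own IPs."""
    results = []
    for line in lines:
        f = parse_nflog(line)
        hook = classify_hook(f)
        results.append((hook, hook in expected_hooks(f, host_addrs)))
    return results


if __name__ == "__main__":
    for line, (hook, ok) in zip(SAMPLE_LINES, audit(SAMPLE_LINES, HOST_ADDRS)):
        f = parse_nflog(line)
        status = "ok" if ok else "MISMATCH"
        print(f"{hook:15} {status:9} {f['SRC']}->{f['DST']} "
              f"IN={f['IN']!r} OUT={f['OUT']!r} "
              f"PHYSIN={f.get('PHYSIN', '-')} PHYSOUT={f.get('PHYSOUT', '-')}")
```

Reconstructing the hook from the fields works, but it is guesswork the log need not require: give the `log` statement in each chain its own prefix (for example `log prefix "nft-input-drop: "` in the input chain and a different prefix in the forward chain) and the line itself says which hook dropped the packet.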
