
I have nftables set to log when it drops packets. I'm trying to work out specifically how communication between docker containers is blocked.

The log shows the following entry:

IN=br-0353a07849d5 OUT= PHYSIN=veth8e2058a MAC=XXXXX SRC=172.19.0.3 DST=172.17.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=40709 PROTO=TCP SPT=46580 DPT=5432 WINDOW=1024 RES=0x00 SYN URGP=0

Why is OUT= blank here? Does this mean that it's an INPUT packet? Or just that the rules caused it to get blocked before it knew where it was going? I'm expecting this to be a FORWARD packet from br-0353a07849d5 to docker0.

SystemParadox

1 Answer


172.17.0.1 is a local address belonging to the host. So this packet isn't forwarded: it's received in the INPUT hook, from the br-0353a07849d5 interface. It doesn't matter if this local IP address was set on docker0, lo, or br-0353a07849d5, it's still a local IP address, so it's not routed/forwarded but received by the routing stack for local socket processing (and dropped here by the Netfilter/nftables firewall infrastructure).

A.B
  • Do local packets *only* go through INPUT? Or do they traverse OUTPUT first and then INPUT? – SystemParadox Feb 26 '22 at 11:35
  • The remote side (the container) isn't from the same network stack: consider it a remote system. So it goes through the container's network stack OUTPUT (in case the container has iptables rules itself) and arrives at the host's network stack INPUT. Host's network stack never sees it in OUTPUT. – A.B Feb 26 '22 at 11:41
  • schematic to help: https://en.wikipedia.org/wiki/Netfilter#/media/File:Netfilter-packet-flow.svg – A.B Feb 26 '22 at 11:44
  • Oh! I may have been thinking about this all wrong. I thought all docker networking happened within the host, and from the nftables perspective it just looked like the host just had lots of IPs. Does this mean that direct container-to-container connections never go through any of the host's nftables rules? And in theory you could add nftables inside a container that would be completely separate to the host? – SystemParadox Feb 26 '22 at 12:30
  • Normally that would mean what you said. But actually, as I wrote in a comment to your other question, as the host holds a lot of bridges, container-to-container traffic goes through these bridges AND the kernel module `br_netfilter` is loaded by Docker, container-to-container traffic DOES pass through host's iptables (and nftables) because frames of type IPv4 (0x800) are temporarily converted to packets for the specific goal of being filtered by iptables (and nftables as a collateral) then converted back to frames. – A.B Feb 26 '22 at 12:34
  • But for this question here this is moot: input/output is an easier case. – A.B Feb 26 '22 at 12:35
  • Does this mean that container-to-container packets do go through the host's FORWARD chain? Or is this something lower-level? – SystemParadox Feb 26 '22 at 12:39
  • Sorry but this is increasingly off-topic for this question. You really should read the Q/A answer I made and linked in your other question where this is answered already: https://unix.stackexchange.com/questions/657545/nftables-whitelisting-docker/657786#657786 . Edit: and the answer is yes: FORWARD chain. – A.B Feb 26 '22 at 12:40
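The answer and the comments above give a rule of thumb for reading these log lines: the emptiness of IN= and OUT= tells you which hook fired (IN only: input, both: forward, OUT only: output), a local DST can only ever reach input, and PHYSIN/PHYSOUT appear only when br_netfilter has pushed a bridged frame through the IPv4 hooks. The following Python script is an added example, not code from the question, the answer or Docker; it parses kernel LOG lines of the format quoted in the question, classifies the hook, and cross-checks the classification against an assumed set of the host's own addresses. Only the first sample line is the one from the question; the other three are constructed for this example, and HOST_ADDRESSES is an assumption standing in for what `ip -4 addr` would show on the real host.

```python
"""Classify nftables/iptables LOG lines by the hook that emitted them.

Rule of thumb from the discussion:
  IN set,   OUT empty -> input   (DST is one of the host's own addresses)
  IN set,   OUT set   -> forward (routed between interfaces, or bridged
                                   through the same bridge under br_netfilter)
  IN empty, OUT set   -> output  (locally generated)
PHYSIN/PHYSOUT name the bridge *port*; IN/OUT name the bridge itself.
"""
import ipaddress
import re

# Constructed sample input. Line 0 is the line quoted in the question (MAC
# already redacted there); lines 1-3 are made up for this example.
SAMPLE_LOGS = [
    "IN=br-0353a07849d5 OUT= PHYSIN=veth8e2058a MAC=XXXXX SRC=172.19.0.3 "
    "DST=172.17.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=40709 PROTO=TCP "
    "SPT=46580 DPT=5432 WINDOW=1024 RES=0x00 SYN URGP=0",
    # container -> container on the same bridge, seen only thanks to br_netfilter
    "IN=docker0 OUT=docker0 PHYSIN=veth1a2b3c4 PHYSOUT=veth5d6e7f8 MAC=XXXXX "
    "SRC=172.17.0.2 DST=172.17.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF "
    "PROTO=TCP SPT=40000 DPT=5432 WINDOW=64240 RES=0x00 SYN URGP=0",
    # container on one bridge -> container on another bridge: routed FORWARD
    "IN=br-0353a07849d5 OUT=docker0 PHYSIN=veth8e2058a MAC=XXXXX "
    "SRC=172.19.0.3 DST=172.17.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF "
    "PROTO=TCP SPT=40001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0",
    # host-generated packet leaving via eth0: OUTPUT
    "IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=3 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
]

# Assumed host addresses (hypothetical; on a real host read them from the
# system, e.g. `ip -4 -o addr`, instead of hard-coding them).
HOST_ADDRESSES = {
    ipaddress.ip_address("172.17.0.1"),   # docker0
    ipaddress.ip_address("172.19.0.1"),   # br-0353a07849d5
    ipaddress.ip_address("192.0.2.10"),   # eth0
    ipaddress.ip_address("127.0.0.1"),    # lo
}

_KV = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return KEY=VALUE fields as a dict; bare flags (SYN, DF, ...) map to True."""
    fields = {}
    for token in line.split():
        m = _KV.fullmatch(token)
        if m:
            fields[m.group(1)] = m.group(2)      # "OUT=" yields an empty string
        else:
            fields[token] = True
    return fields


def classify_hook(fields):
    """Derive the Netfilter hook from which of IN=/OUT= carry an interface."""
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    if in_if and not out_if:
        return "input"
    if in_if and out_if:
        return "forward"
    if out_if:
        return "output"
    return "unknown"


def is_bridged(fields):
    """True when br_netfilter exposed a bridged frame to the IPv4 hooks."""
    return "PHYSIN" in fields or "PHYSOUT" in fields


def analyse(line, host_addresses=HOST_ADDRESSES):
    """Classify one log line and check the hook against the routing decision."""
    f = parse_log_line(line)
    hook = classify_hook(f)
    dst_local = ipaddress.ip_address(f["DST"]) in host_addresses
    if hook == "input":
        consistent = dst_local          # input must target a local address
    elif hook == "forward":
        consistent = not dst_local      # forward must not
    else:
        consistent = True
    return {
        "hook": hook,
        "bridged": is_bridged(f),
        "same_bridge": hook == "forward" and f["IN"] == f["OUT"],
        "dst_local": dst_local,
        "consistent": consistent,
        "flow": f"{f['SRC']}:{f.get('SPT', '')}->{f['DST']}:{f.get('DPT', '')}"
                f"/{f.get('PROTO', '')}",
    }


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(analyse(line))
```

Run over the question's own line, the script reports hook=input, dst_local=True and bridged=True: the SYN entered through a bridge port (PHYSIN) but its destination is the host's address on docker0, so it never reached FORWARD. The second sample shows the br_netfilter case from the comments (IN and OUT both the same bridge, PHYSIN and PHYSOUT naming the veth ports), which is what a blocked container-to-container connection on one Docker network looks like in the host's FORWARD chain. An "inconsistent" result would point at a stale or wrong HOST_ADDRESSES set rather than at the kernel.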