
packets are filtered via bridge using namespaced network card

I'm trying to set up a local networking experiment, and I'm unable to ping from within the namespaced network.

I'm using Fedora 37.

Linux dmitry-desktop 6.1.18-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Mar 11 16:09:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux 

I'm getting the following error:

➜ sudo ip netns exec netns-test0 ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered

Setup:

➜ sudo ip netns add netns-test0
➜ sudo ip netns add netns-test1
➜ ls -la /var/run/netns
total 0
drwxr-xr-x.  2 root root   80 Mar 22 13:42 .
drwxr-xr-x. 63 root root 1.7K Mar 22 12:55 ..
-r--r--r--.  1 root root    0 Mar 22 13:42 netns-test0
-r--r--r--.  1 root root    0 Mar 22 13:42 netns-test1
➜ sudo ip link add eth00 type veth peer name eth01
➜ sudo ip link add eth10 type veth peer name eth11
➜ sudo ip link set eth00 up
➜ sudo ip link set eth01 up
➜ sudo ip link set eth01 netns netns-test0
➜ sudo ip link set eth11 netns netns-test1
➜ sudo ip netns exec netns-test0 ip link set lo up
➜ sudo ip netns exec netns-test0 ip link set eth01 up
➜ sudo ip netns exec netns-test0 ip addr 10.10.10.10/24 dev eth01
Command "10.10.10.10/24" is unknown, try "ip address help".
➜ sudo ip netns exec netns-test0 ip addr add 10.10.10.10/24 dev eth01
➜ sudo ip netns exec netns-test1 ip link set lo up
➜ sudo ip netns exec netns-test1 ip link set eth11 up
➜ sudo ip netns exec netns-test1 ip addr add 10.10.10.11/24 dev eth11
➜ sudo ip link add name br0 type bridge
➜ sudo ip addr add 10.10.10.1/24 brd + dev br0
➜ sudo ip link set br0 up
➜ sudo ip link set eth00 master br0
➜ sudo ip link set eth10 master br0
➜ sudo bridge link show br0
20: eth00@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 2
22: eth10@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 2
➜ sudo iptables -A FORWARD -i br0 -j ACCEPT
➜ sudo ip link set eth00 master br0

So from the root namespace I can ping all devices and br0:

➜ ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.057 ms
➜ ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=0.047 ms
64 bytes from 10.10.10.10: icmp_seq=2 ttl=64 time=0.060 ms
➜ ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
64 bytes from 10.10.10.11: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 10.10.10.11: icmp_seq=2 ttl=64 time=0.053 ms

But if I start pings from within the namespaced network, I get "Packet filtered":

➜ sudo ip netns exec netns-test0 ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=0.021 ms
➜ sudo ip netns exec netns-test0 ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.063 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.070 ms
➜ sudo ip netns exec netns-test0 ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered
➜ sudo ip netns exec netns-test1 ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11) 56(84) bytes of data.
64 bytes from 10.10.10.11: icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from 10.10.10.11: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 10.10.10.11: icmp_seq=3 ttl=64 time=0.036 ms
➜ sudo ip netns exec netns-test1 ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.075 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=64 time=0.075 ms
took 2s
➜ sudo ip netns exec netns-test1 ping 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered
From 10.10.10.1 icmp_seq=4 Packet filtered
took 3s
✗ sudo ip netns exec netns-test1 ping 8.8.8.8
ping: connect: Network is unreachable
➜ sudo ip netns exec netns-test0 ping 8.8.8.8
ping: connect: Network is unreachable
➜ sudo ip -all netns exec ip route
netns: netns-test1
10.10.10.0/24 dev eth11 proto kernel scope link src 10.10.10.11
netns: netns-test0
10.10.10.0/24 dev eth01 proto kernel scope link src 10.10.10.10
➜ sudo ip -all netns exec ip route add default via 10.10.10.1
netns: netns-test1
netns: netns-test0
➜ sudo ip -all netns exec ip route
netns: netns-test1
default via 10.10.10.1 dev eth11
10.10.10.0/24 dev eth11 proto kernel scope link src 10.10.10.11
netns: netns-test0
default via 10.10.10.1 dev eth01
10.10.10.0/24 dev eth01 proto kernel scope link src 10.10.10.10
➜ sudo ip netns exec netns-test0 ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Packet filtered
From 10.10.10.1 icmp_seq=2 Packet filtered
From 10.10.10.1 icmp_seq=3 Packet filtered

My iptables config:

➜ _ iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   95  7810 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   95  7810 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   13  1226 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
   15   956 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
   67  5628 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
   15   956 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
   95  7810 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
   15   956 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   95  7810 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

firewalld:

➜ firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: br0 ens1f1 eth01 eth11 vpn0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

sudo nft list ruleset:

table inet firewalld {
    ct helper helper-netbios-ns-udp {
        type "netbios-ns" protocol udp
        l3proto ip
    }
    chain mangle_PREROUTING {
        type filter hook prerouting priority mangle + 10; policy accept;
        jump mangle_PREROUTING_ZONES
    }
    chain mangle_PREROUTING_POLICIES_pre {
        jump mangle_PRE_policy_allow-host-ipv6
    }
    chain mangle_PREROUTING_ZONES {
        iifname "br0" goto mangle_PRE_FedoraWorkstation
        iifname "eth11" goto mangle_PRE_FedoraWorkstation
        iifname "eth01" goto mangle_PRE_FedoraWorkstation
        iifname "vpn0" goto mangle_PRE_FedoraWorkstation
        iifname "ens1f1" goto mangle_PRE_FedoraWorkstation
        iifname "docker0" goto mangle_PRE_docker
        goto mangle_PRE_FedoraWorkstation
    }
    chain mangle_PREROUTING_POLICIES_post { }
    chain nat_PREROUTING {
        type nat hook prerouting priority dstnat + 10; policy accept;
        jump nat_PREROUTING_ZONES
    }
    chain nat_PREROUTING_POLICIES_pre {
        jump nat_PRE_policy_allow-host-ipv6
    }
    chain nat_PREROUTING_ZONES {
        iifname "br0" goto nat_PRE_FedoraWorkstation
        iifname "eth11" goto nat_PRE_FedoraWorkstation
        iifname "eth01" goto nat_PRE_FedoraWorkstation
        iifname "vpn0" goto nat_PRE_FedoraWorkstation
        iifname "ens1f1" goto nat_PRE_FedoraWorkstation
        iifname "docker0" goto nat_PRE_docker
        goto nat_PRE_FedoraWorkstation
    }
    chain nat_PREROUTING_POLICIES_post { }
    chain nat_POSTROUTING {
        type nat hook postrouting priority srcnat + 10; policy accept;
        jump nat_POSTROUTING_ZONES
    }
    chain nat_POSTROUTING_POLICIES_pre { }
    chain nat_POSTROUTING_ZONES {
        oifname "br0" goto nat_POST_FedoraWorkstation
        oifname "eth11" goto nat_POST_FedoraWorkstation
        oifname "eth01" goto nat_POST_FedoraWorkstation
        oifname "vpn0" goto nat_POST_FedoraWorkstation
        oifname "ens1f1" goto nat_POST_FedoraWorkstation
        oifname "docker0" goto nat_POST_docker
        goto nat_POST_FedoraWorkstation
    }
    chain nat_POSTROUTING_POLICIES_post { }
    chain nat_OUTPUT {
        type nat hook output priority -90; policy accept;
        jump nat_OUTPUT_POLICIES_pre
        jump nat_OUTPUT_POLICIES_post
    }
    chain nat_OUTPUT_POLICIES_pre { }
    chain nat_OUTPUT_POLICIES_post { }
    chain filter_PREROUTING {
        type filter hook prerouting priority filter + 10; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . mark . iif oif missing drop
    }
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ct state invalid drop
        jump filter_INPUT_ZONES
        reject with icmpx admin-prohibited
    }
    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ct state invalid drop
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
        jump filter_FORWARD_ZONES
        reject with icmpx admin-prohibited
    }
    chain filter_OUTPUT {
        type filter hook output priority filter + 10; policy accept;
        ct state { established, related } accept
        oifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
        jump filter_OUTPUT_POLICIES_pre
        jump filter_OUTPUT_POLICIES_post
    }
    chain filter_INPUT_POLICIES_pre {
        jump filter_IN_policy_allow-host-ipv6
    }
    chain filter_INPUT_ZONES {
        iifname "br0" goto filter_IN_FedoraWorkstation
        iifname "eth11" goto filter_IN_FedoraWorkstation
        iifname "eth01" goto filter_IN_FedoraWorkstation
        iifname "vpn0" goto filter_IN_FedoraWorkstation
        iifname "ens1f1" goto filter_IN_FedoraWorkstation
        iifname "docker0" goto filter_IN_docker
        goto filter_IN_FedoraWorkstation
    }
    chain filter_INPUT_POLICIES_post { }
    chain filter_FORWARD_POLICIES_pre { }
    chain filter_FORWARD_ZONES {
        iifname "br0" goto filter_FWD_FedoraWorkstation
        iifname "eth11" goto filter_FWD_FedoraWorkstation
        iifname "eth01" goto filter_FWD_FedoraWorkstation
        iifname "vpn0" goto filter_FWD_FedoraWorkstation
        iifname "ens1f1" goto filter_FWD_FedoraWorkstation
        iifname "docker0" goto filter_FWD_docker
        goto filter_FWD_FedoraWorkstation
    }
    chain filter_FORWARD_POLICIES_post { }
    chain filter_OUTPUT_POLICIES_pre { }
    chain filter_OUTPUT_POLICIES_post { }
    chain filter_IN_FedoraWorkstation {
        jump filter_INPUT_POLICIES_pre
        jump filter_IN_FedoraWorkstation_pre
        jump filter_IN_FedoraWorkstation_log
        jump filter_IN_FedoraWorkstation_deny
        jump filter_IN_FedoraWorkstation_allow
        jump filter_IN_FedoraWorkstation_post
        jump filter_INPUT_POLICIES_post
        meta l4proto { icmp, ipv6-icmp } accept
        reject with icmpx admin-prohibited
    }
    chain filter_IN_FedoraWorkstation_pre { }
    chain filter_IN_FedoraWorkstation_log { }
    chain filter_IN_FedoraWorkstation_deny { }
    chain filter_IN_FedoraWorkstation_allow {
        ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
        tcp dport 22 ct state { new, untracked } accept
        udp dport 137 ct helper set "helper-netbios-ns-udp"
        udp dport 137 ct state { new, untracked } accept
        udp dport 138 ct state { new, untracked } accept
        ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
        ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
        udp dport 1025-65535 ct state { new, untracked } accept
        tcp dport 1025-65535 ct state { new, untracked } accept
    }
    chain filter_IN_FedoraWorkstation_post { }
    chain nat_POST_FedoraWorkstation {
        jump nat_POSTROUTING_POLICIES_pre
        jump nat_POST_FedoraWorkstation_pre
        jump nat_POST_FedoraWorkstation_log
        jump nat_POST_FedoraWorkstation_deny
        jump nat_POST_FedoraWorkstation_allow
        jump nat_POST_FedoraWorkstation_post
        jump nat_POSTROUTING_POLICIES_post
    }
    chain nat_POST_FedoraWorkstation_pre { }
    chain nat_POST_FedoraWorkstation_log { }
    chain nat_POST_FedoraWorkstation_deny { }
    chain nat_POST_FedoraWorkstation_allow { }
    chain nat_POST_FedoraWorkstation_post { }
    chain filter_FWD_FedoraWorkstation {
        jump filter_FORWARD_POLICIES_pre
        jump filter_FWD_FedoraWorkstation_pre
        jump filter_FWD_FedoraWorkstation_log
        jump filter_FWD_FedoraWorkstation_deny
        jump filter_FWD_FedoraWorkstation_allow
        jump filter_FWD_FedoraWorkstation_post
        jump filter_FORWARD_POLICIES_post
        reject with icmpx admin-prohibited
    }
    chain filter_FWD_FedoraWorkstation_pre { }
    chain filter_FWD_FedoraWorkstation_log { }
    chain filter_FWD_FedoraWorkstation_deny { }
    chain filter_FWD_FedoraWorkstation_allow { }
    chain filter_FWD_FedoraWorkstation_post { }
    chain nat_PRE_FedoraWorkstation {
        jump nat_PREROUTING_POLICIES_pre
        jump nat_PRE_FedoraWorkstation_pre
        jump nat_PRE_FedoraWorkstation_log
        jump nat_PRE_FedoraWorkstation_deny
        jump nat_PRE_FedoraWorkstation_allow
        jump nat_PRE_FedoraWorkstation_post
        jump nat_PREROUTING_POLICIES_post
    }
    chain nat_PRE_FedoraWorkstation_pre { }
    chain nat_PRE_FedoraWorkstation_log { }
    chain nat_PRE_FedoraWorkstation_deny { }
    chain nat_PRE_FedoraWorkstation_allow { }
    chain nat_PRE_FedoraWorkstation_post { }
    chain mangle_PRE_FedoraWorkstation {
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PRE_FedoraWorkstation_pre
        jump mangle_PRE_FedoraWorkstation_log
        jump mangle_PRE_FedoraWorkstation_deny
        jump mangle_PRE_FedoraWorkstation_allow
        jump mangle_PRE_FedoraWorkstation_post
        jump mangle_PREROUTING_POLICIES_post
    }
    chain mangle_PRE_FedoraWorkstation_pre { }
    chain mangle_PRE_FedoraWorkstation_log { }
    chain mangle_PRE_FedoraWorkstation_deny { }
    chain mangle_PRE_FedoraWorkstation_allow { }
    chain mangle_PRE_FedoraWorkstation_post { }
    chain filter_IN_policy_allow-host-ipv6 {
        jump filter_IN_policy_allow-host-ipv6_pre
        jump filter_IN_policy_allow-host-ipv6_log
        jump filter_IN_policy_allow-host-ipv6_deny
        jump filter_IN_policy_allow-host-ipv6_allow
        jump filter_IN_policy_allow-host-ipv6_post
    }
    chain filter_IN_policy_allow-host-ipv6_pre { }
    chain filter_IN_policy_allow-host-ipv6_log { }
    chain filter_IN_policy_allow-host-ipv6_deny { }
    chain filter_IN_policy_allow-host-ipv6_allow {
        icmpv6 type nd-neighbor-advert accept
        icmpv6 type nd-neighbor-solicit accept
        icmpv6 type nd-router-advert accept
        icmpv6 type nd-redirect accept
    }
    chain filter_IN_policy_allow-host-ipv6_post { }
    chain nat_PRE_policy_allow-host-ipv6 {
        jump nat_PRE_policy_allow-host-ipv6_pre
        jump nat_PRE_policy_allow-host-ipv6_log
        jump nat_PRE_policy_allow-host-ipv6_deny
        jump nat_PRE_policy_allow-host-ipv6_allow
        jump nat_PRE_policy_allow-host-ipv6_post
    }
    chain nat_PRE_policy_allow-host-ipv6_pre { }
    chain nat_PRE_policy_allow-host-ipv6_log { }
    chain nat_PRE_policy_allow-host-ipv6_deny { }
    chain nat_PRE_policy_allow-host-ipv6_allow { }
    chain nat_PRE_policy_allow-host-ipv6_post { }
    chain mangle_PRE_policy_allow-host-ipv6 {
        jump mangle_PRE_policy_allow-host-ipv6_pre
        jump mangle_PRE_policy_allow-host-ipv6_log
        jump mangle_PRE_policy_allow-host-ipv6_deny
        jump mangle_PRE_policy_allow-host-ipv6_allow
        jump mangle_PRE_policy_allow-host-ipv6_post
    }
    chain mangle_PRE_policy_allow-host-ipv6_pre { }
    chain mangle_PRE_policy_allow-host-ipv6_log { }
    chain mangle_PRE_policy_allow-host-ipv6_deny { }
    chain mangle_PRE_policy_allow-host-ipv6_allow { }
    chain mangle_PRE_policy_allow-host-ipv6_post { }
    chain filter_IN_docker {
        jump filter_INPUT_POLICIES_pre
        jump filter_IN_docker_pre
        jump filter_IN_docker_log
        jump filter_IN_docker_deny
        jump filter_IN_docker_allow
        jump filter_IN_docker_post
        jump filter_INPUT_POLICIES_post
        accept
    }
    chain filter_IN_docker_pre { }
    chain filter_IN_docker_log { }
    chain filter_IN_docker_deny { }
    chain filter_IN_docker_allow { }
    chain filter_IN_docker_post { }
    chain nat_POST_docker {
        jump nat_POSTROUTING_POLICIES_pre
        jump nat_POST_docker_pre
        jump nat_POST_docker_log
        jump nat_POST_docker_deny
        jump nat_POST_docker_allow
        jump nat_POST_docker_post
        jump nat_POSTROUTING_POLICIES_post
    }
    chain nat_POST_docker_pre { }
    chain nat_POST_docker_log { }
    chain nat_POST_docker_deny { }
    chain nat_POST_docker_allow { }
    chain nat_POST_docker_post { }
    chain filter_FWD_docker {
        jump filter_FORWARD_POLICIES_pre
        jump filter_FWD_docker_pre
        jump filter_FWD_docker_log
        jump filter_FWD_docker_deny
        jump filter_FWD_docker_allow
        jump filter_FWD_docker_post
        jump filter_FORWARD_POLICIES_post
        accept
    }
    chain filter_FWD_docker_pre { }
    chain filter_FWD_docker_log { }
    chain filter_FWD_docker_deny { }
    chain filter_FWD_docker_allow {
        oifname "docker0" accept
    }
    chain filter_FWD_docker_post { }
    chain nat_PRE_docker {
        jump nat_PREROUTING_POLICIES_pre
        jump nat_PRE_docker_pre
        jump nat_PRE_docker_log
        jump nat_PRE_docker_deny
        jump nat_PRE_docker_allow
        jump nat_PRE_docker_post
        jump nat_PREROUTING_POLICIES_post
    }
    chain nat_PRE_docker_pre { }
    chain nat_PRE_docker_log { }
    chain nat_PRE_docker_deny { }
    chain nat_PRE_docker_allow { }
    chain nat_PRE_docker_post { }
    chain mangle_PRE_docker {
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PRE_docker_pre
        jump mangle_PRE_docker_log
        jump mangle_PRE_docker_deny
        jump mangle_PRE_docker_allow
        jump mangle_PRE_docker_post
        jump mangle_PREROUTING_POLICIES_post
    }
    chain mangle_PRE_docker_pre { }
    chain mangle_PRE_docker_log { }
    chain mangle_PRE_docker_deny { }
    chain mangle_PRE_docker_allow { }
    chain mangle_PRE_docker_post { }
}
table ip nat {
    chain DOCKER {
        iifname "docker0" counter packets 0 bytes 0 return
    }
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 4 bytes 230 masquerade
    }
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        fib daddr type local counter packets 22340 bytes 10759965 jump DOCKER
    }
    chain OUTPUT {
        type nat hook output priority -100; policy accept;
        ip daddr != 127.0.0.0/8 fib daddr type local counter packets 42 bytes 3674 jump DOCKER
    }
}
table ip filter {
    chain DOCKER { }
    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 jump DOCKER-ISOLATION-STAGE-2
        counter packets 98 bytes 8062 return
    }
    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "docker0" counter packets 0 bytes 0 drop
        counter packets 15 bytes 956 return
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 98 bytes 8062 jump DOCKER-USER
        counter packets 98 bytes 8062 jump DOCKER-ISOLATION-STAGE-1
        oifname "docker0" ct state related,established counter packets 13 bytes 1226 accept
        oifname "docker0" counter packets 0 bytes 0 jump DOCKER
        iifname "docker0" oifname != "docker0" counter packets 15 bytes 956 accept
        iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
        iifname "br0" counter packets 70 bytes 5880 accept
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        counter packets 0 bytes 0
        iifname "br0" counter packets 0 bytes 0 accept
        iifname "br0" counter packets 0 bytes 0 accept
    }
    chain DOCKER-USER {
        counter packets 98 bytes 8062 return
    }
}
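Added example, not code from the question or from firewalld/Docker: a small Python parser over an `nft list ruleset` dump that lists the IPv4 base chains hooked at `forward` in priority order, which firewalld zone chain a given ingress interface is dispatched to, and the verdict each chain ends with. Ping's "Packet filtered" is ICMP destination-unreachable code 13 (communication administratively prohibited), exactly what `reject with icmpx admin-prohibited` emits, so seeing which forward-hook chain ends in that verdict and where it sits relative to the iptables `FORWARD` accept narrows the diagnosis. The sample ruleset is a constructed excerpt of the dump above.

```python
"""Added example (not from the question): list, in hook order, the IPv4 `forward` base chains of an nft dump and how each ends."""
import re

PRIO = {"raw": -300, "mangle": -150, "dstnat": -100, "filter": 0, "security": 50, "srcnat": 100}
VERDICT = re.compile(r"\b(accept|drop|return|reject(?: with [^;}]*?)?|(?:jump|goto) \S+)\s*$")

def blocks(text, keyword):
    """(header, body) per `keyword header { body }`; brace depth is tracked so a set like
    `ct state { established, related }` doesn't end a chain early. Accepts one-line dumps."""
    out, pat, pos = [], re.compile(r"\b%s\s+([^{;]+?)\s*\{" % keyword), 0
    while m := pat.search(text, pos):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        out.append((m.group(1).strip(), text[m.end():i - 1].strip()))
        pos = i
    return out

def priority_of(body):
    """Numeric hook priority from `priority filter + 10;`, `priority -90;`, etc."""
    m = re.search(r"priority\s+(-?\w+)(?:\s*([+-])\s*(\d+))?\s*;", body)
    base = PRIO[m.group(1)] if m.group(1) in PRIO else int(m.group(1))
    return base + (int(m.group(3)) * (1 if m.group(2) == "+" else -1) if m.group(2) else 0)

def last_verdict(body):
    """Verdict of a chain's last rule (None if empty); `reject with icmpx admin-prohibited`
    is the ICMP "administratively prohibited" that ping prints as "Packet filtered"."""
    m = VERDICT.search(re.sub(r"^\s*type\s[^;]*;\s*(policy\s[^;]*;)?", "", body))
    return m.group(1) if m else None

def forward_path(ruleset, iface):
    """IPv4 base chains hooked at `forward`, in priority order (accept in an earlier chain
    does not skip later ones), with firewalld's *_ZONES dispatcher resolved for iface."""
    rows = []
    for hdr, tbody in blocks(ruleset, "table"):
        chains = dict(blocks(tbody, "chain")) if hdr.split()[0] in ("ip", "inet") else {}
        for name, body in chains.items():
            if re.search(r"\bhook forward\b", body):
                zones = chains.get(name + "_ZONES", "")
                z = (re.search(r'iifname "%s" goto (\S+)' % re.escape(iface), zones)
                     or re.search(r"goto (\S+)\s*$", zones))
                rows.append({"table": hdr, "chain": name, "priority": priority_of(body),
                             "policy": re.search(r"policy (\w+);", body).group(1),
                             "last": last_verdict(body), "zone_chain": z and z.group(1),
                             "zone_last": z and last_verdict(chains[z.group(1)])})
    return sorted(rows, key=lambda r: r["priority"])

# Constructed excerpt modelled on the question's dump: firewalld's forward chain at
# filter + 10 next to the Docker-managed iptables FORWARD chain at filter.
SAMPLE = """table inet firewalld {
  chain filter_FORWARD { type filter hook forward priority filter + 10; policy accept;
    ct state { established, related } accept  jump filter_FORWARD_ZONES  reject with icmpx admin-prohibited }
  chain filter_FORWARD_ZONES { iifname "br0" goto filter_FWD_FedoraWorkstation  iifname "docker0" goto filter_FWD_docker  goto filter_FWD_FedoraWorkstation }
  chain filter_FWD_FedoraWorkstation { jump filter_FWD_FedoraWorkstation_allow  reject with icmpx admin-prohibited }
  chain filter_FWD_FedoraWorkstation_allow { }  chain filter_FWD_docker { accept }
}
table ip filter {
  chain FORWARD { type filter hook forward priority filter; policy drop;  iifname "br0" counter accept }
}"""
```

With `bridge-nf-call-iptables` enabled (br_netfilter, which Docker loads), bridged frames traverse these same forward hooks, so run `forward_path` over the live `sudo nft list ruleset` output with the ingress interface you are testing.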