Usernet Portmap Routed

Container on a routed-mode network, with a published port

Running the daemon with the userland proxy disabled then, as before, adding a network running a container with a mapped port, equivalent to:

docker network create \
  -o com.docker.network.bridge.name=bridge1 \
  -o com.docker.network.bridge.gateway_mode_ipv4=routed \
  --subnet 192.0.2.0/24 --gateway 192.0.2.1 bridge1
docker run --network bridge1 -p 8080:80 --name c1 busybox

The filter table is:

{{index . "LFilter4"}}

{{index . "SFilter4"}}

Compared to the equivalent nat mode network:

• In the DOCKER chain:
  • A rule is added by setICMP to allow ICMP. ALL ICMP message types are allowed. The equivalent IPv6 rule uses -p icmpv6 rather than -p icmp.
    • Because the ICMP rule (rule 3) is per-network, it is appended to the chain along with the default-DROP rule (rule 4). So, it is likely to be separated from per-port/protocol ACCEPT rules for published ports on the same network. But it will always appear before the default-DROP.

RFC 4890 section 4.3 makes recommendations for filtering ICMPv6. These have been considered, but the host firewall is not a network boundary in the sense used by the RFC. So, Node Information and Router Renumbering messages are not discarded, and experimental/unused types are allowed because they may be needed.

{{index . "LFilterDocker4"}}

{{index . "SFilterDocker4"}}

The nat table is:

{{index . "LNat4"}}

{{index . "SNat4"}}

Differences from nat mode:

• In the POSTROUTING chain:
  • No MASQUERADE rule for traffic from the bridge network to elsewhere. setupIPTablesInternal
  • No MASQUERADE rule for traffic from the bridge network to itself on published port 80 (port mapping is skipped). attemptBindHostPorts
• In the DOCKER chain:
  • No early return ("skip DNAT") for traffic from the bridge network. setupIPTablesInternal
  • No DNAT rule for the published port (port mapping is skipped). attemptBindHostPorts

And, the userland proxy won't be started for mapped ports.