ebtables not working in docker

Hi, I am trying to run ebtables within Docker; however, none of the ebtables rules are being hit.

For example, note that the counters are not increased even though ARP is sent and succeeds:

[root@injector /]# ebtables -A OUTPUT -p ARP -j ACCEPT
[root@injector /]# ebtables -Lc  --Lc --Lx
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p ARP -j ACCEPT , pcnt = 0 -- bcnt = 0
[root@injector /]# ping 192.168.5.201
PING 192.168.5.201 (192.168.5.201) 56(84) bytes of data.
64 bytes from 192.168.5.201: icmp_seq=1 ttl=64 time=0.141 ms
64 bytes from 192.168.5.201: icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from 192.168.5.201: icmp_seq=3 ttl=64 time=0.137 ms
^C
--- 192.168.5.201 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2065ms
rtt min/avg/max/mdev = 0.071/0.116/0.141/0.033 ms
[root@injector /]# ebtables -Lc  --Lc --Lx
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p ARP -j ACCEPT , pcnt = 0 -- bcnt = 0

The container is run within Compose with the following permissions:

privileged: true
cap_add: 
  - NET_ADMIN
  - ALL
volumes:
  - /dev:/dev

The same thing in the host root namespace works fine:

➜  ~ sudo  ebtables -A OUTPUT -p ARP -j ACCEPT
➜  ~ sudo ebtables -Lc  --Lc --Lx
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p ARP -j ACCEPT , pcnt = 0 -- bcnt = 0
➜  ~  ping 192.168.5.201
PING 192.168.5.201 (192.168.5.201) 56(84) bytes of data.
64 bytes from 192.168.5.201: icmp_seq=1 ttl=64 time=0.087 ms
64 bytes from 192.168.5.201: icmp_seq=2 ttl=64 time=0.040 ms
64 bytes from 192.168.5.201: icmp_seq=3 ttl=64 time=0.030 ms
^C
--- 192.168.5.201 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2058ms
rtt min/avg/max/mdev = 0.030/0.052/0.087/0.025 ms
➜  ~ sudo ebtables -Lc  --Lc --Lx
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p ARP -j ACCEPT , pcnt = 4 -- bcnt = 112
➜  ~

Docker container version: based on almalinux:8.5

A.B
ebtables requires a bridge. Please show the name of the bridge interface in the container (not in the host).
Boris
@A.B The bridge is the Docker bridge which connects the host machine and the container and is created by docker compose (bridge driver, subnet 192.168.5.0/24). The name of the bridge interface in the container is eth0, but I think this is not what you are looking for. The container itself is not aware that it is connected to the bridge, I guess.
Boris
@A.B This is the setup which is described here https://serverfault.com/questions/1101109
Boris
I see. If you put it in an answer, I will mark it as the answer. To debug the problem described in the link (serverfault.com/questions/1101109), I will use ebtables on the host only, trying to monitor the traffic of the containers' veth interfaces, which are visible on the host and connected to the bridge, instead of running ebtables inside the container. Thanks!!!
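The point of the thread above is that ebtables only accounts frames that pass through a bridge device, and the container's eth0 is a veth end, not a bridge, so the bridge-table chains in the container's namespace never see a frame. The following shell functions are an added example (not posted by A.B or Boris) that makes that check explicit from sysfs: on a real host the root is /sys/class/net, and a bridge master has a bridge/ directory and lists its ports under brif/. The interface names docker0, eth0 and the veth names below are constructed for the demo tree; --logical-in is a real ebtables match that restricts a rule to frames received via a given bridge.

```shell
#!/bin/sh
# Added example: identify where ebtables rules can actually see bridged frames.
# SYSFS_ROOT is /sys/class/net on a live host; the demo uses a constructed tree.

# is_bridge SYSFS_ROOT IFNAME -> exit 0 iff IFNAME is a Linux bridge master
is_bridge() {
    [ -d "$1/$2/bridge" ]
}

# bridge_ports SYSFS_ROOT BRIDGE -> prints the enslaved port names, one per line
bridge_ports() {
    for p in "$1/$2/brif"/*; do
        [ -e "$p" ] || continue      # empty or missing brif/: glob stays literal
        basename "$p"
    done
}

# count_bridge_ports SYSFS_ROOT IFNAME -> number of ports (0 when not a bridge)
count_bridge_ports() {
    is_bridge "$1" "$2" || { echo 0; return 0; }
    bridge_ports "$1" "$2" | wc -l | tr -d ' '
}

# ebtables_hint SYSFS_ROOT IFNAME -> the rule that would count ARP on this device,
# or an explanation of why no bridge-table rule can match here.
ebtables_hint() {
    if is_bridge "$1" "$2"; then
        # Frames forwarded between ports of a bridge traverse the FORWARD chain
        # on the host; frames the host itself sends onto the bridge use OUTPUT.
        echo "ebtables -A FORWARD --logical-in $2 -p ARP -j ACCEPT"
    else
        echo "$2 is not a bridge: bridge-table chains see no frames here"
    fi
}

# Constructed sysfs tree: a host bridge docker0 with two veth ports, and a
# container-side eth0 that is a plain veth end (no bridge/ directory).
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/docker0/bridge" \
             "$root/docker0/brif/veth1a2b3c4" \
             "$root/docker0/brif/veth9f8e7d6" \
             "$root/eth0"
    echo "$root"
}

# Stand-alone run (uncomment):
# root=$(make_demo_tree)
# count_bridge_ports "$root" docker0   # 2
# ebtables_hint "$root" eth0           # not a bridge
# ebtables_hint "$root" docker0        # FORWARD rule on the host
# rm -rf "$root"
```

Run against the real /sys/class/net on the host, `bridge_ports /sys/class/net docker0` lists the veth ports Boris intends to monitor, and `is_bridge /sys/class/net eth0` inside the container fails, which is exactly why the in-container counters stay at zero.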