Hi, I'm trying to run ebtables inside docker, but no ebtables rule is ever matched.
For example - note that the counters do not increase even though ARP was sent and succeeded
[root@injector /]# ebtables -A OUTPUT -p ARP -j ACCEPT
[root@injector /]# ebtables -Lc --Lc --Lx
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p ARP -j ACCEPT , pcnt = 0 -- bcnt = 0
[root@injector /]# ping 192.168.5.201
PING 192.168.5.201 (192.168.5.201) 56(84) bytes of data.
64 bytes from 192.168.5.201: icmp_seq=1 ttl=64 time=0.141 ms
64 bytes from 192.168.5.201: icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from 192.168.5.201: icmp_seq=3 ttl=64 time=0.137 ms
^C
--- 192.168.5.201 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2065ms
rtt min/avg/max/mdev = 0.071/0.116/0.141/0.033 ms
[root@injector /]# ebtables -Lc --Lc --Lx
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p ARP -j ACCEPT , pcnt = 0 -- bcnt = 0
docker is run from compose with the following permissions
privileged: true
cap_add:
  - NET_ADMIN
  - ALL
volumes:
  - /dev:/dev
The same operation in the host's root namespace works fine
➜ ~ sudo ebtables -A OUTPUT -p ARP -j ACCEPT
➜ ~ sudo ebtables -Lc --Lc --Lx
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p ARP -j ACCEPT , pcnt = 0 -- bcnt = 0
➜ ~ ping 192.168.5.201
PING 192.168.5.201 (192.168.5.201) 56(84) bytes of data.
64 bytes from 192.168.5.201: icmp_seq=1 ttl=64 time=0.087 ms
64 bytes from 192.168.5.201: icmp_seq=2 ttl=64 time=0.040 ms
64 bytes from 192.168.5.201: icmp_seq=3 ttl=64 time=0.030 ms
^C
--- 192.168.5.201 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2058ms
rtt min/avg/max/mdev = 0.030/0.052/0.087/0.025 ms
➜ ~ sudo ebtables -Lc --Lc --Lx
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p ARP -j ACCEPT , pcnt = 4 -- bcnt = 112
➜ ~
almalinux-based docker image version: 8.5
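The two sessions above differ in one thing that `privileged: true` and `cap_add` do not change: which network namespace the process is in. ebtables' filter table hooks into the kernel's bridge code path, so its INPUT/FORWARD/OUTPUT chains only see frames that a bridge living in the same network namespace forwards or originates. Docker's default bridge (docker0) lives in the host namespace; a compose service in its own namespace holds only the container end of a veth pair and no bridge, so a rule installed there has nothing to match and its counters stay at zero, while the same rule on the host counts the ARP frames that cross docker0. The script below is an added example, not code from the question or from the ebtables project: it parses `ebtables -Lc --Lc --Lx` listings, diffs the per-rule counters between a "before" and "after" snapshot, flags rules that never fired, and checks `/sys/class/net/<iface>/bridge` to report whether the current namespace has any bridge at all. The listing template and the `docker0` name in the demo run are constructed from the session above; the sysfs path is the standard Linux one and is assumed to be mounted.

```python
"""Diff ebtables counters between two listings and check whether the current
network namespace has a bridge for the bridge-table hooks to fire on."""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the listings in the question; {pcnt}/{bcnt}
# are filled in so one template can stand in for every snapshot shown there.
SAMPLE_LISTING = """\
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-p ARP -j ACCEPT , pcnt = {pcnt} -- bcnt = {bcnt}
"""

CHAIN_RE = re.compile(r"^Bridge chain:\s*(?P<chain>[^,]+),\s*entries:\s*\d+,\s*policy:\s*\S+$")
RULE_RE = re.compile(r"^(?P<rule>.+?)\s*,\s*pcnt\s*=\s*(?P<pcnt>\d+)\s*--\s*bcnt\s*=\s*(?P<bcnt>\d+)$")

# {(chain, rule text): (packet counter, byte counter)}
Counters = Dict[Tuple[str, str], Tuple[int, int]]


def parse_listing(text: str) -> Counters:
    """Parse `ebtables -Lc --Lc --Lx` output into per-rule counters."""
    counters: Counters = {}
    chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Bridge table:"):
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group("chain").strip()
            continue
        m = RULE_RE.match(line)
        if m and chain is not None:
            counters[(chain, m.group("rule").strip())] = (int(m.group("pcnt")), int(m.group("bcnt")))
    return counters


def diff_counters(before: Counters, after: Counters) -> List[Tuple[str, str, int, int]]:
    """Per-rule (chain, rule, packet delta, byte delta); rules absent from `before` count from zero."""
    deltas = []
    for (chain, rule), (pcnt, bcnt) in after.items():
        p0, b0 = before.get((chain, rule), (0, 0))
        deltas.append((chain, rule, pcnt - p0, bcnt - b0))
    return deltas


def silent_rules(before: Counters, after: Counters) -> List[Tuple[str, str]]:
    """Rules whose packet counter did not move between the two snapshots."""
    return [(chain, rule) for chain, rule, dp, _ in diff_counters(before, after) if dp == 0]


def bridge_interfaces(sysfs_root: str = "/sys/class/net") -> List[str]:
    """Bridges in this network namespace: interfaces with a `bridge/` directory in sysfs."""
    try:
        return sorted(name for name in os.listdir(sysfs_root)
                      if os.path.isdir(os.path.join(sysfs_root, name, "bridge")))
    except OSError:  # sysfs not mounted or not readable: report no bridges rather than crash
        return []


def explain(before_text: str, after_text: str, bridges: List[str]) -> str:
    """Human-readable verdict: which rules never fired, and whether a bridge exists here."""
    before, after = parse_listing(before_text), parse_listing(after_text)
    lines = [f"{chain} {rule!r}: +{dp} packets, +{db} bytes"
             for chain, rule, dp, db in diff_counters(before, after)]
    quiet = silent_rules(before, after)
    if quiet and not bridges:
        lines.append("no bridge interface in this network namespace: the bridge-table "
                     "hooks never see a frame here, so these rules cannot match")
    elif quiet:
        lines.append(f"bridges present ({', '.join(bridges)}) but rules stayed silent; "
                     "check that the traffic actually traverses one of them")
    return "\n".join(lines)


if __name__ == "__main__":
    zero = SAMPLE_LISTING.format(pcnt=0, bcnt=0)
    # Container session: both snapshots at zero, and no bridge in that namespace.
    print("container session:\n" + explain(zero, zero, []))
    # Host session: counters moved because docker0 (constructed name) sits in this namespace.
    print("host session:\n" + explain(zero, SAMPLE_LISTING.format(pcnt=4, bcnt=112), ["docker0"]))
    print("bridges visible from this process:", bridge_interfaces() or "none")
```

Run it inside the container and on the host to see the two verdicts side by side; the live `bridge_interfaces()` line is the quick check that tells you whether a bridge-table rule in the current namespace can ever match. If the rule genuinely has to see the host's bridge traffic, the service needs to share the host network namespace (`network_mode: host` in compose) rather than more capabilities.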