我在 Synology DSM 7.2 上的 ETH1 端口上有 2 个 VLAN。我使用 MACVLAN 驱动程序,因此我的容器在网络上看起来像是“独立的计算机”。我可以从网络访问容器,也可以从容器访问网络。我甚至可以从主机访问容器,但我无法从容器内部访问主机。
/bin/bash:
docker network create -d macvlan --subnet=10.1.40.0/24 --gateway=10.1.40.1 --ip-range=10.1.40.160/29 --aux-address 'host=10.1.40.166' -o parent=eth1.10 macvlan10
ip link add macvlan10brdg link eth1.10 type macvlan mode bridge
ip addr add 10.1.40.166/32 dev macvlan10brdg
ip link set dev macvlan10brdg up
ip route add 10.1.40.160/29 dev macvlan10brdg
docker run --net=macvlan10 -it --name macvlaneth10 --ip 10.1.40.165 --privileged --cap-add=ALL --rm alpine /bin/sh
ip a:
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:11:32:cd:8b:34 brd ff:ff:ff:ff:ff:ff
7: eth1.10@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:11:32:cd:8b:34 brd ff:ff:ff:ff:ff:ff
inet 10.1.40.16/24 brd 10.1.40.255 scope global eth1.10
valid_lft forever preferred_lft forever
8: eth1.5@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:11:32:cd:8b:34 brd ff:ff:ff:ff:ff:ff
inet 10.2.40.16/24 brd 10.2.40.255 scope global eth1.5
valid_lft forever preferred_lft forever
14: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1
link/ether 8e:3d:a4:01:5d:42 brd ff:ff:ff:ff:ff:ff
inet 10.1.40.166/32 scope global macvlan10brdg
valid_lft forever preferred_lft forever
inet6 fe80::8c3d:a4ff:fe01:5d42/64 scope link
valid_lft forever preferred_lft forever
ip 规则:
0: from all lookup local
2: from all lookup static-table
10: from 10.2.40.16 lookup eth1.5-table
12: from 10.1.40.16 lookup eth1.10-table
32766: from all lookup main
32767: from all lookup default
IP路由:
default via 10.1.40.1 dev eth1.10 src 10.1.40.16
10.1.40.0/24 dev eth1.10 proto kernel scope link src 10.1.40.16
10.1.40.160/29 dev macvlan10brdg scope link
10.2.40.0/24 dev eth1.5 proto kernel scope link src 10.2.40.16
iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DEFAULT_FORWARD all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DEFAULT_FORWARD (1 references)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
Chain DOCKER (0 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ****** after "iptables -I DOCKER-USER -j ACCEPT"
RETURN all -- anywhere anywhere
猫/ proc / sys / net / ipv4 / ip_forward:
1
我甚至尝试了 BRIDGE 驱动程序,结果也差不多。我可以从网络和主机访问容器,也可以从容器访问网络。当我尝试从容器 ping 主机时,这就是我在路由器上得到的结果。
invalid forward: in:vlan10 out:vlan10, connection-state:invalid src-mac 00:11:32:cd:8b:34, proto ICMP (type 0, code 0), 10.1.40.16->10.1.52.2, len 84
这就是我运行桥接容器的方式:
docker network create -d bridge --subnet 10.1.52.0/24 --gateway 10.1.52.1 -o parent=eth1.10 testbrgeth110
docker run --net=testbrgeth110 -it --name bridgeeth110 --privileged --cap-add=ALL --rm alpine /bin/sh
我花了整整两天时间浏览互联网、调试等。我真的不知道哪里出了问题。DSM 6.2 上的桥接网络没有网络中的 VLAN,运行良好。