Skip to content

Commit b39d02b

Browse files
ibuildthecloudibuildthecloud
committed
Support hairpin NAT without going through docker server
Hairpin NAT is currently done by passing through the docker server. If two containers on the same box try to access each other through exposed ports and using the host IP the current iptables rules will not match the DNAT and thus the traffic goes to 'docker -d' This change drops the restriction that DNAT traffic must not originate from docker0. It should be safe to drop this restriction because the DOCKER chain is already gated by jumps that check for the destination address to be a local address. Docker-DCO-1.1-Signed-off-by: Darren Shepherd <[email protected]> (github: ibuildthecloud)
1 parent fca4cf6 commit b39d02b

1 file changed

Lines changed: 0 additions & 1 deletion

File tree

pkg/iptables/iptables.go

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -66,7 +66,6 @@ func (c *Chain) Forward(action Action, ip net.IP, port int, proto, dest_addr str
6666
"-p", proto,
6767
"-d", daddr,
6868
"--dport", strconv.Itoa(port),
69-
"!", "-i", c.Bridge,
7069
"-j", "DNAT",
7170
"--to-destination", net.JoinHostPort(dest_addr, strconv.Itoa(dest_port))); err != nil {
7271
return err

0 commit comments

Comments
 (0)