Description
Hi,
I noticed that I cannot reach my container through a secondary network interface, which used to work before v28. After some debugging, I figured out that this is because the iptables rules are only created for the interface and IP address(es) of the primary interface.
Reproduce
Assume the following (simplified) compose file:
services:
caddy:
image: caddy:alpine
restart: always
container_name: caddy
ports:
- 443/tcp
- 443/udp
- 80/tcp
networks:
net_caddy:
ipv4_address: 172.18.52.50
ipv6_address: fd4e:dfb6:123c:1234:3000::2
gw_priority: 4
net_adsb:
ipv4_address: 172.18.52.126
ipv6_address: fd4e:dfb6:123c:1234:7000::14
networks:
net_caddy:
driver: bridge
name: net_caddy
driver_opts:
com.docker.network.bridge.name: br-caddy
com.docker.network.bridge.enable_ip_masquerade: "false"
com.docker.network.bridge.gateway_mode_ipv4: routed
com.docker.network.bridge.gateway_mode_ipv6: routed
enable_ipv6: true
ipam:
config:
- subnet: 172.18.52.48/28
gateway: 172.18.52.49
- subnet: fd4e:dfb6:123c:1234:3000::/68
gateway: fd4e:dfb6:123c:1234:3000::1
net_adsb:
driver: bridge
name: net_adsb
driver_opts:
com.docker.network.bridge.name: br-adsb
com.docker.network.bridge.enable_ip_masquerade: "false"
com.docker.network.bridge.gateway_mode_ipv4: routed
com.docker.network.bridge.gateway_mode_ipv6: routed
enable_ipv6: true
ipam:
config:
- subnet: 172.18.52.112/28
gateway: 172.18.52.113
- subnet: fd4e:dfb6:123c:1234:7000::/68
gateway: fd4e:dfb6:123c:1234:7000::1Per the documentation, if no IP is set, it should bind to all IP addresses. However, when checking the created iptable rules, the output is
# iptables -vnxL DOCKER
Chain DOCKER (8 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 17 -- !br-caddy br-caddy 0.0.0.0/0 172.18.52.50 udp dpt:443
3 156 ACCEPT 6 -- !br-caddy br-caddy 0.0.0.0/0 172.18.52.50 tcp dpt:443
0 0 ACCEPT 6 -- !br-caddy br-caddy 0.0.0.0/0 172.18.52.50 tcp dpt:80
4 240 ACCEPT 1 -- * br-adsb 0.0.0.0/0 0.0.0.0/0
1845 110004 DROP 0 -- !br-adsb br-adsb 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 1 -- * br-caddy 0.0.0.0/0 0.0.0.0/0
96 5160 DROP 0 -- !br-caddy br-caddy 0.0.0.0/0 0.0.0.0/0
# ip6tables -vnxL DOCKER
Chain DOCKER (8 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 17 -- !br-caddy br-caddy ::/0 fd4e:dfb6:123c:1234:3000::2 udp dpt:443
0 0 ACCEPT 6 -- !br-caddy br-caddy ::/0 fd4e:dfb6:123c:1234:3000::2 tcp dpt:443
0 0 ACCEPT 6 -- !br-caddy br-caddy ::/0 fd4e:dfb6:123c:1234:3000::2 tcp dpt:80
0 0 ACCEPT 58 -- * br-adsb ::/0 ::/0
1748 139688 DROP 0 -- !br-adsb br-adsb ::/0 ::/0
0 0 ACCEPT 58 -- * br-caddy ::/0 ::/0
45 3424 DROP 0 -- !br-caddy br-caddy ::/0 ::/0As you can see, there are rules for the br-caddy interface with the corresponding IP addresses, but no rules for the br-adsb interface.
Also changing the compose file to include the host IP addresses does not create the required rules:
ports:
- 172.18.52.50:80:80/tcp
- 172.18.52.126:80:80/tcpAgain, only the rules for the primary interface will be created.
Also the long syntax doesn't work:
ports:
- name: web
target: 80
host_ip: 172.18.52.126
published: 80
protocol: tcp
app_protocol: http
mode: hostAdding an iptables rule manually on the other hand:
# iptables -I DOCKER 1 -d 172.18.52.126/32 ! -i br-adsb -o br-adsb -p tcp -m tcp --dport 80 -j ACCEPT
et voilà: it works.
Expected behavior
When a port is defined like this
iptables rules should be created for all IPs/interfaces.
When a port is defined like this
ports:
- 172.18.52.126:80:80/tcpiptables rules should be created for the corresponding IP/interface only.
(same for IPv6 addresses obviously)
docker version
Client: Docker Engine - Community
Version: 28.1.1
API version: 1.49
Go version: go1.23.8
Git commit: 4eba377
Built: Fri Apr 18 09:52:11 2025
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 28.1.1
API version: 1.49 (minimum version 1.24)
Go version: go1.23.8
Git commit: 01f442b
Built: Fri Apr 18 09:52:11 2025
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.7.27
GitCommit: 05044ec0a9a75232cad458027ca83437aae3f4da
runc:
Version: 1.2.5
GitCommit: v1.2.5-0-g59923ef
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Client: Docker Engine - Community
Version: 28.1.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.23.0
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.35.1
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 8
Running: 8
Paused: 0
Stopped: 0
Images: 8
Server Version: 28.1.1
Storage Driver: overlay2
Backing Filesystem: zfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: journald
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
runc version: v1.2.5-0-g59923ef
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.8.12-10-pve
Operating System: Ubuntu 24.10
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 16GiB
Name: docker
ID: 076b24a9-7ccf-407b-aeb5-dd4e29a6b7f0
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false
Default Address Pools:
Base: 172.18.48.0/20, Size: 28
Base: fd4e:dfb6:123c:1230::/60, Size: 68Additional Info
Thank you for your awesome work 👍
Description
Hi,
I noticed that I cannot reach my container through a secondary network interface, which used to work before v28. After some debugging, I figured out that this is because the iptables rules are only created for the interface and IP address(es) of the primary interface.
Reproduce
Assume the following (simplified) compose file:
Per the documentation, if no IP is set, it should bind to all IP addresses. However, when checking the created iptable rules, the output is
As you can see, there are rules for the
br-caddyinterface with the corresponding IP addresses, but no rules for thebr-adsbinterface.Also changing the compose file to include the host IP addresses does not create the required rules:
Again, only the rules for the primary interface will be created.
Also the long syntax doesn't work:
Adding an iptables rule manually on the other hand:
# iptables -I DOCKER 1 -d 172.18.52.126/32 ! -i br-adsb -o br-adsb -p tcp -m tcp --dport 80 -j ACCEPTet voilà: it works.
Expected behavior
When a
portis defined like thisiptables rules should be created for all IPs/interfaces.
When a
portis defined like thisiptables rules should be created for the corresponding IP/interface only.
(same for IPv6 addresses obviously)
docker version
Client: Docker Engine - Community Version: 28.1.1 API version: 1.49 Go version: go1.23.8 Git commit: 4eba377 Built: Fri Apr 18 09:52:11 2025 OS/Arch: linux/amd64 Context: default Server: Docker Engine - Community Engine: Version: 28.1.1 API version: 1.49 (minimum version 1.24) Go version: go1.23.8 Git commit: 01f442b Built: Fri Apr 18 09:52:11 2025 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.7.27 GitCommit: 05044ec0a9a75232cad458027ca83437aae3f4da runc: Version: 1.2.5 GitCommit: v1.2.5-0-g59923ef docker-init: Version: 0.19.0 GitCommit: de40ad0docker info
Additional Info
Thank you for your awesome work 👍