Reputation: 21
I'm trying to control whether or not packets traversing a bridge I've set up in my Docker container are sent to iptables for processing using the following command:
sysctl -w net.bridge.bridge-nf-call-iptables="1"
Unfortunately, this doesn't work:
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
It appears that there isn't a /proc/sys/net/bridge directory in my Docker container, despite the directory existing in my host machine. The same command works when run on the host machine. I've checked, and as far as I'm aware all of the correct modules are installed on the host machine and are appearing in the Docker container.
Google has been of no use, so I'm wondering if anyone else has seen this issue and/or has a solution?
Upvotes: 2
Views: 14288
Reputation: 31
There is no "bridge" directory in "/proc/sys/net/"
You should enable br_netfilter to get this directory:
modprobe br_netfilter
The command creates the br_netfilter directory.
Then enable the 'net.bridge.bridge-nf-call-iptables' parameter:
sysctl net.bridge.bridge-nf-call-iptables=1
Upvotes: 3
Reputation: 1
Have you tried running your container as privileged?
docker run --privileged --device=/proc/sys/net/bridge:/proc/sys/net/bridge
See http://docs-stage.docker.com/v1.11/engine/reference/run/#runtime-privilege-and-linux-capabilities
Upvotes: 0
Reputation: 324
There is no point in running the command inside the container. It activates filtering of bridge traffic with iptables. This is useful if you want to filter the traffic between Docker containers with iptables. So it must be run on the host.
Also, you are trying to change a kernel configuration, but containers don't have their own kernel, so it won't be allowed to change anything with sysctl anyway.
Upvotes: 1
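As an added example that is not part of any of the answers above: the host-side procedure from the answer that suggests `modprobe br_netfilter` followed by `sysctl`, run where the answer just above says it belongs, on the host rather than inside the container, with a check for the `/proc/sys/net/bridge` tree, a scan of `sysctl -a` output for hooks that are still off, and a persistent configuration so the setting survives a reboot. The `/etc/modules-load.d` and `/etc/sysctl.d` paths are an assumption about a systemd-based host and are not taken from the page; the `sysctl -a` sample used for the self-check is constructed.

```sh
#!/bin/sh
# Added example (not from the original question or answers): enable the
# bridge netfilter hooks on the Docker *host* and make them persistent.
# Assumes a Linux host with modprobe and sysctl in PATH. The config file
# locations under /etc are the usual systemd ones and are an assumption.
set -eu

# The sysctl keys that br_netfilter exposes under /proc/sys/net/bridge/.
BRIDGE_NF_KEYS="net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.bridge.bridge-nf-call-arptables"

# True when the bridge sysctl tree exists, i.e. br_netfilter is loaded.
# $1: directory to check (defaults to /proc/sys/net/bridge).
bridge_sysctl_present() {
    [ -d "${1:-/proc/sys/net/bridge}" ]
}

# Read "key = value" lines (the format of `sysctl -a`) on stdin and print
# the bridge-nf-call keys that are present but not set to 1, one per line.
missing_bridge_nf_calls() {
    awk -F ' *= *' '
        $1 ~ /^net\.bridge\.bridge-nf-call-(iptables|ip6tables|arptables)$/ && $2 != "1" { print $1 }
    '
}

# Number of bridge-nf-call keys on stdin that are not 1; 0 means all hooks are on.
count_missing_bridge_nf_calls() {
    missing_bridge_nf_calls | wc -l | tr -d ' '
}

# Write the persistent config: load br_netfilter at boot and set the sysctls.
# $1: root directory to write under ("" for the real system, a temp dir for testing).
write_persistent_config() {
    root="${1:-}"
    mkdir -p "$root/etc/modules-load.d" "$root/etc/sysctl.d"
    printf 'br_netfilter\n' > "$root/etc/modules-load.d/br_netfilter.conf"
    {
        printf '# Pass bridged frames through the iptables/ip6tables/arptables hooks\n'
        for key in $BRIDGE_NF_KEYS; do
            printf '%s = 1\n' "$key"
        done
    } > "$root/etc/sysctl.d/99-bridge-nf.conf"
}

# Apply on the running host. Run as root on the host, not inside the container:
# the kernel is shared, and an unprivileged container gets a read-only /proc/sys.
apply_on_host() {
    if ! bridge_sysctl_present; then
        modprobe br_netfilter        # creates /proc/sys/net/bridge
    fi
    for key in $BRIDGE_NF_KEYS; do
        sysctl -w "$key=1"
    done
    write_persistent_config ""
    # Report any hook that is still off (prints nothing when all are enabled).
    sysctl -a 2>/dev/null | missing_bridge_nf_calls
}

# Usage: sh bridge-nf.sh apply   (as root, on the host)
case "${1:-}" in
    apply) apply_on_host ;;
esac
```

The check functions are deliberately separate from `apply_on_host` so they can be run read-only first (for example `sysctl -a | missing_bridge_nf_calls` on the host) to confirm whether the hooks are already enabled before loading anything.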
Reputation: 6759
When you run docker, try mapping the directory through. If the only issue is that the host's directory is needed in the Docker container, try:
docker run -v /proc/sys/net/bridge:/proc/sys/net/bridge ...
iptables may need more things mapped through, but this will get that directory through!
Upvotes: 0