Reputation: 21
Unable to set net.bridge.bridge-nf-call-iptables within Docker container
I'm trying to control whether or not packets traversing a bridge I've set up in my Docker container are sent to iptables for processing using the following command:
sysctl -w net.bridge.bridge-nf-call-iptables="1"
Unfortunately, this doesn't work:
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
It appears that there isn't a /proc/sys/net/bridge directory in my Docker container, despite the directory existing in my host machine. The same command works when run on the host machine. I've checked, and as far as I'm aware all of the correct modules are installed on the host machine and are appearing in the Docker container.
Google has been of no use, so I'm wondering if any else has seen this issue and/or has a solution?
Upvotes: 2
Views: 14288
Answers (4)
Reputation: 31
There is no "bridge" directory in "/proc/sys/net/"
You should enable br_netfilter to get this directory:
modprobe br_netfilter
the command creates the br_netfilter directory.
Then enable 'net.bridge.bridge-nf-call-iptables' parameter:
sysctl net.bridge.bridge-nf-call-iptables=1
Upvotes: 3
Reputation: 1
Have you tried running your container as privileged?
docker run --privileged -device=/proc/sys/net/bridge:/proc/sys/net/bridge
See http://docs-stage.docker.com/v1.11/engine/reference/run/#runtime-privilege-and-linux-capabilities
Upvotes: 0
Reputation: 324
There is no point in running the command inside the container. It activates filtering bridge traffic with iptables. This is useful if you want to filter the traffic between docker containers with iptables. So it must be run on the host.
Also you are trying to change a kernel configuration but containers don't have their own kernel. So it won't be allowed to change anything with sysctl anyway.
Upvotes: 1
Reputation: 6759
When you run docker try mapping the directory through. If the only issue is the hosts directory is needed in the docker container, try:
docker run -v /proc/sys/net/bridge:/proc/sys/net/bridge ...
iptables may need more things mapped through, but, this will get that directory through!
Upvotes: 0
Related Questions
- Error creating default "bridge" network: cannot create network (docker0): conflicts with network (docker0): networks have same bridge name
- Docker containers with bridge network cannot ping anything (even default gateway)
- docker network in bridge mode
- Can't connect to the container neither by alias nor by name on the bridge network
- Docker Bridge Conflicts with Host Network
- Error response from daemon: bridge is a pre-defined network and cannot be removed
- Docker container cannot access internet
- Cannot access port published in a Docker custom bridge network from the host
- how to open port of docker container with bridge network
- How to share host network bridge when using docker in docker