From ce035f47dd6e586c83a761a4247cd2183ac2efbd Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Wed, 11 Dec 2024 09:37:34 +0000 Subject: [PATCH 1/5] Fix description of 'inhibit_ipv4' Signed-off-by: Rob Murray --- .../manuals/engine/network/drivers/bridge.md | 42 ++++++++++--------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/content/manuals/engine/network/drivers/bridge.md b/content/manuals/engine/network/drivers/bridge.md index 03d3c402209..01c6d62713d 100644 --- a/content/manuals/engine/network/drivers/bridge.md +++ b/content/manuals/engine/network/drivers/bridge.md @@ -105,16 +105,16 @@ flag. The following table describes the driver-specific options that you can pass to `--option` when creating a custom network using the `bridge` driver. -| Option | Default | Description | -|-------------------------------------------------------------------------------------------------|-----------------------------|------------------------------------------------------------------------------------------------| -| `com.docker.network.bridge.name` | | Interface name to use when creating the Linux bridge. | -| `com.docker.network.bridge.enable_ip_masquerade` | `true` | Enable IP masquerading. | -| `com.docker.network.bridge.gateway_mode_ipv4`
`com.docker.network.bridge.gateway_mode_ipv6` | `nat` | Enable NAT and masquerading (`nat`), or only allow direct routing to the container (`routed`). | -| `com.docker.network.bridge.enable_icc` | `true` | Enable or Disable inter-container connectivity. | -| `com.docker.network.bridge.host_binding_ipv4` | all IPv4 and IPv6 addresses | Default IP when binding container ports. | -| `com.docker.network.driver.mtu` | `0` (no limit) | Set the containers network Maximum Transmission Unit (MTU). | -| `com.docker.network.container_iface_prefix` | `eth` | Set a custom prefix for container interfaces. | -| `com.docker.network.bridge.inhibit_ipv4` | `false` | Prevent Docker from [assigning an IP address](#skip-ip-address-configuration) to the network. | +| Option | Default | Description | +|-------------------------------------------------------------------------------------------------|-----------------------------|-----------------------------------------------------------------------------------------------------| +| `com.docker.network.bridge.name` | | Interface name to use when creating the Linux bridge. | +| `com.docker.network.bridge.enable_ip_masquerade` | `true` | Enable IP masquerading. | +| `com.docker.network.bridge.gateway_mode_ipv4`
`com.docker.network.bridge.gateway_mode_ipv6` | `nat` | Enable NAT and masquerading (`nat`), or only allow direct routing to the container (`routed`). | +| `com.docker.network.bridge.enable_icc` | `true` | Enable or Disable inter-container connectivity. | +| `com.docker.network.bridge.host_binding_ipv4` | all IPv4 and IPv6 addresses | Default IP when binding container ports. | +| `com.docker.network.driver.mtu` | `0` (no limit) | Set the containers network Maximum Transmission Unit (MTU). | +| `com.docker.network.container_iface_prefix` | `eth` | Set a custom prefix for container interfaces. | +| `com.docker.network.bridge.inhibit_ipv4` | `false` | Prevent Docker from [assigning an IP address](#skip-bridge-ip-address-configuration) to the bridge. | Some of these options are also available as flags to the `dockerd` CLI, and you can use them to configure the default `docker0` bridge when starting the Docker @@ -295,20 +295,22 @@ to a single network. For more information about this limitation, see [moby/moby#44973](https://github.com/moby/moby/issues/44973#issuecomment-1543747718). -## Skip IP address configuration +## Skip Bridge IP address configuration + +The bridge is normally assigned the network's `--gateway` address, which is +used as the default route from the bridge network to other networks. The `com.docker.network.bridge.inhibit_ipv4` option lets you create a network -that uses an existing bridge and have Docker skip configuring the IPv4 address -on the bridge. This is useful if you want to configure the IP address for the -bridge manually. For instance if you add a physical interface to your bridge, -and need to move its IP address to the bridge interface. +without the IPv4 gateway address being assigned to the bridge. This is useful +if you want to configure the gateway IP address for the bridge manually. For +instance if you add a physical interface to your bridge, and need it to have +the gateway address. -To use this option, you should first configure the Docker daemon to use a -self-managed bridge, using the `bridge` option in the `daemon.json` or the -`dockerd --bridge` flag. +With this configuration, north-south traffic (to and from the bridge network) +won't work unless you've manually configured the gateway address on the bridge, +or a device attached to it. -With this configuration, north-south traffic won't work unless you've manually -configured the IP address for the bridge. +This option can only be used with user-defined bridge networks. ## Next steps From e9cb32e17664b364a6eb69bb83dd20af46c01fa9 Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Wed, 11 Dec 2024 09:43:13 +0000 Subject: [PATCH 2/5] Updates to default bridge address config Signed-off-by: Rob Murray --- .../manuals/engine/network/drivers/bridge.md | 28 ++++++++++++++++--- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/content/manuals/engine/network/drivers/bridge.md b/content/manuals/engine/network/drivers/bridge.md index 01c6d62713d..bdf1c812c6b 100644 --- a/content/manuals/engine/network/drivers/bridge.md +++ b/content/manuals/engine/network/drivers/bridge.md @@ -229,6 +229,9 @@ When you create your network, you can specify the `--ipv6` flag to enable IPv6. $ docker network create --ipv6 --subnet 2001:db8:1234::/64 my-net ``` +If you do not provide a `--subnet` option, a Unique Local Address (ULA) prefix +will be chosen automatically. + ## Use the default bridge network The default `bridge` network is considered a legacy detail of Docker and is not @@ -259,7 +262,12 @@ the settings you need to customize. } ``` -Restart Docker for the changes to take effect. +In this example: + +- The bridge's address is "192.168.1.1/24" (from `bip`). +- The bridge network's subnet is "192.168.1.0/24" (from `bip`). +- Container addresses will be allocated from "192.168.1.0/25" (from `fixed-cidr`). + ### Use IPv6 with the default bridge network @@ -270,22 +278,34 @@ These three options only affect the default bridge, they are not used by user-defined networks. The addresses in below are examples from the IPv6 documentation range. -- Option `ipv6` is required -- Option `fixed-cidr-v6` is required, it specifies the network prefix to be used. +- Option `ipv6` is required. +- Option `bip6` is optional, it specifies the address of the default bridge, which + will be used as the default gateway by containers. It also specifies the subnet + for the bridge network. +- Option `fixed-cidr-v6` is optional, it specifies the address range Docker may + automatically allocate to containers. - The prefix should normally be `/64` or shorter. - For experimentation on a local network, it is better to use a Unique Local - prefix (matching `fd00::/8`) than a Link Local prefix (matching `fe80::/10`). + Address (ULA) prefix (matching `fd00::/8`) than a Link Local prefix (matching + `fe80::/10`). - Option `default-gateway-v6` is optional. If unspecified, the default is the first address in the `fixed-cidr-v6` subnet. ```json { "ipv6": true, + "bip6": "2001:db8::1111/64", "fixed-cidr-v6": "2001:db8::/64", "default-gateway-v6": "2001:db8:abcd::89" } ``` +If no `bip6` is specified, `fixed-cidr-v6` defines the subnet for the bridge +network. If no `bip6` or `fixed-cidr-v6` is specified, a ULA prefix will be +chosen. + +Restart Docker for changes to take effect. + ## Connection limit for bridge networks Due to limitations set by the Linux kernel, bridge networks become unstable and From d2bc218755672a9c50bca0f307c83e69edbfb06d Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Wed, 11 Dec 2024 09:43:40 +0000 Subject: [PATCH 3/5] Describe IPv6-only network config Signed-off-by: Rob Murray --- content/manuals/engine/network/_index.md | 8 ++++++++ content/manuals/engine/network/drivers/bridge.md | 11 +++++++++++ 2 files changed, 19 insertions(+) diff --git a/content/manuals/engine/network/_index.md b/content/manuals/engine/network/_index.md index 0ffc841b59f..5cdc4fccd5a 100644 --- a/content/manuals/engine/network/_index.md +++ b/content/manuals/engine/network/_index.md @@ -144,6 +144,14 @@ direct routing to containers, see ## IP address and hostname +When creating a network, IPv4 address allocation is enabled by default, it +can be disabled using `--ipv4=false`. IPv6 address allocation can be enabled +using `--ipv6`. + +```console +$ docker network create --ipv6 --ipv4=false v6net +``` + By default, the container gets an IP address for every Docker network it attaches to. A container receives an IP address out of the IP subnet of the network. The Docker daemon performs dynamic subnetting and IP address allocation for containers. diff --git a/content/manuals/engine/network/drivers/bridge.md b/content/manuals/engine/network/drivers/bridge.md index bdf1c812c6b..2a0c2275dd6 100644 --- a/content/manuals/engine/network/drivers/bridge.md +++ b/content/manuals/engine/network/drivers/bridge.md @@ -232,6 +232,17 @@ $ docker network create --ipv6 --subnet 2001:db8:1234::/64 my-net If you do not provide a `--subnet` option, a Unique Local Address (ULA) prefix will be chosen automatically. +## IPv6-only bridge networks + +To skip IPv4 address configuration on the bridge and in its containers, create +the network with option `--ipv4=false`, and enable IPv6 using `--ipv6`. + +```console +$ docker network create --ipv6 --ipv4=false v6net +``` + +IPv4 address configuration cannot be disabled in the default bridge network. + ## Use the default bridge network The default `bridge` network is considered a legacy detail of Docker and is not From c46b7bc7cf96577e8a57e8e92a4a68ceeb62fc1e Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Wed, 11 Dec 2024 12:15:05 +0000 Subject: [PATCH 4/5] Update description of gateway modes Signed-off-by: Rob Murray --- .../manuals/engine/network/drivers/bridge.md | 20 +++--- .../network/packet-filtering-firewalls.md | 64 +++++++++++++++---- 2 files changed, 61 insertions(+), 23 deletions(-) diff --git a/content/manuals/engine/network/drivers/bridge.md b/content/manuals/engine/network/drivers/bridge.md index 2a0c2275dd6..7373921c243 100644 --- a/content/manuals/engine/network/drivers/bridge.md +++ b/content/manuals/engine/network/drivers/bridge.md @@ -105,16 +105,16 @@ flag. The following table describes the driver-specific options that you can pass to `--option` when creating a custom network using the `bridge` driver. -| Option | Default | Description | -|-------------------------------------------------------------------------------------------------|-----------------------------|-----------------------------------------------------------------------------------------------------| -| `com.docker.network.bridge.name` | | Interface name to use when creating the Linux bridge. | -| `com.docker.network.bridge.enable_ip_masquerade` | `true` | Enable IP masquerading. | -| `com.docker.network.bridge.gateway_mode_ipv4`
`com.docker.network.bridge.gateway_mode_ipv6` | `nat` | Enable NAT and masquerading (`nat`), or only allow direct routing to the container (`routed`). | -| `com.docker.network.bridge.enable_icc` | `true` | Enable or Disable inter-container connectivity. | -| `com.docker.network.bridge.host_binding_ipv4` | all IPv4 and IPv6 addresses | Default IP when binding container ports. | -| `com.docker.network.driver.mtu` | `0` (no limit) | Set the containers network Maximum Transmission Unit (MTU). | -| `com.docker.network.container_iface_prefix` | `eth` | Set a custom prefix for container interfaces. | -| `com.docker.network.bridge.inhibit_ipv4` | `false` | Prevent Docker from [assigning an IP address](#skip-bridge-ip-address-configuration) to the bridge. | +| Option | Default | Description | +|-------------------------------------------------------------------------------------------------|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `com.docker.network.bridge.name` | | Interface name to use when creating the Linux bridge. | +| `com.docker.network.bridge.enable_ip_masquerade` | `true` | Enable IP masquerading. | +| `com.docker.network.bridge.gateway_mode_ipv4`
`com.docker.network.bridge.gateway_mode_ipv6` | `nat` | Enable NAT and masquerading (`nat`), or only allow direct routing to the container (`routed`). See [Packet filtering and firewalls](packet-filtering-firewalls.md). | +| `com.docker.network.bridge.enable_icc` | `true` | Enable or Disable inter-container connectivity. | +| `com.docker.network.bridge.host_binding_ipv4` | all IPv4 and IPv6 addresses | Default IP when binding container ports. | +| `com.docker.network.driver.mtu` | `0` (no limit) | Set the containers network Maximum Transmission Unit (MTU). | +| `com.docker.network.container_iface_prefix` | `eth` | Set a custom prefix for container interfaces. | +| `com.docker.network.bridge.inhibit_ipv4` | `false` | Prevent Docker from [assigning an IP address](#skip-bridge-ip-address-configuration) to the bridge. | Some of these options are also available as flags to the `dockerd` CLI, and you can use them to configure the default `docker0` bridge when starting the Docker diff --git a/content/manuals/engine/network/packet-filtering-firewalls.md b/content/manuals/engine/network/packet-filtering-firewalls.md index b7704196583..357b714be2e 100644 --- a/content/manuals/engine/network/packet-filtering-firewalls.md +++ b/content/manuals/engine/network/packet-filtering-firewalls.md @@ -129,31 +129,69 @@ clients. No routes are normally set up in the host's network for container addresses that exist within a host. But, particularly with IPv6 you may prefer to avoid using NAT and instead -arrange for external routing to container addresses. +arrange for external routing to container addresses ("direct routing"). To access containers on a bridge network from outside the Docker host, you must set up routing to the bridge network via an address on the Docker host. This can be achieved using static routes, Border Gateway Protocol (BGP), or any other means appropriate for your network. -The bridge network driver has options -`com.docker.network.bridge.gateway_mode_ipv6=` and -`com.docker.network.bridge.gateway_mode_ipv4=`. +Within a local layer 2 network, remote hosts can set up static routes +to a container network using the Docker daemon host's address on the local +network. Those hosts can access containers directly. For remote hosts +outside the local network, direct access to containers requires router +configuration to enable the necessary routing. + +#### Gateway modes + +The bridge network driver has the following options: +- `com.docker.network.bridge.gateway_mode_ipv6` +- `com.docker.network.bridge.gateway_mode_ipv4` + +Each of these can be set to one of the gateway modes: +- `nat` +- `nat-unprotected` +- `routed` The default is `nat`, NAT and masquerading rules are set up for each -published container port. With mode `routed`, no NAT or masquerading rules -are set up, but `iptables` are still set up so that only published container -ports are accessible. +published container port. Packets leaving the host will use a host address. + +With mode `routed`, no NAT or masquerading rules are set up, but `iptables` +are still set up so that only published container ports are accessible. +Outgoing packets from the container will use the container's address, +not a host address. + +In `nat` mode, when a port is published to a specific host address, that +port is only accessible via the host interface with that address. So, +for example, publishing a port to an address on the loopback interface +means remote hosts cannot access it. + +However, using direct routing, published container ports are always +accessible from remote hosts, unless the Docker host's firewall has +additional restrictions. Hosts on the local layer-2 network can set up +direct routing without needing any additional network configuration. +Hosts outside the local network can only use direct routing to the +container if the network's routers are configured to enable it. + +In `nat-unprotected` mode, unpublished container ports are also +accessible using direct routing, no port filtering rules are set up. +This mode is included for compatibility with legacy default behaviour. + +The gateway mode also affects communication between containers that +are connected to different Docker networks on the same host. +- In `nat` and `nat-unprotected` modes, containers in other bridge + networks can only access published ports via the host addresses they + are published to. Direct routing from other networks is not allowed. +- In `routed` mode containers in other networks can use direct + routing to access ports, without going via a host address. In `routed` mode, a host port in a `-p` or `--publish` port mapping is not used, and the host address is only used to decide whether to apply the mapping to IPv4 or IPv6. So, when a mapping only applies to `routed` -mode, only addresses `0.0.0.0` or `::1` are allowed, and a host port -must not be given. - -Mapped container ports, in `nat` or `routed` mode, are accessible from -any remote address, if routing is set up in the network, unless the -Docker host's firewall has additional restrictions. +mode, only addresses `0.0.0.0` or `::` should be used, and a host port +should not be given. If a specific address or port is given, it will +have no effect on the published port and a warning message will be +logged. #### Example From 3160618dc1e335a08e9e6bc528bb6e942085ba81 Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Wed, 11 Dec 2024 14:45:00 +0000 Subject: [PATCH 5/5] Describe gateway selection in the networking overview. Signed-off-by: Rob Murray --- content/manuals/engine/network/_index.md | 35 ++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/content/manuals/engine/network/_index.md b/content/manuals/engine/network/_index.md index 5cdc4fccd5a..78f496ab994 100644 --- a/content/manuals/engine/network/_index.md +++ b/content/manuals/engine/network/_index.md @@ -63,6 +63,41 @@ networking functionality: For more information about the different drivers, see [Network drivers overview](./drivers/_index.md). +### Connecting to multiple networks + +A container can be connected to multiple networks. + +For example, a frontend container may be connected to a bridge network +with external access, and a +[`--internal`](/reference/cli/docker/network/create/#internal) network +to communicate with containers running backend services that do not need +external network access. + +A container may also be connected to different types of network. For example, +an `ipvlan` network to provide internet access, and a `bridge` network for +access to local services. + +When sending packets, if the destination is an address in a directly connected +network, packets are sent to that network. Otherwise, packets are sent to +a default gateway for routing to their destination. In the example above, +the `ipvlan` network's gateway must be the default gateway. + +The default gateway is selected by Docker, and may change whenever a +container's network connections change. +To make Docker choose a specific default gateway when creating the container +or connecting a new network, set a gateway priority. See option `gw-priority` +for the [`docker run`](/reference/cli/docker/container/run.md) and +[`docker network connect`](/reference/cli/docker/network/connect.md) commands. + +The default `gw-priority` is `0` and the gateway in the network with the +highest priority is the default gateway. So, when a network should always +be the default gateway, it is enough to set its `gw-priority` to `1`. + +```console +$ docker run --network name=gwnet,gw-priority=1 --network anet1 --name myctr myimage +$ docker network connect anet2 myctr +``` + ## Container networks In addition to user-defined networks, you can attach a container to another