
Docker Swarm: Host level DSCP IPtables rules not inherited by Container

swarm
docker

(Marzlarz) #1

Issue

We use DSCP ToS packet tagging within our network. The issue we are experiencing is between 2 subnets. At the Docker Swarm host level, we have the IPTables rules applied and we can connect to the remote host/port in question. From within the container on that same Swarm host, we cannot reach the remote host/port, even though we are using the overlay network.

Example:

VLAN1: 10.1.1.0/24
VLAN2: 10.2.2.0/24

Source Host: 10.1.1.3
Remote Host: 10.2.2.25 , port 5701

IPTables Rules at Swarm Host Level:

# iptables -t mangle -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DSCP       icmp --  anywhere             anywhere             DSCP set 0x10
DSCP       tcp  --  anywhere             anywhere             DSCP set 0x10
DSCP       udp  --  anywhere             anywhere             DSCP set 0x10

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

From the host level, I can ping and telnet to the remote port:

docker-host> # telnet 10.2.2.25 5701
Trying 10.2.2.25...
Connected to 10.2.2.25.
Escape character is '^]'.
^]


docker-host> # ping 10.2.2.25
PING 10.2.2.25 (10.2.2.25): 56 data bytes
64 bytes from 10.2.2.25: seq=0 ttl=62 time=0.517 ms
64 bytes from 10.2.2.25: seq=1 ttl=62 time=0.492 ms

From the container level on that host, I can ping but telnet fails to the remote port:

docker-container> # telnet 10.2.2.25 5701
Trying 10.2.2.25...



docker-container> # ping 10.2.2.25
PING 10.2.2.25 (10.2.2.25): 56 data bytes
64 bytes from 10.2.2.25: seq=0 ttl=62 time=0.517 ms
64 bytes from 10.2.2.25: seq=1 ttl=62 time=0.492 ms

I ran two separate TCPDUMPs, one while connecting from the host and one from the container level.

TCPDUMP from Host:

19:35:15.168458 IP (tos 0x40, ttl 64, id 41630, offset 0, flags [DF], proto TCP (6), length 40)

TCPDUMP from Container:

19:35:23.539889 IP (tos 0x0, ttl 63, id 34540, offset 0, flags [DF], proto TCP (6), length 52)
  • As you can see, the tos is not being set properly from the container level.
  • From the host, it's being set to 0x40, which is CS2 (which is correct).
  • TOS Values Explained

Summary

It would seem that DSCP tagging is not being honored by the Overlay network for outgoing packets.
Any help would be greatly appreciated; I haven't found anything online regarding this issue.
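An added check (my own example, not code from the post above) that decodes the tos byte of the two tcpdump lines quoted in the post into DSCP and class name, so the host-versus-container comparison can be scripted rather than read by eye; the expected class CS2 (DSCP 0x10) is taken from the mangle rules shown. As general netfilter behaviour, the mangle OUTPUT chain only sees packets the host itself generates, while packets forwarded on behalf of containers traverse FORWARD and POSTROUTING, which is consistent with the ttl 63 (one forwarding hop) on the container capture.

```python
import re

# Constructed sample: the two tcpdump lines quoted in the post above.
CAPTURES = {
    "host": "19:35:15.168458 IP (tos 0x40, ttl 64, id 41630, offset 0, flags [DF], proto TCP (6), length 40)",
    "container": "19:35:23.539889 IP (tos 0x0, ttl 63, id 34540, offset 0, flags [DF], proto TCP (6), length 52)",
}

TOS_RE = re.compile(r"\(tos 0x([0-9a-fA-F]+), ttl (\d+),")


def dscp_class(dscp: int) -> str:
    """Map a 6-bit DSCP value to its standard PHB name (CSx, AFxy, EF)."""
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"
    cls, drop = dscp // 8, (dscp % 8) // 2
    if 1 <= cls <= 4 and dscp % 2 == 0 and drop in (1, 2, 3):
        return f"AF{cls}{drop}"
    return f"DSCP{dscp}"  # non-standard code point


def decode_tos(tos: int) -> dict:
    """Split the IPv4 TOS byte: upper 6 bits are DSCP, lower 2 bits are ECN."""
    dscp = tos >> 2
    return {"tos": tos, "dscp": dscp, "ecn": tos & 0x3, "class": dscp_class(dscp)}


def check_capture(line: str, expected_dscp: int) -> dict:
    """Parse one tcpdump -v line and report whether it carries the expected DSCP."""
    m = TOS_RE.search(line)
    if not m:
        raise ValueError("no tos/ttl field in line")
    info = decode_tos(int(m.group(1), 16))
    info["ttl"] = int(m.group(2))
    info["marked"] = info["dscp"] == expected_dscp
    return info


def audit(captures: dict, expected_dscp: int = 0x10) -> dict:
    """Run the check over every named capture; 0x10 is the DSCP set by the post's mangle rules."""
    return {name: check_capture(line, expected_dscp) for name, line in captures.items()}


if __name__ == "__main__":
    for name, r in audit(CAPTURES).items():
        status = "OK" if r["marked"] else "MISSING"
        print(f"{name:10s} tos=0x{r['tos']:02x} dscp={r['dscp']} ({r['class']}) ttl={r['ttl']} -> {status}")
```

Feeding a full `tcpdump -v` capture from each vantage point through `check_capture` line by line gives a per-packet record of which path lost the marking.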