Docker Community Forums

Isolated bridge network receives packets from outside

(Hc2116) #1

I set up a docker bridge network on Linux for the purpose of testing what the network traffic of individual applications (containers) looks like. Therefore, a key requirement for the network is that it is completely isolated from traffic that originates from other applications or devices.

A simple example I created with compose is a ping container that sends ICMP packets to another one, with a third container running tcpdump to collect the traffic:

version: '3'
services:
  ping:
    image: 'detlearsom/ping'
    environment:
      - HOSTNAME=blank
      - TIMEOUT=2
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
    networks:
      - capture

  blank:
    image: 'alpine'
    command: sleep 300
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
    networks:
      - capture

  tcpdump:
    image: 'detlearsom/tcpdump'
    volumes:
      - '$PWD/data:/data'
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
    network_mode: 'service:ping'
    command: -v -w "/data/dump-011-ping2-${CAPTURETIME}.pcap"

networks:
  capture:
    driver: "bridge"
    internal: true

Note that I have set the network to internal, and I have also disabled IPv6. However, when I run it and collect the traffic, in addition to the expected ICMP packets I get IPv6 packets:

10:42:40.863619 IP6 fe80::42:2aff:fe42:e303 > ip6-allrouters: ICMP6, router solicitation, length 16
10:42:43.135167 IP6 fe80::e437:76ff:fe9e:36b4.mdns > ff02::fb.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local.
10:42:37.875646 IP6 fe80::e437:76ff:fe9e:36b4.mdns > ff02::fb.mdns: 0*- [0q] 2/0/0 (Cache flush) PTR he...F.local., (Cache flush) AAAA fe80::e437:76ff:fe9e:36b4 (161)

What is even stranger is that I receive UDP packets from port 57621:

10:42:51.868199 IP 172.25.0.1.57621 > 172.25.255.255.57621: UDP, length 44

This port corresponds to Spotify traffic and most likely originates from my Spotify application that is running on the host machine.

My question: Why do I see this traffic in my network that is supposed to be isolated?

For anyone interested, here is the network configuration:

[
    {
        "Name": "capture-011-ping2_capture",
        "Id": "35512f852332351a9f677f75b522982aa6bd288e813a31a3c36477baa005c0fd",
        "Created": "2018-08-07T10:42:31.610178964+01:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.25.0.0/16",
                    "Gateway": "172.25.0.1"
                }
            ]
        },
        "Internal": true,
        "Attachable": true,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "dac25cb8810b2c786735a76c9b8387d1cfb4d6006dbb7549f5c7c3f381d884c2": {
                "Name": "capture-011-ping2_tcpdump_1",
                "EndpointID": "2463a46cf00a35c8c77ff9f224ff052aea7f061684b7a24b41dab150496f5c3d",
                "MacAddress": "02:42:ac:19:00:02",
                "IPv4Address": "172.25.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "capture",
            "com.docker.compose.project": "capture-011-ping2",
            "com.docker.compose.version": "1.22.0"
        }
    }
]
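One way to triage a capture like this, as an added example that is not part of the original post: a small Python classifier over tcpdump summary lines that separates container-to-container packets from IPv6 packets and from IPv4 packets sourced at the bridge gateway address (172.25.0.1 in the inspect output, which is the host's own address on the bridge) or sent to the subnet broadcast. The sample capture is constructed: it reuses the lines quoted in the post plus two made-up ICMP echo lines in tcpdump's non-verbose summary format.

```python
import ipaddress
import re

# Values taken from the `docker network inspect` output in the post.
SUBNET = ipaddress.ip_network("172.25.0.0/16")
GATEWAY = ipaddress.ip_address("172.25.0.1")  # host's address on the bridge

# Constructed sample: the lines quoted in the post plus two made-up echo lines.
SAMPLE = """\
10:42:40.863619 IP6 fe80::42:2aff:fe42:e303 > ip6-allrouters: ICMP6, router solicitation, length 16
10:42:43.135167 IP6 fe80::e437:76ff:fe9e:36b4.mdns > ff02::fb.mdns: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local.
10:42:51.868199 IP 172.25.0.1.57621 > 172.25.255.255.57621: UDP, length 44
10:42:52.000000 IP 172.25.0.2 > 172.25.0.3: ICMP echo request, id 1, seq 1, length 64
10:42:52.000100 IP 172.25.0.3 > 172.25.0.2: ICMP echo reply, id 1, seq 1, length 64
"""

# Non-verbose tcpdump summary: "<time> IP|IP6 <src> > <dst>: <rest>"
LINE_RE = re.compile(r"^\S+ (IP6?) (\S+) > (\S+?): ")
# IPv4 address with an optional ".port" or ".service" suffix appended by tcpdump
IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\.\S+)?$")


def classify(line: str) -> str:
    """Label one tcpdump summary line by where the packet came from."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"
    proto, src, dst = m.groups()
    if proto == "IP6":
        return "ipv6"  # seen even though every container sets disable_ipv6=1
    s, d = IPV4_RE.match(src), IPV4_RE.match(dst)
    if not (s and d):
        return "unparsed"
    src_ip = ipaddress.ip_address(s.group(1))
    dst_ip = ipaddress.ip_address(d.group(1))
    if src_ip == GATEWAY:
        return "from-host"  # sourced at the bridge itself, i.e. by the host
    if dst_ip == SUBNET.broadcast_address:
        return "broadcast"
    if src_ip in SUBNET and dst_ip in SUBNET:
        return "container"
    return "external"


def summarize(capture: str) -> dict:
    """Count packets per label; anything but 'container' deserves a closer look."""
    counts: dict = {}
    for line in capture.splitlines():
        if line.strip():
            label = classify(line)
            counts[label] = counts.get(label, 0) + 1
    return counts
```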