I used the forum search with “macvlan” and found this snippet, which might be helpful to configure the network and shim interface to work around the security restriction partially (of course you need to set the variables to reflect your setup):
# adjust these four values to your own setup
NETWORK_CIDR=192.168.199.0/24
IP_RANGE_CIDR=192.168.199.32/27
GATEWAY_IP=192.168.199.1
PARENT_INTERFACE_NAME=eth1
# create the macvlan network; --aux-address reserves the first address of the
# ip-range (the part before the "/") for the shim interface so docker never
# hands it to a container. HOSTNAME is only set by bash, hence the fallback.
docker network create -d macvlan \
--subnet=${NETWORK_CIDR} \
--ip-range=${IP_RANGE_CIDR} \
--gateway=${GATEWAY_IP} \
--aux-address="${HOSTNAME:-$(hostname)}=${IP_RANGE_CIDR%/*}" \
-o parent=${PARENT_INTERFACE_NAME} mymacvlan
# host-side macvlan child interface on the same parent
ip link add macvlan-shim link ${PARENT_INTERFACE_NAME} type macvlan mode bridge
ip addr add "${IP_RANGE_CIDR%/*}/32" dev macvlan-shim
ip link set macvlan-shim up
# send traffic for the container ip-range through the shim, not the parent
ip route add ${IP_RANGE_CIDR} dev macvlan-shim
What it does:
- Create the macvlan network, excluding the IP address that will be used for the shim interface.
- Create a macvlan child interface.
- Assign an IP to the macvlan child interface and bring it up.
- Add a route to the macvlan ip-range using the shim interface.
As a result the host will be able to communicate with a macvlan container by its IP. A macvlan container has to communicate with the host using the macvlan child interface, as it still suffers from the restriction that a macvlan child interface cannot communicate with its parent interface.
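An added sanity check for the four variables in the snippet above (example code written for this reply, not from the original post or from Docker): it verifies with pure shell arithmetic that the ip-range sits inside the subnet, that the gateway is neither outside the subnet nor inside the container range, and that the ip-range is written as its network address, since that is the address the `${IP_RANGE_CIDR%/*}` expansion hands to the shim and to `--aux-address`. The function names are my own; nothing here calls `docker` or `ip`.

```shell
#!/bin/sh
# Added example, not part of the original post: check the macvlan variables
# before running the docker/ip commands. Pure POSIX sh, runs anywhere.

ip_to_int() {            # dotted quad -> 32-bit integer
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {            # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_mask() {          # prefix length -> netmask as integer
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

cidr_network() {         # a.b.c.d/p -> network address as integer
  echo $(( $(ip_to_int "${1%/*}") & $(prefix_mask "${1#*/}") ))
}

# cidr_contains OUTER INNER: true when every address of INNER lies in OUTER
cidr_contains() {
  [ "${1#*/}" -le "${2#*/}" ] &&
  [ $(( $(cidr_network "$2") & $(prefix_mask "${1#*/}") )) -eq "$(cidr_network "$1")" ]
}

# The shim gets the address before the "/" of the ip-range, exactly as the
# snippet's "${IP_RANGE_CIDR%/*}" does; that is only the first address of
# the range when the range is written with its network address.
shim_ip() { echo "${1%/*}"; }

# validate_macvlan_plan NETWORK_CIDR IP_RANGE_CIDR GATEWAY_IP
# Returns 0 when the values are consistent, 1 with a reason on stderr otherwise.
validate_macvlan_plan() {
  net=$1 range=$2 gw=$3
  cidr_contains "$net" "$range" ||
    { echo "ip-range $range is not inside subnet $net" >&2; return 1; }
  cidr_contains "$net" "$gw/32" ||
    { echo "gateway $gw is not inside subnet $net" >&2; return 1; }
  ! cidr_contains "$range" "$gw/32" ||
    { echo "gateway $gw collides with container ip-range $range" >&2; return 1; }
  [ "$(shim_ip "$range")" = "$(int_to_ip "$(cidr_network "$range")")" ] ||
    { echo "ip-range $range is not written as its network address; shim would get ${range%/*}" >&2; return 1; }
  echo "shim address: $(shim_ip "$range") (excluded from the range via --aux-address)"
}
```

Run it as `validate_macvlan_plan "$NETWORK_CIDR" "$IP_RANGE_CIDR" "$GATEWAY_IP"` after setting the variables; a non-zero exit means the docker command would either fail or reserve an address you did not intend.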