New engine options, "allow-direct-routing" and "trusted_host_interfaces" #22601

Open
wants to merge 1 commit into
base: main
54 changes: 45 additions & 9 deletions content/manuals/engine/network/packet-filtering-firewalls.md
@@ -150,15 +150,51 @@
arrange for external routing to container addresses ("direct routing").

To access containers on a bridge network from outside the Docker host,
you must set up routing to the bridge network via an address on the Docker
host. This can be achieved using static routes, Border Gateway Protocol
(BGP), or any other means appropriate for your network.

Within a local layer 2 network, remote hosts can set up static routes
to a container network using the Docker daemon host's address on the local
network. Those hosts can access containers directly. For remote hosts
outside the local network, direct access to containers requires router
configuration to enable the necessary routing.
you must first set up routing to the bridge network via an address on the
Docker host. This can be achieved using static routes, Border Gateway Protocol
(BGP), or any other means appropriate for your network. For example, within
a local layer 2 network, remote hosts can set up static routes to a container
network via the Docker daemon host's address on the local network.

#### Direct routing to containers in bridge networks

By default, remote hosts are not allowed direct access to container IP
addresses in Docker's Linux bridge networks. They can only access ports
published to host IP addresses.

To allow direct access to any published port, on any container, in any
Linux bridge network, use daemon option `--allow-direct-routing` or the
equivalent `"allow-direct-routing": true` in `/etc/docker/daemon.json`.

To allow direct routing from anywhere to containers in a specific bridge
network, see [Gateway modes](#gateway-modes).

Or, to allow direct routing via specific host interfaces, to a specific
bridge network, use the following option when creating the network:
- `com.docker.network.bridge.trusted_host_interfaces`

#### Example

Create a network where published ports on container IP addresses can be
accessed directly from interfaces `vxlan.1` and `eth3`:

```console
$ docker network create --subnet 192.0.2.0/24 --ip-range 192.0.2.0/29 -o com.docker.network.bridge.trusted_host_interfaces="vxlan.1:eth3" mynet
```

Run a container in that network, publishing its port 80 to the port
8080 on host's loopback interface:

```console
docker run -d --ip 192.0.2.100 -p 127.0.0.1:8080:80 nginx
```

The web server running on the container's port 80 can now be accessed
from the Docker host at `http://127.0.0.1:8080`, or directly at
`http://192.0.2.100:80`. If remote hosts on networks connected to
interfaces `vxlan.1` and `eth3` have a route to the `192.0.2.0/24`
network inside the Docker host, they can also access the web server
via `http://192.0.2.100:80`.

#### Gateway modes

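Review bot: the second `console` block in the "Example" subsection, `docker run -d --ip 192.0.2.100 -p 127.0.0.1:8080:80 nginx`, never attaches the container to `mynet`; without `--network mynet` the container joins the default bridge, where a user-specified `--ip` is rejected and the `trusted_host_interfaces` option set on `mynet` does not apply, so the direct-routing walkthrough cannot be reproduced as written. Suggest `$ docker run -d --network mynet --ip 192.0.2.100 -p 127.0.0.1:8080:80 nginx`, which also restores the `$ ` prompt used by the first block. Since this option relaxes the host-IP-only restriction described just above it, the closing paragraph could also say explicitly that remote hosts on `vxlan.1` and `eth3` reach only the published port 80 at `192.0.2.100`, not unpublished container ports, so readers do not read it as exposing the whole container. The vale warning that `BGP` is undefined is easy to clear by expanding it on first use, as the text already does for "Border Gateway Protocol (BGP)" one line earlier.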