Docker bridge network leaks internal IP addresses (masquerade not working) #44015
Comments
Yes, masquerade seems to be all kinds of messed up. Not only do I see internal IPs leaking as described before, but I also had a regression in connecting to ports published on the I have a DNS server (pihole) publishing tcp and udp port 53 in
And the host machine points to this DNS server by its LAN IP address. ( Failing, which worked before updating
Workaround
So for the time being I've added Alternatively, using
If you're affected and can reproduce for external connections: If your host is reachable via IPv6, and you have the default You can enable Likewise, if you have an IPv6 ULA subnet in the docker bridge network, you'd have a similar problem but the gateway IP would be IPv6 instead. If you have connections within the docker host (host to container, container to container via host IP, etc.), these can behave in a similar way and replace the client IP. Especially for a container that uses a host IP + port that resolves back into itself, there is a
Hello, I'm affected by this problem too; maybe someone can help me with how to avoid that in my setup.
Description
Docker containers using the bridge network sometimes send packets from the internal (172.17.0.X) IP to the network interface without masquerading them.
Reproduce
Run a docker container of your choice (in my case portainer/portainer-ce) using the default bridge network. Inspect outgoing traffic using tcpdump (e.g. on the router device).
Expected behavior
Docker containers using only the bridge network should not send any packets with internal IP addresses to the outside.
docker version
docker info
Additional Info
In my example the docker container is running on a Debian VM which is running on a VMware ESXi host.
First noticed the leaked IP addresses in the "client overview" of my networking hardware (Ubiquiti UniFi). This list shows the currently assigned IP address for each connected client. For all VMs running a docker container with bridge network, this IP is changed from time to time to 172.17.0.X for some seconds until it switches back to the correct value.
Original issue (created Oct 2020): docker/for-linux#1126
I copied over the details from the original issue. Versions are outdated by now, but the problem is still not fixed in the latest version.
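The reproduction step above relies on reading tcpdump output by eye. The following script is an added example (not from this issue or the Docker project) that automates the check a defender would run: it scans tcpdump text for packets that left the host with a source address still inside the default bridge range 172.17.0.0/16, and, where iptables is present, lists the MASQUERADE rules Docker normally installs for that range. The capture lines are constructed sample data; the bridge prefix and the assumption that `iptables` is on PATH are the only assumptions.

```shell
#!/bin/sh
# Added example, not part of the original issue. Detects unmasqueraded Docker
# bridge traffic in tcpdump output and checks for the expected NAT rule.

# Constructed sample of `tcpdump -n` output as it would look on the router or on
# the host's external interface. The third line is a leaked (unmasqueraded) packet.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.50.44321 > 1.1.1.1.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000105 IP 1.1.1.1.443 > 192.168.1.50.44321: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000001 IP 172.17.0.2.9000 > 1.1.1.1.443: Flags [S], seq 3, win 64240, length 0
12:00:03.000001 IP 192.168.1.50.53 > 192.168.1.20.51000: 1234 1/0/0 A 93.184.216.34 (44)'

# Read tcpdump text on stdin and print each distinct source address that falls
# inside the bridge prefix (default 172.17., the docker0 default subnet).
# Field 3 of a tcpdump IPv4 line is "src.port"; the trailing ".port" is stripped
# before matching. Output is empty when nothing leaked.
find_leaked_sources() {
    prefix="${1:-172.17.}"
    # Escape dots so the prefix is matched literally by grep.
    esc=$(printf '%s' "$prefix" | sed 's/\./\\./g')
    awk '$2 == "IP" { sub(/\.[0-9]+$/, "", $3); print $3 }' \
        | grep "^$esc" \
        | sort -u
}

# Show the POSTROUTING MASQUERADE rules for the bridge subnet, if iptables is
# available. Docker installs "-s 172.17.0.0/16 ! -o docker0 -j MASQUERADE" for
# the default bridge; returns 1 when no such rule is present or iptables is missing.
check_masquerade_rule() {
    subnet="${1:-172.17.0.0/16}"
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    iptables -t nat -S POSTROUTING 2>/dev/null | grep -F -- "-s $subnet" | grep -F MASQUERADE
}

# Usage on the constructed capture: prints 172.17.0.2, the leaked source.
printf '%s\n' "$SAMPLE_CAPTURE" | find_leaked_sources
```

On a live host, replace the constructed sample with `tcpdump -n -i <external interface> 'src net 172.17.0.0/16'`, which lets the kernel do the filtering; the script is useful when all you have is a saved text capture from the router. An empty result from `check_masquerade_rule` with a non-empty result from `find_leaked_sources` points at the NAT rule itself rather than at a race in connection tracking.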