
When I look at the docker_gwbridge, I see that all containers on that host are members of the bridge.

bridge name         bridge id           STP enabled  interfaces
docker_gwbridge     8000.0242e581b3f5   no           veth0987748
                                                     veth21aa5ea
                                                     veth358d367
                                                     veth473e3a5
                                                     vetha199713
                                                     vethf482f5f
                                                     vethf4ceab6

However, how can it be that a physical interface on the host is not a member of that bridge? The documentation describes this network as the egress bridge for traffic leaving a Docker swarm cluster. That is, traffic which most likely will leave the host. What mechanism is ensuring that packets entering the docker_gwbridge (from any given container) eventually leave the host on a physical interface when no physical interface takes part in the bridge?

sbrattla

1 Answer


The mechanism used by Docker is iptables. Iptables rules are added by Docker so packets from the docker_gwbridge are forwarded and then natted (masquerade) when traffic is sent to the outside world.

Here's an excerpt from the output of docker network inspect docker_gwbridge:

[
    {
        "Name": "docker_gwbridge",
       ...
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.20.0.0/16",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        ...
        "Options": {
            "com.docker.network.bridge.enable_icc": "false",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.name": "docker_gwbridge"
        },
        "Labels": {}
    }
]

You can see that Docker uses the 172.20.0.0/16 network and that com.docker.network.bridge.enable_ip_masquerade is set to true.

Docker creates the following rules:

  • MASQUERADE all -- 172.20.0.0/16 anywhere (in table nat)
  • ACCEPT all -- docker_gwbridge !docker_gwbridge anywhere anywhere (in forward chain)

So, although no physical interfaces are attached to the bridge, traffic in that bridge is allowed to be routed/forwarded, and as it is set to be natted (masquerade), that traffic will be put on the physical interface associated with the NAT address.

Miguel A. C.