Unable to set net.bridge.bridge-nf-call-iptables within Docker container

Question

I'm trying to control whether or not packets traversing a bridge I've set up in my Docker container are sent to iptables for processing using the following command:

sysctl -w net.bridge.bridge-nf-call-iptables="1"

Unfortunately, this doesn't work:

sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory

It appears that there isn't a /proc/sys/net/bridge directory in my Docker container, despite the directory existing in my host machine. The same command works when run on the host machine. I've checked, and as far as I'm aware all of the correct modules are installed on the host machine and are appearing in the Docker container.

Google has been of no use, so I'm wondering if any else has seen this issue and/or has a solution?

PaulLiss · Answer 1 · 2020-09-22T12:13:30.790

2

There is no "bridge" directory in "/proc/sys/net/"

You should enable br_netfilter to get this directory:

    modprobe br_netfilter

the command creates the br_netfilter directory.

Then enable 'net.bridge.bridge-nf-call-iptables' parameter:

    sysctl net.bridge.bridge-nf-call-iptables=1

edited Sep 22 '20 at 12:13

answered Sep 22 '20 at 12:04

PaulLiss

21
4

Didn't work, Centos 7 – blissweb Nov 19 '21 at 07:22

FlorianLudwig · Answer 2 · 2015-06-30T09:35:27.443

1

There is no point in running the command inside the container. It activates filtering bridge traffic with iptables. This is useful if you want to filter the traffic between docker containers with iptables. So it must be run on the host.

Also you are trying to change a kernel configuration but containers don't have their own kernel. So it won't be allowed to change anything with sysctl anyway.

edited Jun 30 '15 at 09:35

answered Mar 03 '15 at 19:32

FlorianLudwig

325
2
9

score 0 · Answer 3 · answered Feb 26 '15 at 15:24

0

When you run docker try mapping the directory through. If the only issue is the hosts directory is needed in the docker container, try:

docker run -v /proc/sys/net/bridge:/proc/sys/net/bridge ...

iptables may need more things mapped through, but, this will get that directory through!

answered Feb 26 '15 at 15:24

Greg

6,571
2
27
39

Didn't work, Centos 7 – blissweb Nov 19 '21 at 07:22

score 0 · Answer 4 · answered Jan 19 '17 at 18:52

0

Have you tried running your container as privileged?

docker run --privileged -device=/proc/sys/net/bridge:/proc/sys/net/bridge

See http://docs-stage.docker.com/v1.11/engine/reference/run/#runtime-privilege-and-linux-capabilities

answered Jan 19 '17 at 18:52

Marcus Williams

1

Unable to set net.bridge.bridge-nf-call-iptables within Docker container

4 Answers4

Linked