无法在Docker容器中设置net.bridge.bridge-nf-call-iptables [英] Unable to set net.bridge.bridge-nf-call-iptables within Docker container

问题描述

我正在尝试控制是否使用以下命令将通过我在Docker容器中建立的网桥的数据包​​发送到iptables进行处理:

I'm trying to control whether or not packets traversing a bridge I've set up in my Docker container are sent to iptables for processing using the following command:

sysctl -w net.bridge.bridge-nf-call-iptables="1"

不幸的是，这不起作用:

Unfortunately, this doesn't work:

sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory

尽管我的主机中存在目录，但我的Docker容器中似乎没有/proc/sys/net/bridge目录.在主机上运行时，相同的命令也有效.经过检查，据我所知，所有正确的模块都已安装在主机上，并出现在Docker容器中.

It appears that there isn't a /proc/sys/net/bridge directory in my Docker container, despite the directory existing in my host machine. The same command works when run on the host machine. I've checked, and as far as I'm aware all of the correct modules are installed on the host machine and are appearing in the Docker container.

Google一直没有用，所以我想知道是否还有其他人看到了这个问题和/或有解决方案?

Google has been of no use, so I'm wondering if any else has seen this issue and/or has a solution?

推荐答案

在容器内部运行命令毫无意义.它使用iptables激活过滤网桥流量.如果要使用iptables过滤docker容器之间的流量，这很有用.因此，它必须在主机上运行.

There is no point in running the command inside the container. It activates filtering bridge traffic with iptables. This is useful if you want to filter the traffic between docker containers with iptables. So it must be run on the host.

此外，您正在尝试更改内核配置，但是容器没有自己的内核.因此，无论如何都不允许使用sysctl进行任何更改.

Also you are trying to change a kernel configuration but containers don't have their own kernel. So it won't be allowed to change anything with sysctl anyway.

这篇关于无法在Docker容器中设置net.bridge.bridge-nf-call-iptables的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！