{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 三岁会撩人 的问题《Why do ping packets not reach a custom gateway in》','https://www.manongdao.com/q-987197.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
The Story
I have the following virtual Docker network configuration:
...10.2 ...10.3 ...100.3 ...100.2
+------+ +-------+ +------+
| so_A +--so_net_a--+ so_AB +--so_net_b--+ so_B |
+------+ ...10.0/24 +-------+ ..100.0/24 +------+
Build with the setup script in the end of the question. Here so_A, so_AB and so_B are Debian containers; so_net_a and so_net_b are Docker networks (a recently added feature).
I want to make a router out of the middle container so_AB. For that I replace the default gateway in so_A with the ip of so_AB:
docker exec --privileged so_A ip route del default
docker exec --privileged so_A ip route add default via $AB_A_IP dev eth0
Then I run tcpdump on so_AB (in an extra terminal window):
docker attach so_AB
/# tcpdump -i eth0 -n
and ping some addresses from so_A. I do not understand, why when I ping an IP address from a completely unrelevant network, e.g.:
docker attach so_A
/# ping 192.168.200.2
so_AB receives ICMP packets (although by some reason from the default gateway 192.168.10.1, while I would expect them to come from the so_A ip 192.168.10.2), bun when I ping any address from the so_net_b subnet, e.g.:
/# ping 192.168.100.15
so_AB receives only ARP requiets, like ARP, Request who-has 192.168.10.3 tell 192.168.10.2, length 28.
ip route get shows that so_A uses the so_AB as a first-hop for both addresses.
Question
Why do the ping packets for the relevant IP addresses not reach the custom-set default gateway, while the non-relevant ones do?
Setup
I use the latest Docker version: 1.9.1, build a34a1d5 on my 64bit ubuntu 14.04.
Here is a setup script to reproduce the issue:
docker network create --driver=bridge --subnet=192.168.10.0/24 so_net_a
docker network create --driver=bridge --subnet=192.168.100.0/24 so_net_b
# Network topology:
# +------+ +-------+ +------+
# | so_A +--so_net_a--+ so_AB +--so_net_b--+ so_B |
# +------+ +-------+ +------+
docker run -itd --name=so_A --net=so_net_a debian /bin/bash
docker run -itd --name=so_B --net=so_net_b debian /bin/bash
docker run -itd --name=so_AB --net=so_net_a debian /bin/bash
docker network connect so_net_b so_AB
docker exec so_AB sh -c 'apt-get update && apt-get install -y tcpdump'
AB_A_IP=`docker inspect -f '{{.NetworkSettings.Networks.so_net_a.IPAddress}}' so_AB`
B_IP=`docker inspect -f '{{.NetworkSettings.Networks.so_net_b.IPAddress}}' so_B`
# Change the default gateway to so_AB
docker exec --privileged so_A ip route del default
docker exec --privileged so_A ip route add default via $AB_A_IP dev eth0
# Normally should be 192.168.100.2
echo $B_IP