physical x86 server -> linux bridge -> docker (on the same x86 server)
The traffic path is as follows:
client -> server -> bridge -> docker
We have a kernel module (registered via nf_register_hook), which has an nf hook defined as follows:

    /* ops struct; the variable name is not given in the post */
    static struct nf_hook_ops my_ops = {
        .hook     = my_hook,
    #if LINUX_VERSION_CODE < KERNEL_VERSION(4,9,0)
        .owner    = THIS_MODULE,
    #endif
        .pf       = PF_INET,
        .hooknum  = NF_INET_LOCAL_IN,
        .priority = NF_IP_PRI_FIRST,
    };
We found a weird case (the module is loaded on the server):
- for Linux 3.10, the my_hook function works fine for traffic to docker,
- for Linux 4.19, my_hook is not triggered for traffic to docker.
By the way, we enable net.bridge.bridge-nf-call-iptables = 1 just for logging purposes.
It looks namespace-related; however, nf_register_hook loops over all namespaces.
Can anyone give me some advice?
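One way to make sure the LOCAL_IN hook exists in every network namespace, including the ones Docker creates after the module is loaded, is to register it through pernet_operations. This is an added example, not code from the original post; it assumes a 4.4+ kernel (nf_register_net_hook and state->net available), and the names my_hook, my_ops and my_net_ops are hypothetical.

```c
#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <net/net_namespace.h>

/* Runs in whichever netns the packet is delivered in; for a container
 * that is the container's netns, not the host's init_net. */
static unsigned int my_hook(void *priv, struct sk_buff *skb,
			    const struct nf_hook_state *state)
{
	/* ns.inum is the value shown by: readlink /proc/<pid>/ns/net */
	pr_info_ratelimited("my_hook: LOCAL_IN in netns %u\n",
			    state->net->ns.inum);
	return NF_ACCEPT;
}

static const struct nf_hook_ops my_ops = {
	.hook     = my_hook,
	.pf       = NFPROTO_IPV4,
	.hooknum  = NF_INET_LOCAL_IN,
	.priority = NF_IP_PRI_FIRST,
};

/* init runs for init_net at load time and for every netns created later
 * (Docker creates one per container); exit runs when a netns goes away. */
static int __net_init my_net_init(struct net *net)
{
	return nf_register_net_hook(net, &my_ops);
}

static void __net_exit my_net_exit(struct net *net)
{
	nf_unregister_net_hook(net, &my_ops);
}

static struct pernet_operations my_net_ops = {
	.init = my_net_init,
	.exit = my_net_exit,
};

static int __init my_init(void)
{
	return register_pernet_subsys(&my_net_ops);
}

static void __exit my_exit(void)
{
	unregister_pernet_subsys(&my_net_ops);
}
module_init(my_init);
module_exit(my_exit);
MODULE_LICENSE("GPL");
```

Note that with per-netns hooks the packet for a container is seen at LOCAL_IN inside the container's namespace (after the bridge and veth), so the logged ns.inum should match that container's /proc/<pid>/ns/net rather than the host's.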
Source: Docker Questions