Hi, this is a request-for-feature issue.
I want to run a container where there is a VXLAN-backed overlay. But for destinations outside the overlay, I want to NAT the container out, e.g. to the public internet.
I see three ways to go about this:
Thoughts? Is this in scope or out of scope for flannel?
The second option seems reasonable. I feel that we can lean on systemd-networkd to configure this network route after we bring up the flannel bridge.
@eyakubovich probably has an opinion on this one.
There is already an option that does something very similar to 2. If you run flanneld with `--ip-masq`, it will add an IP Masquerade rule for traffic that's coming out of containers and headed for the Internet. More precisely, it's traffic that originated inside the overlay address space but destined outside of it.
The option is undocumented (need to fix that) since I was waiting for Docker to merge my addition of `--ip-masq` to Docker daemon. This allows one to run Docker daemon with `--ip-masq=false` and flanneld with `--ip-masq`. Otherwise Docker also installs an IP masquerading rule for traffic coming out of docker0.
Docker 1.3, which was recently released, has the `--ip-masq` option.
Thanks that works for us!