Flannel: Routes outside Flannel Networks and NAT'ing

Created on 2 Nov 2014  ·  3 Comments  ·  Source: coreos/flannel

Hi, this is a request-for-feature issue.

I want to run a container where there is a VXLAN-backed overlay. But for destinations outside the overlay, I want to NAT the container out, e.g. to the public internet.

I see three ways to go about this:

  • Second Network Interface: Use Flannel for the overlay, but then create a second netdev that is more similar to the default Docker NAT for the container. Then traffic to the overlay still goes via flannel, and a default route on the second netdev handles internet traffic.
  • Flannel sets up NATs: A configuration option to Flannel of some kind: add a default route for outside the overlay, and when exiting the overlay, have flannel configure a NAT.
  • Create VXLAN gateways: Make a container or machine with a flannel interface and another netdev to NAT to (or something like that). Configure the default route on other containers to go via this NAT instance.

Thoughts? Is this in scope or out of scope for flannel?

All 3 comments

The second option seems reasonable. I feel that we can lean on systemd-networkd to configure this network route after we bring up the flannel bridge.

@eyakubovich probably has an opinion on this one.

There is already an option that does something very similar to 2. If you run flanneld with --ip-masq, it will add an IP masquerade rule for traffic that's coming out of containers and headed for the Internet. More precisely, it's traffic that originated inside the overlay address space but is destined outside of it.

The option is undocumented (need to fix that) since I was waiting for Docker to merge my addition of --ip-masq to the Docker daemon. This allows one to run the Docker daemon with --ip-masq=false and flanneld with --ip-masq. Otherwise Docker also installs an IP masquerading rule for traffic coming out of docker0.

Docker 1.3, which was recently released, has the --ip-masq option.
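To make the difference between the two masquerade rules in the comment above concrete, here is an added example (not flannel's or Docker's own code) that models each rule's POSTROUTING decision; the overlay CIDR, the docker0 subnet and the sample flows are constructed.

```python
# Added example (not flannel or Docker code): models the two POSTROUTING
# MASQUERADE rules the comment contrasts, on constructed sample flows.
from ipaddress import ip_address, ip_network

# Constructed addressing: flannel overlay 10.1.0.0/16; this host's docker0
# bridge was given the 10.1.15.0/24 slice of that overlay.
OVERLAY = ip_network("10.1.0.0/16")
LOCAL_BRIDGE = ip_network("10.1.15.0/24")


def flannel_ip_masq(src, dst, out_if):
    """flanneld --ip-masq: masquerade only flows that originate inside the
    overlay address space and are destined outside it, i.e. roughly
    `-s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE`. The outgoing
    interface is not consulted."""
    return ip_address(src) in OVERLAY and ip_address(dst) not in OVERLAY


def docker_ip_masq(src, dst, out_if):
    """Docker's default rule: masquerade anything from the docker0 subnet
    that leaves via some other interface, i.e.
    `-s 10.1.15.0/24 ! -o docker0 -j MASQUERADE`. The destination is
    not consulted, so cross-host overlay traffic (out via flannel.1)
    is rewritten too."""
    return ip_address(src) in LOCAL_BRIDGE and out_if != "docker0"


def masquerade_decisions(flows):
    """For each (src, dst, out_if) flow, return (flannel_rule, docker_rule)
    booleans saying whether that rule would SNAT the flow."""
    return {f: (flannel_ip_masq(*f), docker_ip_masq(*f)) for f in flows}


# Constructed sample flows from a local container 10.1.15.2.
SAMPLE_FLOWS = [
    ("10.1.15.2", "93.184.216.34", "eth0"),    # overlay -> Internet
    ("10.1.15.2", "10.1.42.7", "flannel.1"),   # overlay -> container on another host
    ("10.1.15.2", "10.1.15.3", "docker0"),     # neighbour on the same bridge
]

if __name__ == "__main__":
    for flow, (by_flannel, by_docker) in masquerade_decisions(SAMPLE_FLOWS).items():
        print(f"{flow}: flannel --ip-masq={by_flannel}, docker default={by_docker}")
```

The second flow is why the comment pairs flanneld --ip-masq with Docker's --ip-masq=false: Docker's interface-based rule also rewrites the source of container-to-container traffic crossing hosts, while flannel's address-based rule leaves it alone.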

Thanks that works for us!
