Any container on the node where swarm-manager runs can access port 2376 #124

Open
wchaoyi opened this issue May 31, 2017 · 1 comment

wchaoyi commented May 31, 2017

The default calico rule for 2376 has not taken effect.

@fossilet fossilet added the ready label Jun 23, 2017

liuxu623 commented Sep 5, 2017

The iptables nat table takes effect before the filter table; once a packet matches the DOCKER chain in the nat table, it will not match calico's chain in the filter table.

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    8   480 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    4   240 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2376 to:172.17.0.2:2375
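
Added example, not code from this issue or the project: in netfilter, DNAT in the nat table rewrites the destination before the filter table is evaluated, so with the rule above a filter rule on tcp dpt:2376 sees 172.17.0.2:2375 instead. The Python sketch below parses the quoted DOCKER chain and classifies filter rules accordingly; the three filter rules are constructed for illustration and are not Calico's actual rules.

```python
import re

# The nat-table DOCKER chain as quoted in the comment above.
NAT_DOCKER = """\
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    8   480 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    4   240 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2376 to:172.17.0.2:2375
"""

# Constructed filter-table rules in iptables-save syntax (hypothetical, not from the issue).
FILTER_RULES = [
    "-A FORWARD -p tcp -m tcp --dport 2376 -j DROP",
    "-A FORWARD -d 172.17.0.2/32 -p tcp -m tcp --dport 2375 -j DROP",
    "-A FORWARD -p tcp -m conntrack --ctorigdstport 2376 -j DROP",
]

DNAT_RE = re.compile(r"\bDNAT\s+(tcp|udp)\b.*\bdpt:(\d+)\s+to:([\d.]+):(\d+)")

def parse_dnat(listing):
    """Return [(proto, published_port, backend_ip, backend_port)] from `iptables -t nat -L DOCKER -v -n` output."""
    hits = (DNAT_RE.search(line) for line in listing.splitlines())
    return [(m[1], int(m[2]), m[3], int(m[4])) for m in hits if m]

def audit(filter_rules, dnat_maps):
    """Say whether each port-matching filter rule can still match once DNAT has rewritten the destination."""
    findings = []
    for proto, published, _ip, backend in dnat_maps:
        for rule in filter_rules:
            if f"-p {proto}" not in rule:
                continue
            dport = re.search(r"--dport (\d+)", rule)
            orig = re.search(r"--ctorigdstport (\d+)", rule)
            if orig and int(orig[1]) == published:
                verdict = "matches"   # conntrack remembers the pre-DNAT port
            elif dport and int(dport[1]) == backend:
                verdict = "matches"   # filter sees the rewritten port
            elif dport and int(dport[1]) == published:
                verdict = "misses"    # published port is gone from the packet after DNAT
            else:
                continue
            findings.append((rule, verdict))
    return findings

if __name__ == "__main__":
    for rule, verdict in audit(FILTER_RULES, parse_dnat(NAT_DOCKER)):
        print(f"{verdict:8} {rule}")
```

The verdict only reflects port matching; rule order and chain placement on a real host still decide whether a matching rule is reached.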
