Hi,

I have a problem running Ubuntu-17.10 (kernel 4.13-39-generic) and getting masquerading to work with a second interface. Traffic from a container (IP 172.17.0.4/16 via bridge docker0) gets translated to the address of the interface that is used for default route and not the interface of the outgoing packet.

When I ping the address 169.254.1.1 from the docker container and sniff the interface enx0050b66b0323, I see the source address is that of enp0s25 instead of that of enx0050b66b0323, output from "tcpdump -i enx0050b66b0323 -nn":

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enx0050b66b0323, link-type EN10MB (Ethernet), capture size 262144 bytes
08:31:59.208492 IP 169.254.1.1.1534 > 169.254.255.255.1534: UDP, length 224
08:31:59.615274 IP 10.46.3.43 > 169.254.1.1: ICMP echo request, id 356, seq 12, length 64
08:32:00.616389 IP 10.46.3.43 > 169.254.1.1: ICMP echo request, id 356, seq 13, length 64
08:32:01.617504 IP 10.46.3.43 > 169.254.1.1: ICMP echo request, id 356, seq 14, length 64

Have I missed some sysctl settings or what is going on? If I do a specific SNAT it does work, but I don't know the names of interfaces that might show up so I want to use the simpler MASQ method.

Regards,
Lars

Some other info:

Output from "ip a":

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 50:9a:4c:46:0f:ee brd ff:ff:ff:ff:ff:ff
    inet 10.46.3.43/22 brd 10.46.3.255 scope global dynamic enp0s25
       valid_lft 252075sec preferred_lft 252075sec
3: enx0050b66b0323: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:b6:6b:03:23 brd ff:ff:ff:ff:ff:ff
    inet 169.254.1.4/16 brd 169.254.255.255 scope link dynamic enx0050b66b0323
       valid_lft 637253sec preferred_lft 637253sec
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:8c:a2:67:c2 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: veth20883af@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 96:69:9f:32:ea:2b brd ff:ff:ff:ff:ff:ff link-netnsid 0
10: vetha3a4739@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 52:08:62:b5:aa:71 brd ff:ff:ff:ff:ff:ff link-netnsid 1
14: veth5b547db@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether e6:3f:e3:c4:b8:71 brd ff:ff:ff:ff:ff:ff link-netnsid 2

Output from "ip route":

default via 10.46.0.1 dev enp0s25 proto static metric 100
10.46.0.0/22 dev enp0s25 proto kernel scope link src 10.46.3.43 metric 100
169.254.0.0/16 dev enx0050b66b0323 proto kernel scope link src 169.254.1.4 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1

Output from "iptables -S -t nat":

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 32768 -j DNAT --to-destination 172.17.0.2:22

Output from "iptables -S":

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN