magnetico Write Congestion, docker and iptables

Write Congestion, docker and iptables

Open lruggieri opened this issue 5 years ago • 1 comments

Hello,

I am back on this topic even though it has already been discussed before. The current solution to the "Write Congestion" problem, as reported in the README, is to

iptables -I OUTPUT -t raw -p udp --sport PORT -j NOTRACK
iptables -I PREROUTING -t raw -p udp --dport PORT -j NOTRACK

where PORT is the port set with the --indexer-addr parameter. By default, it is 0, so I guess the command becomes

iptables -I OUTPUT -t raw -p udp --sport 0 -j NOTRACK
iptables -I PREROUTING -t raw -p udp --dport 0 -j NOTRACK

this does not work for me. I still get the congestion problem. So here my first question would be: am I using the correct iptables rules? Supposing I am, I also know that making UDP traffic completely stateless (so not specifying any port) with

iptables -I OUTPUT -t raw -p udp -j NOTRACK
iptables -I PREROUTING -t raw -p udp -j NOTRACK

works. BUT: docker containers are not able anymore to connect to the DNS...a simple ping google.com from the container is not working with those iptables rules.

My iptables configuration after restarting the server (so completely clean with only rules that docker itself sets):

*filter
:INPUT ACCEPT [17690:24446821]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [17524:24326427]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-4f74251a6c5d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-4f74251a6c5d -j DOCKER
-A FORWARD -i br-4f74251a6c5d ! -o br-4f74251a6c5d -j ACCEPT
-A FORWARD -i br-4f74251a6c5d -o br-4f74251a6c5d -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-4f74251a6c5d ! -o br-4f74251a6c5d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-4f74251a6c5d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT

*nat
:PREROUTING ACCEPT [1427:155333]
:INPUT ACCEPT [1427:155333]
:OUTPUT ACCEPT [400:24642]
:POSTROUTING ACCEPT [400:24642]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-4f74251a6c5d -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-4f74251a6c5d -j RETURN
COMMIT

After applying those 2 rules (with no port):

*raw
:PREROUTING ACCEPT [3250459:1072372983]
:OUTPUT ACCEPT [4399970:567297951]
-A PREROUTING -p udp -j NOTRACK
-A OUTPUT -p udp -j NOTRACK
COMMIT

*filter
:INPUT ACCEPT [5186662:1723115840]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7050379:933545767]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-4f74251a6c5d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-4f74251a6c5d -j DOCKER
-A FORWARD -i br-4f74251a6c5d ! -o br-4f74251a6c5d -j ACCEPT
-A FORWARD -i br-4f74251a6c5d -o br-4f74251a6c5d -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-4f74251a6c5d ! -o br-4f74251a6c5d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-4f74251a6c5d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT

*nat
:PREROUTING ACCEPT [5079:984675]
:INPUT ACCEPT [5076:984462]
:OUTPUT ACCEPT [681506:87015506]
:POSTROUTING ACCEPT [681506:87015506]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-4f74251a6c5d -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-4f74251a6c5d -j RETURN
COMMIT

I am definitely a beginner on iptables settings, but I see no point why making udp stateless should prevent docker from finding the DNS...or why using those 2 rules with port 0 does not resolve my congestion problem. Does anyone have an insight on this?

Nov 13 '19 16:11 lruggieri

@skobkin do you have any clue on this?

Nov 18 '19 15:11 lruggieri

magnetico magnetico copied to clipboard

Write Congestion, docker and iptables

magnetico
magnetico copied to clipboard