This document summarizes the journey of a packet through the Linux networking stack both from outside a host to a Docker container and from the host to the container. It explains that each Docker container has its own network namespace containing its network interfaces like a virtual network card. It then demonstrates how to use iptables to redirect incoming packets to a container's port using DNAT, solving the problem of accessing a container service from outside the host. The document provides an overview of Linux networking components like bridges, veth pairs, and network namespaces to explain how Docker integrates with the host network stack.

1. A Linux Packet Journey
with Docker
Elazar Leibovich
DevOpsDays, Tel Aviv 2019

2. Who am I?
● Work
○ Storage @VAST Data
○ Virtualization @Ravello
○ Hadoop @Akamai
● Open Source
○ goproxy author
● elazarl @Twitter

3. Agenda
● A packet’s life cycle in Linux
● How it applies with containers
● Example problem & solution

4. Agenda
● A packet’s life cycle in Linux
● How it applies with containers
● Example problem & solution
● Overview of all network devices
● In depth in-kernel infrastructure

5. The Problem

6. I wrote a new service
● Collectd-like
● Metrics by UDP

7. … deployed it on my laptop
With Docker
docker run -d myapp

8. How do I get there from the outside?
docker run -tip8000:8000/udp myapp

9. How can we do that in run time?

10. How can we do that in run time?

11. Networking Basics

12. Network Namespace
All network components
in a box:
● Network devices
● Routing tables
● …
1 Docker container → 1 network
namespace

13. Network Namespace Diagnosis
Network namespace ID

14. Packet from Host to Container
Docker Namespace Default namespace
bridge
Veth
Pair
Veth
Pair
docker0

15. Packet from Host to Container
Docker Namespace Default namespace
bridge
Veth
Pair
Veth
Pair
docker0

16. Packet from Host to Container
Docker Namespace Default namespace
bridge
Veth
Pair
Veth
Pair
docker0

17. Packet from Host to Container
Docker Namespace Default namespace
bridge
Veth
Pair
Veth
Pair
docker0

18. Packet from Host to Container
Docker Namespace Default namespace
bridge
Veth
Pair
Veth
Pair
docker0

19. Veth pair Diagnosis - ip link
My ID
Veth pair

20. Diagnosis of Interfaces in Bridge - ip link
This is my bridgeThis is me

21. Bridge Diagnosis - /sys/class/net/

22. Back to Our Problem

23. Required Packet Journey
Docker Namespace Default namespace
bridge
Veth
Pair
Veth
Pair
docker0
eth0

24. Required Packet Journey
Docker Namespace Default namespace
bridge
Veth
Pair
Veth
Pair
docker0
eth0

25. Required Packet Journey
Docker Namespace Default namespace
bridge
Veth
Pair
Veth
Pair
docker0
eth0

26. Required Packet Journey
Docker Namespace Default namespace
bridge
Veth
Pair
Veth
Pair
docker0
eth0

27. Required Packet Journey
Docker Namespace Default namespace
bridge
Veth
Pair
Veth
Pair
docker0
eth0

28. How can we do that?
What happens to incoming packets?

29. Ingress Packet
Is this packet for us?
● If it is - local delivery
● If it’s for someone else - forward it

30. Incoming packet to eth0
Docker Namespace Root namespace
bridge
Veth
Pair
Veth
Pair
docker0
eth0
172.17.0.1
10.25.0.1
172.17.0.2

31. Incoming packet to eth0
Docker Namespace Root namespace
bridge
Veth
Pair
Veth
Pair
docker0
eth0
172.17.0.1
10.25.0.1
172.17.0.2
Packet
Destination IP
10.25.0.1

32. Incoming packet to eth0
Docker Namespace Root namespace
bridge
Veth
Pair
Veth
Pair
docker0
eth0
172.17.0.1
10.25.0.1
172.17.0.2
Destination ==
laptop IP
10.25.0.1

33. Local Delivery!
Docker Namespace Root namespace
bridge
Veth
Pair
Veth
Pair
docker0
eth0
172.17.0.1
10.25.0.1
172.17.0.2

34. UdpNoPorts
nstat | rg UdpNoPorts
● Formal documentation:
The total number of received UDP datagrams for which there was no
application at the destination port
● Simple words:
The number of UDP packet dropped

35. What Would Happen?
We send a packet to port 8000

36. What Would Happen?
It’s dropped!

37. Moving a Packet to docker0

38. iptables
● Rule-based packet manipulation
● In various point of the packet lifecycle

39. iptables
● Rule-based packet manipulation
● In various point of the packet lifecycle
● We want to manipulate the packet’s destination before we
route it!

41. Solution
iptables
-A PREROUTING -t nat # when? before routing

42. Solution
iptables
-A PREROUTING -t nat # when? before routing
-i eth0 -p udp --dport 8000 # which? if pkt in eth0 from 8000

43. Solution
iptables
-A PREROUTING -t nat # when? before routing
-i eth0 -p udp --dport 8000 # which? if pkt in eth0 from 8000
-j DNAT --to-destination 172.17.0.2:8000 # what? route to Docker

44. We’re done!
● At first, we couldn’t send packets to a running container
● Docker said: “impossible”
● With a basic iptables command - we did it!

45. Summary
● You can do amazing things with Linux networking
● Available by default, on any server
● Basic knowledge is required

46. Questions?
I have a question for you!
Can you forward packets to a
container only when no one accepts
them on the host?@elazarl

47. More Information
Linux packet journey,napi, hardware queue,skb:
https://youtu.be/6Fl1rsxk4JQ
The Journey of a Packet Through the Linux Network Stack

48. Tools used
lsd - the next gen ls command
bat - A cat(1) clone with wings.
column(1)
ripgrep recursively searches directories for a regex pattern
ip(8)
rtacct(8) nstat(8)