
I have a use case where I created a Docker macvlan network (default bridge mode) & connected this network to a running Docker container (e.g. C1). So the container has a new macvlan interface (e.g. eth1).

docker network create -d macvlan --subnet=172.16.16.0/24 --gateway=172.16.16.1 -o parent=ens224 macvlan-ens224
docker network connect macvlan-ens224 C1

Inside container C1, I created a macvtap interface on the macvlan (eth1) interface & assigned an IP.

ip link add link eth1 name mymacvtap0 type macvtap mode private
ip addr add 172.17.17.2/24 dev mymacvtap0
ip link set up dev mymacvtap0

Now, when I ping some IP in the subnet 172.17.17.2/24 from inside the container, an ARP request is broadcast using the source MAC address of the container's macvtap interface. The target IP sends back an ARP reply. The ARP reply reaches the physical interface ens224 (seen with tcpdump). But the reply never reaches the inside of the container.

Can someone please point out what I am missing here?

1 Answer


This is the principal scheme of how the macvlan driver works:

                                    +---------------+
                                    | network stack |
                                    +---------------+
                                        |  |  |  |
                              +---------+  |  |  +------------------+
                              |            |  +------------------+  |
                              |            +------------------+  |  |
                              |                               |  |  |
                              |            aa  +----------+   |  |  |
                              | eth0     +-----| macvlan0 |---+  |  |
                              |         /      +----------+      |  |
 Wire   +------+       +---------------+   bb  +----------+      |  |
--------| eth0 |------/ if dst mac is /--------| macvlan1 |------+  |
        +------+     +---------------+ \       +----------+         |
                                        \  cc  +----------+         |
                                         +-----| macvlan2 |---------+
                                               +----------+

As you can see, this type of interface works by the following principle: it listens on the physical network card and just catches its own MAC address.

If you add any other interface on top of a macvlan, for example a bridge or another macvlan/macvtap interface, it will transfer any traffic from it to the external network, but not in the reverse direction, because it catches traffic only for its own MAC address.

To solve your problem you should use a Linux bridge and connect your container to the bridge via a veth interface pair.

You should use macvlan/macvtap interfaces only if they are the endpoint.

Here you can get more info about this type of interface:

  • The first link cannot be accessed.
    – allenwang
    Commented Jan 3, 2018 at 12:49
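The principle the answer describes, as an added Python model written for this page (not kernel, Docker or the answerer's code): a macvlan parent delivers a received frame only to the child that owns its destination MAC and learns nothing from outbound traffic, while a Linux bridge learns source MACs per port and forwards accordingly. The MAC addresses and the port name veth-c1 are constructed for the illustration.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "src dst")   # an Ethernet frame reduced to its MACs
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed sample MACs (hypothetical, not taken from the question)
ETH1_MAC = "02:42:ac:10:10:02"      # C1's macvlan child interface eth1
MACVTAP_MAC = "0a:11:22:33:44:55"   # mymacvtap0 stacked on top of eth1
PEER_MAC = "00:11:22:aa:bb:cc"      # the host that answers the ARP request

class MacvlanParent:
    """Physical NIC (ens224) with macvlan children. The driver demuxes incoming
    frames purely on destination MAC and learns nothing from outgoing traffic."""
    def __init__(self, children):
        self.children = children      # child MAC -> child ifname

    def rx(self, frame):
        """Child interfaces that receive a frame arriving from the wire."""
        if frame.dst == BROADCAST:
            return sorted(self.children.values())
        return [self.children[frame.dst]] if frame.dst in self.children else []

class Bridge:
    """Learning bridge: records the port each source MAC was seen on, forwards
    to that port, and floods unknown or broadcast destinations."""
    def __init__(self, ports):
        self.ports, self.fdb = set(ports), {}

    def rx(self, in_port, frame):
        """Ports the frame is forwarded to after entering on in_port."""
        self.fdb[frame.src] = in_port
        out = self.fdb.get(frame.dst)
        if frame.dst != BROADCAST and out is not None:
            return [out] if out != in_port else []
        return sorted(self.ports - {in_port})

def macvlan_scenario():
    """The question's setup: the ARP reply is addressed to mymacvtap0's MAC,
    which no macvlan child on ens224 owns, so nothing is delivered to C1."""
    ens224 = MacvlanParent({ETH1_MAC: "eth1"})
    return ens224.rx(Frame(src=PEER_MAC, dst=MACVTAP_MAC))

def bridge_scenario():
    """The answer's fix: br0 with ens224 and C1's veth end as ports. The ARP
    request leaving C1 teaches br0 where MACVTAP_MAC lives; the reply follows."""
    br0 = Bridge(["ens224", "veth-c1"])
    br0.rx("veth-c1", Frame(src=MACVTAP_MAC, dst=BROADCAST))
    return br0.rx("ens224", Frame(src=PEER_MAC, dst=MACVTAP_MAC))
```

`macvlan_scenario()` returns an empty list, matching the symptom in the question (reply visible on ens224, never inside C1), while `bridge_scenario()` returns the veth port leading into the container.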
