
I'm trying to delay traffic between containers (container1 calling container2) from a third container that has access to the host network and has the NET_ADMIN capability (container3_admin).

When I apply the following tc rules on the container I want to delay (using this answer), it is working fine.

tc qdisc add dev eth0 root handle 1: prio
tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip dst 172.21.0.2 flowid 1:1
tc filter add dev eth0 protocol all parent 1: prio 2 u32 match ip dst 0.0.0.0/0 flowid 1:2
tc filter add dev eth0 protocol all parent 1: prio 2 u32 match ip protocol 1 0xff flowid 1:2
tc qdisc add dev eth0 parent 1:1 handle 10: netem delay 55ms
tc qdisc add dev eth0 parent 1:2 handle 20: sfq

However, when applying the same rules on the virtual interface from container3_admin, it fails. The filter is not matching, according to the output of the following command.

root@linuxkit-025000000001:/# tc -s filter ls dev veth71cd412
filter parent 1: protocol ip pref 1 u32 
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1 
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1  (rule hit 4 success 0)
  match ac150002/ffffffff at 16 (success 0 ) 
filter parent 1: protocol all pref 2 u32 
filter parent 1: protocol all pref 2 u32 fh 801: ht divisor 1 
filter parent 1: protocol all pref 2 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:2  (rule hit 5 success 5)
  match 00000000/00000000 at 16 (success 5 ) 
filter parent 1: protocol all pref 2 u32 fh 801::801 order 2049 key ht 801 bkt 0 flowid 1:2  (rule hit 0 success 0)
  match 00010000/00ff0000 at 8 (success 0 ) 

container2 is running netcat to listen to port 54321 (nc -l -k 54321) and its IP address is 172.21.0.2.

Could you tell me why the delay rule is not matching (`match ac150002/ffffffff at 16 (success 0 )`)?

The output of `ip a` is the following.

container2

369: eth0@if370: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:15:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.21.0.2/16 brd 172.21.255.255 scope global eth0
       valid_lft forever preferred_lft forever

container3

370: veth7a1036d@if369: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-ea46af09b7f5 state UP group default 
    link/ether 06:2d:a5:4b:84:7e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::42d:a5ff:fe4b:847e/64 scope link 
       valid_lft forever preferred_lft forever
  • Try using `protocol all` instead of `protocol ip` in the `filter add` construction. – Anton Danilov Jun 19 '19 at 14:55
  • Actually, I have tested again with your recommendation; it was not working, but then I checked again the virtual interface I was using and I realized it was not working :| Thanks for the help anyway – Nicolas Henneaux Jun 20 '19 at 08:15
  • You're welcome. Describe the solution in the answer to help others. – Anton Danilov Jun 20 '19 at 08:18
  • Actually, I have tested to apply the rules on `container2` virtual interface and it was working. It's not really what I need in fact, I need to delay traffic of `container1` and this is not working (including when I use your advice `tc filter add dev veth90638b9 protocol all parent 1: prio 1 u32 match ip dst 172.21.0.2 flowid 1:1`) – Nicolas Henneaux Jun 20 '19 at 08:59
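An added example, not code from the question or its commenters, that automates the two checks this thread comes down to: mapping a container's eth0 to the host-side veth that actually carries its traffic (the listing above was taken on veth71cd412 while container2's peer is veth7a1036d), and decoding the u32 `match` keys and hit counters from `tc -s filter ls`. The `ip -o link` and `tc` texts are constructed from the question's output; veth71cd412's index 372 and peer if371 are assumed values.

```sh
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed
# from the question's output; index 372 / "veth71cd412@if371" are assumed.

host_veth_for_peer() {
  # $1 = peer ifindex as read inside the container (cat /sys/class/net/eth0/iflink),
  # $2 = host-side `ip -o link` text. Prints the veth whose own index equals $1.
  printf '%s\n' "$2" | awk -v idx="$1" -F': ' '$1 == idx { sub(/@.*/, "", $2); print $2; exit }'
}

hex_to_ip() {
  # u32 keys are big-endian hex: ac150002 -> 172.21.0.2
  v=$((0x$1))
  printf '%d.%d.%d.%d' $(((v >> 24) & 255)) $(((v >> 16) & 255)) $(((v >> 8) & 255)) $((v & 255))
}

report_dst_filters() {
  # $1 = `tc -s filter ls dev <if>` text. For each "match ... at 16" (IPv4 dst offset)
  # prints "<flowid> <dst> hit=<n> success=<n>". Hits without successes mean the qdisc
  # sees packets but none on this interface are addressed to <dst>: wrong veth or direction.
  printf '%s\n' "$1" | awk '
    /flowid/ { f=$0; sub(/.*flowid /,"",f); sub(/ .*/,"",f); h="?"; s="?"
               if ($0 ~ /rule hit/) { h=$0; sub(/.*rule hit /,"",h); sub(/ .*/,"",h)
                                      s=$0; sub(/.*success /,"",s); sub(/\).*/,"",s) } }
    /match .* at 16/ { k=$2; sub(/\/.*/,"",k); print f, k, h, s }' |
  while read -r fid key hit succ; do
    printf '%s %s hit=%s success=%s\n' "$fid" "$(hex_to_ip "$key")" "$hit" "$succ"
  done
}

# Constructed sample: host-side `ip -o link` (second line's index and peer are assumed)
HOST_LINKS='370: veth7a1036d@if369: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-ea46af09b7f5 state UP
372: veth71cd412@if371: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-ea46af09b7f5 state UP'

# Constructed sample: the filter listing from the question, trimmed to the counter lines
TC_FILTERS='filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1  (rule hit 4 success 0)
  match ac150002/ffffffff at 16 (success 0 )
filter parent 1: protocol all pref 2 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:2  (rule hit 5 success 5)
  match 00000000/00000000 at 16 (success 5 )'

host_veth_for_peer 370 "$HOST_LINKS"   # container2 (eth0@if370) -> veth7a1036d
report_dst_filters "$TC_FILTERS"       # 1:1 172.21.0.2 hit=4 success=0 / 1:2 0.0.0.0 hit=5 success=5
```

Run `cat /sys/class/net/eth0/iflink` inside the container and feed that number with the host's real `ip -o link` output to get the interface the netem qdisc must be attached to.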
