Commit cbb9be9

Describe gateway mode 'isolated'.
Signed-off-by: Rob Murray <[email protected]>
1 parent f99a4d6 commit cbb9be9

2 files changed

+19
-10
lines changed


content/manuals/engine/network/drivers/bridge.md

Lines changed: 10 additions & 10 deletions
@@ -105,16 +105,16 @@ flag.
105105
The following table describes the driver-specific options that you can pass to
106106
`--opt` when creating a custom network using the `bridge` driver.
107107

108-
| Option | Default | Description |
109-
|-------------------------------------------------------------------------------------------------|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
110-
| `com.docker.network.bridge.name` | | Interface name to use when creating the Linux bridge. |
111-
| `com.docker.network.bridge.enable_ip_masquerade` | `true` | Enable IP masquerading. |
112-
| `com.docker.network.bridge.gateway_mode_ipv4`<br/>`com.docker.network.bridge.gateway_mode_ipv6` | `nat` | Enable NAT and masquerading (`nat`), or only allow direct routing to the container (`routed`). See [Packet filtering and firewalls](packet-filtering-firewalls.md). |
113-
| `com.docker.network.bridge.enable_icc` | `true` | Enable or Disable inter-container connectivity. |
114-
| `com.docker.network.bridge.host_binding_ipv4` | all IPv4 and IPv6 addresses | Default IP when binding container ports. |
115-
| `com.docker.network.driver.mtu` | `0` (no limit) | Set the containers network Maximum Transmission Unit (MTU). |
116-
| `com.docker.network.container_iface_prefix` | `eth` | Set a custom prefix for container interfaces. |
117-
| `com.docker.network.bridge.inhibit_ipv4` | `false` | Prevent Docker from [assigning an IP address](#skip-bridge-ip-address-configuration) to the bridge. |
108+
| Option | Default | Description |
109+
|-------------------------------------------------------------------------------------------------|-----------------------------|-----------------------------------------------------------------------------------------------------|
110+
| `com.docker.network.bridge.name` | | Interface name to use when creating the Linux bridge. |
111+
| `com.docker.network.bridge.enable_ip_masquerade` | `true` | Enable IP masquerading. |
112+
| `com.docker.network.bridge.gateway_mode_ipv4`<br/>`com.docker.network.bridge.gateway_mode_ipv6` | `nat` | Control external connectivity. See [Packet filtering and firewalls](packet-filtering-firewalls.md). |
113+
| `com.docker.network.bridge.enable_icc` | `true` | Enable or Disable inter-container connectivity. |
114+
| `com.docker.network.bridge.host_binding_ipv4` | all IPv4 and IPv6 addresses | Default IP when binding container ports. |
115+
| `com.docker.network.driver.mtu` | `0` (no limit) | Set the containers network Maximum Transmission Unit (MTU). |
116+
| `com.docker.network.container_iface_prefix` | `eth` | Set a custom prefix for container interfaces. |
117+
| `com.docker.network.bridge.inhibit_ipv4` | `false` | Prevent Docker from [assigning an IP address](#skip-bridge-ip-address-configuration) to the bridge. |
118118

119119
Some of these options are also available as flags to the `dockerd` CLI, and you
120120
can use them to configure the default `docker0` bridge when starting the Docker
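
Review bot: The new description for `com.docker.network.bridge.gateway_mode_ipv4` / `gateway_mode_ipv6` (new line 112), "Control external connectivity.", no longer names any accepted value, so the options table only shows the default `nat` and the reader has to follow the link to learn what else can be set. Consider keeping the values in the cell, for example "Control external connectivity: `nat`, `nat-unprotected`, `routed` or `isolated`.", with the link for details. Separately, narrowing the description column re-flows every row of the table, so a one-row wording change shows up as ten changed lines; leaving the column width alone would keep the diff to the row that actually changed.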

content/manuals/engine/network/packet-filtering-firewalls.md

Lines changed: 9 additions & 0 deletions
@@ -152,6 +152,7 @@ Each of these can be set to one of the gateway modes:
152152
- `nat`
153153
- `nat-unprotected`
154154
- `routed`
155+
- `isolated`
155156

156157
The default is `nat`, NAT and masquerading rules are set up for each
157158
published container port. Packets leaving the host will use a host address.
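
Review bot: The `isolated` bullet added at new line 155 sits in a list introduced as "Each of these can be set to one of the gateway modes", which reads as if all four modes are valid for any network, while the paragraph added further down says `isolated` can only be used together with `--internal`. Consider flagging the restriction at the bullet itself, for example "`isolated` (only for networks created with `--internal`)", so a reader scanning the list does not try it on a regular bridge network.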
@@ -193,6 +194,14 @@ should not be given. If a specific address or port is given, it will
193194
have no effect on the published port and a warning message will be
194195
logged.
195196

197+
Mode `isolated` can only be used when the network is also created with
198+
CLI flag `--internal`, or equivalent. An address is normally assigned to the
199+
bridge device in an `internal` network. So, processes on the docker host can
200+
access the network, and containers in the network can access host services
201+
listening on that bridge address (including services listening on "any" host
202+
address, `0.0.0.0` or `::`). No address is assigned to the bridge when the
203+
network is created with gateway mode `isolated`.
204+
196205
#### Example
197206

198207
Create a network suitable for direct routing for IPv6, with NAT enabled
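
Review bot: The paragraph added at new lines 197-203 does not say what happens when `isolated` is requested without `--internal` (rejected at network creation, or ignored with a warning like the case described just above it), and it leaves the effect of the mode to be inferred. Most of the text describes the normal `internal` behaviour, and only the last sentence, "No address is assigned to the bridge when the network is created with gateway mode `isolated`", covers the new mode. Consider stating the consequence directly: with no bridge address, host processes cannot reach the network through the bridge and containers cannot reach host services, including those listening on `0.0.0.0` or `::`. Two smaller points: "CLI flag `--internal`, or equivalent" could name the equivalent, and "docker host" should be capitalized as "Docker host" to match the rest of the page. The `#### Example` that follows covers direct routing only, so a short `isolated` example would also help.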
