1 change: 1 addition & 0 deletions content/manuals/engine/network/drivers/bridge.md
@@ -118,6 +118,7 @@ The following table describes the driver-specific options that you can pass to
|-------------------------------------------------------------------------------------------------|-----------------------------|-----------------------------------------------------------------------------------------------------|
| `com.docker.network.bridge.name` | | Interface name to use when creating the Linux bridge. |
| `com.docker.network.bridge.enable_ip_masquerade` | `true` | Enable IP masquerading. |
| `com.docker.network.host_ipv4`<br/>`com.docker.network.host_ipv6` | | Address to use for source NAT. See [Packet filtering and firewalls](packet-filtering-firewalls.md). |
| `com.docker.network.bridge.gateway_mode_ipv4`<br/>`com.docker.network.bridge.gateway_mode_ipv6` | `nat` | Control external connectivity. See [Packet filtering and firewalls](packet-filtering-firewalls.md). |
| `com.docker.network.bridge.enable_icc` | `true` | Enable or Disable inter-container connectivity. |
| `com.docker.network.bridge.host_binding_ipv4` | all IPv4 and IPv6 addresses | Default IP when binding container ports. |
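Review bot: the new `com.docker.network.host_ipv4` / `com.docker.network.host_ipv6` row leaves the Default column empty and its description does not say when the option applies; the port-publishing.md hunk in this same change states that these addresses only take effect while `com.docker.network.bridge.enable_ip_masquerade` is `true`, so say that here too, for example "Address to use for source NAT; only used when `enable_ip_masquerade` is `true`." It is also the only key in this table without the `bridge.` segment (`com.docker.network.host_ipv4` rather than `com.docker.network.bridge.host_ipv4`); if that is the option name the daemon accepts, a short remark would stop readers from "correcting" it.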
23 changes: 19 additions & 4 deletions content/manuals/engine/network/drivers/macvlan.md
@@ -32,6 +32,13 @@
overlay (to communicate across multiple Docker hosts), these solutions may be
better in the long term.

- Containers attached to a macvlan network cannot communicate with the host
directly, this is a restriction in the Linux kernel. If you need communication
between the host and the containers, you can connect the containers to a
bridge network as well as the macvlan. It is also possible to create a
macvlan interface on the host with the same parent interface, and assign it
an IP address in the Docker network's subnet.

## Options

The following table describes the driver-specific options that you can pass to
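Review bot: "cannot communicate with the host directly, this is a restriction in the Linux kernel" is a comma splice; split it ("... with the host directly. This is a restriction in the Linux kernel."). The last sentence offers a host-side macvlan interface on the same parent as a workaround but gives no command; since this page already shows `docker network create` examples, a matching `ip link add ... link <parent> type macvlan` example with an address from the network's subnet would make the workaround actionable, together with a note that it gives every container on that network a path to the host, so host firewall rules need to cover the new interface.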
@@ -94,15 +101,23 @@

### Use an IPvlan instead of Macvlan

In the above example, you are still using a L3 bridge. You can use `ipvlan`
instead, and get an L2 bridge. Specify `-o ipvlan_mode=l2`.
An `ipvlan` network created with option `-o ipvlan_mode=l2` is similar
[vale] Check failure on line 104 (GitHub Actions / validate (vale)): [Vale.Terms] Use 'IPvlan' instead of 'ipvlan'.
to a macvlan network. The main difference is that the `ipvlan` driver
doesn't assign a MAC address to each container, the layer-2 network stack
[vale] Check failure on line 106 (GitHub Actions / validate (vale)): [Vale.Terms] Use 'Mac' instead of 'MAC'.
is shared by devices in the ipvlan network. So, containers use the parent
interface's MAC address.
[vale] Check failure on line 108 (GitHub Actions / validate (vale)): [Vale.Terms] Use 'Mac' instead of 'MAC'.

The network will see fewer MAC addresses, and the host's MAC address will be
[vale] Check failure on line 110, columns 28 and 58 (GitHub Actions / validate (vale)): [Vale.Terms] Use 'Mac' instead of 'MAC'.
associated with the IP address of each container.

The choice of network type depends on your environment and requirements.
There are some notes about the trade-offs in the [Linux kernel
documentation](https://docs.kernel.org/networking/ipvlan.html#what-to-choose-macvlan-vs-ipvlan).

```console
$ docker network create -d ipvlan \
--subnet=192.168.210.0/24 \
--subnet=192.168.212.0/24 \
--gateway=192.168.210.254 \
--gateway=192.168.212.254 \
-o ipvlan_mode=l2 -o parent=eth0 ipvlan210
```
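Review bot: the validate (vale) job fails on this hunk. The `ipvlan` hit on line 104 lands inside a code span (`-o ipvlan_mode=l2` is the literal option value), so keep the code span and either reword the surrounding prose to "IPvlan" or mark the span so Vale skips it; the four "Use 'Mac' instead of 'MAC'" hits on lines 106, 108 and 110 are false positives for "MAC address" and need a Vale accept-list entry rather than a text change. "doesn't assign a MAC address to each container, the layer-2 network stack is shared" is a comma splice; use a semicolon or "because". The deleted sentences were the only place that told the reader directly to pass `-o ipvlan_mode=l2`; the new text names the option only in passing in its first line, so consider keeping "Specify `-o ipvlan_mode=l2`" next to the example, and note that `parent=eth0` in the example stands for the host's real interface.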

22 changes: 22 additions & 0 deletions content/manuals/engine/network/port-publishing.md
@@ -289,6 +289,28 @@ For example:
> Changing the default bind address doesn't have any effect on Swarm services.
> Swarm services are always exposed on the `0.0.0.0` network interface.

### Masquerade or SNAT for outgoing packets

By default, if NAT is enabled for a bridge network, outgoing packets from
containers are masqueraded. This means the source address of packets
leaving the Docker host is changed to an address on the host interface
the packet is sent on.

Masquerading can be disabled for a user-defined bridge network by using
the `com.docker.network.bridge.enable_ip_masquerade` driver option when
creating the network. For example:
```console
$ docker network create mybridge \
-o com.docker.network.bridge.enable_ip_masquerade=false ...
```

To use a specific source address for outgoing packets for a user-defined
network, instead of letting masquerading select an address, use options
`com.docker.network.host_ipv4` and `com.docker.network.host_ipv6` to
specify the Source NAT (SNAT) address to use. The
`com.docker.network.bridge.enable_ip_masquerade` option must
be `true`, the default, for these options to have any effect.

### Default bridge

To set the default binding for the default bridge network, configure the `"ip"`
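Review bot: the code block after "For example:" has no blank line before its opening fence, unlike the other examples on this page; add one. The section explains how to switch masquerading off but not what the reader gets instead: with `com.docker.network.bridge.enable_ip_masquerade=false`, packets leave the host carrying the container's own bridge-subnet source address, which the upstream network must be able to route back and which makes container addresses visible outside the host, so one sentence on that consequence belongs after the example. The last paragraph says `com.docker.network.host_ipv4` and `com.docker.network.host_ipv6` are ignored unless masquerading is enabled; the `enable_ip_masquerade` row in bridge.md should cross-reference this so the two pages agree.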