Policy Based Routing (pbr) and arbitrary docker container

Thank you to all those contributing to PBR for such a great addition to OpenWRT.

I'm looking for a bit of guidance. Background is I have a classic docker stack behind a traefik proxy. What I'd like to do is route any given container via pbr logic when it needs external endpoints (VPN vs ISP). The only way I've managed to roll this out is to give the container a static IP on the host network with macvlan. It seems a bit hacky to me as well as it will not scale.

I've tried to give the PBR rules using static IPs within the docker stack as well as a static mac address and/or hostname, but it seems all the layers before the traffic hits OpenWRT/PBR strip away what is needed.

I'd welcome any suggestions on what I may also try to remove the requirement of static IP assignments.

Many thanks!

Answering my own query here...basically you can piggyback in this manner:
https://scribe.froth.zone/@sruffilli/abusing-the-ip-dscp-flag-for-fun-and-no-profit-368174621311


Just to confirm, you ended up using DSCP tagging?

I haven't yet, but this seems clear cut. Basically sidecar a container and adjust iptables then route through that container.

HTH
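The sidecar approach above, worked through as an added example (not code from the thread or from the pbr project): a POSIX sh entrypoint for a sidecar container whose network namespace the application containers share (`network_mode: "service:<sidecar>"`). It sets a DSCP code point on all packets leaving the namespace, so the router can match that mark instead of a per-container IP or MAC. `DSCP_VALUE`, `EGRESS_IF` and the rule helpers are assumptions constructed for this example; the pbr-side config shown in the comments should be checked against the pbr README.

```shell
#!/bin/sh
# Sidecar entrypoint (constructed example). Requires NET_ADMIN on the sidecar only;
# the application containers sharing its netns need no extra privileges.
# Assumptions: DSCP_VALUE is a decimal code point 0..63 agreed with the router
# config, EGRESS_IF is the sidecar's interface inside the namespace.
DSCP_VALUE="${DSCP_VALUE:-10}"
EGRESS_IF="${EGRESS_IF:-eth0}"

# DSCP is a 6-bit field: accept only integers 0..63, otherwise fail (return 1).
valid_dscp() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -le 63 ]
}

# Print the rule for the given DSCP and interface without applying it.
# The -C check keeps a sidecar restart from appending duplicate rules.
dscp_mark_rules() {
  valid_dscp "$1" || return 1
  rule="POSTROUTING -o $2 -j DSCP --set-dscp $1"
  printf '%s\n' "iptables -t mangle -C $rule 2>/dev/null || iptables -t mangle -A $rule"
}

# Apply the rules when iptables is present; otherwise just show them (DRY_RUN).
apply_rules() {
  rules="$(dscp_mark_rules "$1" "$2")" || { echo "bad DSCP value: $1" >&2; return 1; }
  if [ -n "${DRY_RUN:-}" ] || ! command -v iptables >/dev/null 2>&1; then
    printf '%s\n' "$rules"; return 0
  fi
  sh -c "$rules"
}

# Router side (assumption, verify in the pbr README): pbr's DSCP-based policy
# sends packets carrying this code point out of the chosen interface, e.g.
#   config dscp_interface 'wan'   (or the VPN interface)
#     option dscp '10'
# Note the mark survives only as far as the first hop that rewrites the TOS byte;
# on a LAN segment between docker host and OpenWrt that is normally fine.
if [ "$#" -ge 2 ]; then
  apply_rules "$1" "$2"
elif [ "${ENTRYPOINT_RUN:-}" = 1 ]; then
  apply_rules "$DSCP_VALUE" "$EGRESS_IF"
fi
```

Run it as the sidecar's entrypoint with `ENTRYPOINT_RUN=1`, or with `DRY_RUN=1 ./entrypoint.sh 10 eth0` to inspect the generated rule before granting the container NET_ADMIN.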
