Docker - traffic mirroring

Tags: docker

I have 2 different running containers. I'd like to be able to mirror traffic that comes to container #1 into container #2.

Is there a docker command for this?

Vladimir Kroz asked Oct 23 '25 20:10


2 Answers

Traffic mirroring is possible on linux interfaces, I don't believe docker provides a method for setting that up though. The mirroring should work via the veth interfaces docker sets up for each container, if you add it manually.

Traffic Control

tc allows you to manage traffic in a number of ways, normally used for quality of service type queuing. tc also provides a mirror action. The following matches all inbound and outbound traffic and mirrors it to another interface.

# Host-side veth of container #1 is vethb692b75, of container #2 is veth4305fdd.
# "ip link" displays them as vethb692b75@if13 and veth4305fdd@if15, but the
# "@ifN" suffix is only the peer index; tc wants the bare device name.
# Ingress: copy everything arriving on container #1's veth to container #2's veth.
tc qdisc add dev vethb692b75 ingress
tc filter add dev vethb692b75 parent ffff: \
   protocol all prio 2 u32 \
   match u32 0 0 flowid 1:1 \
   action mirred egress mirror dev veth4305fdd

# Egress: same for everything leaving through container #1's veth.
tc qdisc replace dev vethb692b75 parent root handle 10: prio
tc filter add dev vethb692b75 parent 10: \
   protocol all prio 2 u32 \
   match u32 0 0 flowid 10:1 \
   action mirred egress mirror dev veth4305fdd

IP Tables

iptables can forward cloned packets to a routable host. This would normally be used to mirror traffic to an external host.

# Packets from container #1 arrive on its veth (PREROUTING, -i); packets to it
# leave through that veth (POSTROUTING, -o; -i is not accepted in POSTROUTING).
# TEE sends a clone of each packet to <monitor_ip> and leaves the original untouched.
iptables -t mangle -I PREROUTING -i vethb692b75 -j TEE --gateway <monitor_ip>
iptables -t mangle -I POSTROUTING -o vethb692b75 -j TEE --gateway <monitor_ip>

tcpdump

As most network monitoring software in the linux world deals in tcpdump, you may also be able to tcpdump the interface from the host into a fifo that is mounted into your monitoring container.

mkfifo /tmp/remotecapture.fifo
# Opening the fifo for writing blocks until a reader opens it, so background tcpdump.
# -s 0 keeps full frames, -U flushes each packet, -w - streams pcap to stdout.
tcpdump -s 0 -n -U -w - -i vethb692b75 > /tmp/remotecapture.fifo &
# Bind-mount the fifo into the monitoring container and let the tool read it.
docker run -v /tmp/remotecapture.fifo:/tmp/remotecapture.fifo <image> netmonitor -f /tmp/remotecapture.fifo

Notes

The veth names are assigned at each container startup, so capturing would need to be part of your container start/stop process. You want to remove any rules on a container stop.

In the cases where traffic is forwarded somewhere, the recipient container/host should not be routing any of these packets back or to their original destination.

Matt answered Oct 26 '25 10:10
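An added helper script, not from either answer, that does what the notes above ask for: it resolves each container's host-side veth at run time (via eth0's iflink, so it works however Docker named the veth) and applies or removes the tc mirror rules from the answer on container start and stop. It assumes docker, iproute2 (tc) and root on the host, and that each container's interface is eth0; SYSNET is a hypothetical override so the lookup can be tested offline.

```shell
#!/bin/sh
# Hypothetical helper (not from either answer): mirror all traffic on container
# SRC's host-side veth to container DST's veth with the tc rules above, resolving
# the veth names at run time because they change on every container start.
# Assumes docker, iproute2 (tc) and root on the host; each container's interface is eth0.
set -eu

SYSNET=${SYSNET:-/sys/class/net}   # overridable so the lookup can be tested offline

# Map a host ifindex to an interface name by scanning $SYSNET/*/ifindex.
veth_for_ifindex() {
    for f in "$SYSNET"/*/ifindex; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "$1" ]; then
            basename "$(dirname "$f")"
            return 0
        fi
    done
    return 1
}

# Inside the container, eth0's 'iflink' is the ifindex of its host-side veth peer.
container_host_veth() {
    veth_for_ifindex "$(docker exec "$1" cat /sys/class/net/eth0/iflink)"
}

# Print the tc commands for 'add' or 'del' between two host interfaces, one per line.
mirror_cmds() {
    if [ "$1" = add ]; then
        printf 'tc qdisc add dev %s ingress\n' "$2"
        printf 'tc filter add dev %s parent ffff: protocol all prio 2 u32 match u32 0 0 flowid 1:1 action mirred egress mirror dev %s\n' "$2" "$3"
        printf 'tc qdisc replace dev %s root handle 10: prio\n' "$2"
        printf 'tc filter add dev %s parent 10: protocol all prio 2 u32 match u32 0 0 flowid 10:1 action mirred egress mirror dev %s\n' "$2" "$3"
    else
        # Deleting both qdiscs removes their filters and mirror actions with them.
        printf 'tc qdisc del dev %s ingress\n' "$2"
        printf 'tc qdisc del dev %s root\n' "$2"
    fi
}

# usage: mirror.sh add|del SRC_CONTAINER DST_CONTAINER  (run on container start / stop)
main() {
    src=$(container_host_veth "$2")
    dst=$(container_host_veth "$3")
    mirror_cmds "$1" "$src" "$dst" | sh -e
}

case "${1:-}" in add|del) main "$@" ;; esac
```

Running it as `mirror.sh add web monitor` on container start and `mirror.sh del web monitor` on stop keeps the rules tied to the container lifecycle, as the notes recommend.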


It would be easier to set up container #2 as a reverse proxy for container #1.

That means container #2 sees all traffic and sends it to container #1.

You can use traefik.io as container #2. It is meant for load balancing, but in your case you could define only one backend (so no load balancing there) referencing container #1.
You can build a traefik container quite easily (see this Dockerfile for instance, for the arm architecture).

VonC answered Oct 26 '25 12:10