Why do ping packets not reach a custom gateway in docker?

会有一股神秘感。 Submitted on 2019-12-11 11:47:13

Question


The Story

I have the following virtual Docker network configuration:

 ...10.2        ...10.3 ...100.3        ...100.2
+------+            +-------+            +------+
| so_A +--so_net_a--+ so_AB +--so_net_b--+ so_B |
+------+ ...10.0/24 +-------+ ..100.0/24 +------+

Built with the setup script at the end of the question. Here so_A, so_AB and so_B are Debian containers; so_net_a and so_net_b are Docker networks (a recently added feature).

I want to make a router out of the middle container so_AB. For that I replace the default gateway in so_A with the IP of so_AB:

docker exec --privileged so_A ip route del default
docker exec --privileged so_A ip route add default via $AB_A_IP dev eth0

Then I run tcpdump on so_AB (in an extra terminal window):

docker attach so_AB
/# tcpdump -i eth0 -n

and ping some addresses from so_A. I do not understand why, when I ping an IP address from a completely unrelated network, e.g.:

docker attach so_A
/# ping 192.168.200.2

so_AB receives ICMP packets (although for some reason from the default gateway 192.168.10.1, while I would expect them to come from the so_A IP 192.168.10.2), but when I ping any address from the so_net_b subnet, e.g.:

/# ping 192.168.100.15

so_AB receives only ARP requests, like ARP, Request who-has 192.168.10.3 tell 192.168.10.2, length 28.

ip route get shows that so_A uses so_AB as the first hop for both addresses.

Question

Why do the ping packets for the relevant IP addresses not reach the custom-set default gateway, while the non-relevant ones do?

Setup

I use the latest Docker version: 1.9.1, build a34a1d5 on my 64-bit Ubuntu 14.04.

Here is a setup script to reproduce the issue:

docker network create --driver=bridge --subnet=192.168.10.0/24 so_net_a
docker network create --driver=bridge --subnet=192.168.100.0/24 so_net_b

# Network topology:
# +------+            +-------+            +------+
# | so_A +--so_net_a--+ so_AB +--so_net_b--+ so_B |
# +------+            +-------+            +------+

docker run -itd --name=so_A --net=so_net_a debian /bin/bash
docker run -itd --name=so_B --net=so_net_b debian /bin/bash
docker run -itd --name=so_AB --net=so_net_a debian /bin/bash
docker network connect so_net_b so_AB

docker exec so_AB sh -c 'apt-get update && apt-get install -y tcpdump'

AB_A_IP=`docker inspect -f '{{.NetworkSettings.Networks.so_net_a.IPAddress}}' so_AB`
B_IP=`docker inspect -f '{{.NetworkSettings.Networks.so_net_b.IPAddress}}' so_B`

# Change the default gateway to so_AB
docker exec --privileged so_A ip route del default
docker exec --privileged so_A ip route add default via $AB_A_IP dev eth0

# Normally should be 192.168.100.2
echo $B_IP

Source: https://stackoverflow.com/questions/34440097/why-do-ping-packets-not-reach-a-custom-gateway-in-docker
