Make it possible to set default gateway for internal networks #732

Open
EugenDueck opened this issue Oct 30, 2024 · 0 comments
Labels
community_new New idea raised by a community contributor
EugenDueck commented Oct 30, 2024

Tell us about your request

For non-internal networks, the default gateway can be set like so:

```yaml
networks:
  my-network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.27.0.0/16
          gateway: 172.27.0.1
```

However, when setting `internal: true`, the default gateway of the network will not be set. I guess that is because for internal networks, Docker does not set up a gateway.

Now I would like to set up my own gateway in another container that is also connected to this network, and that would do IP forwarding to another network.
But in order for this to work, I now have to manually set the default gateway of those other containers, and random containers may not come with the `ip` or `route` commands.

Which service(s) is this request for?

docker (and compose)

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

I want to set up a container that I can configure with a whitelist of IP addresses that another, untrusted container is allowed to access. This would allow me to use untrusted containers on an internal network with explicit exceptions, which would make it much more secure than using a completely open network.

Are you currently working around the issue?

Here's one workaround using Docker-in-Docker that is working, but I'd like to avoid using dind, for well-known reasons:

  • set up a `docker:dind` container that enforces the IP whitelist using iptables
  • mount a `docker-compose.yml` inside the dind container for the untrusted container(s)
  • have the dind container mangle the `docker-compose.yml` so that it uses `network_mode: host` and disables port mappings
  • necessary port mappings need to have been added to the dind container
  • start the `docker-compose.yml` inside the dind container
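The first step of the workaround above, the gateway container that only forwards traffic from the untrusted network to an explicit IP whitelist, can be expressed as a small rule generator. The script below is an added example, not code from the issue author or from Docker; it assumes the gateway container runs with `CAP_NET_ADMIN`, that `iptables` and `sysctl` are available inside it, and that the untrusted containers already have a route pointing at the gateway (the missing piece the issue asks for). The subnet and the two allowed destinations are constructed sample values.

```shell
#!/bin/sh
# Added example: render (and optionally apply) iptables FORWARD rules so that
# containers on an internal network can only reach an explicit IP whitelist
# through this gateway container. Everything else is logged and dropped.

# Subnet of the internal network the untrusted containers sit on (constructed sample value)
UNTRUSTED_SUBNET="${UNTRUSTED_SUBNET:-172.27.0.0/16}"
# Space-separated whitelist of destinations (constructed sample values, RFC 5737 ranges)
ALLOWED_DESTS="${ALLOWED_DESTS:-203.0.113.10 198.51.100.0/24}"

# render_allowlist_rules SUBNET "DEST DEST ..."
# Prints one iptables command per line, in the order they must be applied:
#   1. default-deny on the FORWARD chain
#   2. allow replies to connections the whitelist already permitted
#   3. one ACCEPT per whitelisted destination
#   4. log, then drop, any other forwarded traffic from the subnet
render_allowlist_rules() {
  subnet="$1"
  dests="$2"
  printf '%s\n' "iptables -P FORWARD DROP"
  printf '%s\n' "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  for d in $dests; do
    printf '%s\n' "iptables -A FORWARD -s $subnet -d $d -j ACCEPT"
  done
  printf '%s\n' "iptables -A FORWARD -s $subnet -j LOG --log-prefix \"egress-denied: \""
  printf '%s\n' "iptables -A FORWARD -s $subnet -j DROP"
}

# count_allow_rules SUBNET "DEST ..." -> number of per-destination ACCEPT rules,
# a quick sanity check that every whitelist entry produced exactly one rule.
count_allow_rules() {
  render_allowlist_rules "$1" "$2" | grep -c -- " -d "
}

# Only apply when explicitly asked; by default just print the rules for review.
if [ "${APPLY:-0}" = "1" ]; then
  sysctl -w net.ipv4.ip_forward=1
  render_allowlist_rules "$UNTRUSTED_SUBNET" "$ALLOWED_DESTS" | sh -e
else
  render_allowlist_rules "$UNTRUSTED_SUBNET" "$ALLOWED_DESTS"
fi
```

Run it without arguments to print the rules, or with `APPLY=1` inside the gateway container to install them. The `conntrack` rule is what lets replies from a whitelisted destination come back without listing the reverse direction; the `LOG` rule before the final `DROP` gives a kernel-log record of every blocked egress attempt, which is the detection signal you want when an untrusted container tries to reach something outside the whitelist. Note that a whitelist of bare IPs does not cover name resolution: if the untrusted containers need DNS, the resolver's address has to be on the list as well.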