Original ip6 is not passed to containers #44408

Closed
Likqez opened this issue Nov 5, 2022 · 5 comments
Labels
area/networking/ipv6 Issues related to ipv6 area/networking kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/more-info-needed

Comments

@Likqez

Likqez commented Nov 5, 2022

Description

The Docker bridge network does not provide the real IP address (or X-FORWARDED-FOR header) to the container when connecting via IPv6.

Reproduce

  1. Docker standalone host
  2. Enable ipv6 in daemon.json and specify fixed-cidr-v6.
  3. docker run -p 8080:80 --name nginx-text nginx
  4. curl http://host:8080 from same and different host using v4
  5. curl http://host:8080 from same and different host using v6
  6. See logs

Expected behavior

See the real origin-v6-address in the logs, just like the v4s do.

docker version

Client:
 Version:           20.10.5+dfsg1
 API version:       1.41
 Go version:        go1.15.15
 Git commit:        55c4c88
 Built:             Mon May 30 18:34:49 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.5+dfsg1
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.15.15
  Git commit:       363e9a8
  Built:            Mon May 30 18:34:49 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.13~ds1
  GitCommit:        1.4.13~ds1-1~deb11u2
 runc:
  Version:          1.0.0~rc93+ds1
  GitCommit:        1.0.0~rc93+ds1-5+deb11u2
 docker-init:
  Version:          0.19.0
  GitCommit:

docker info

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  compose: Docker Compose (Docker Inc., v2.12.2)
  scan: Docker Scan (Docker Inc., v0.21.0)

Server:
 Containers: 15
  Running: 15
  Paused: 0
  Stopped: 0
 Images: 32
 Server Version: 20.10.5+dfsg1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 1.4.13~ds1-1~deb11u2
 runc version: 1.0.0~rc93+ds1-5+deb11u2
 init version:
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.10.0-19-amd64
 Operating System: Debian GNU/Linux 11 (bullseye)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.771GiB
 Name: XXXXXXXX
 ID: QD6C:RCCA:GVGP:446C:7Y44:BDLP:6XFJ:N3QI:MJXT:FXYA:2EJN:PM3C
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

My result from accessing via v4 and v6 from different hosts:
fd00:c0de::1 is the v6 gateway of the bridge network

x.x.x.28 - - [05/Nov/2022:00:38:33 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.74.0" "-"
x.x.x.30 - - [05/Nov/2022:00:38:37 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.74.0" "-"
fd00:c0de::1 - - [05/Nov/2022:00:38:21 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.74.0" "-"
fd00:c0de::1 - - [05/Nov/2022:00:38:23 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.74.0" "-"
@Likqez Likqez added kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage labels Nov 5, 2022
@Likqez Likqez changed the title Original ip is not passed to containers Original ip6 is not passed to containers Nov 5, 2022
@sam-thibault
Contributor

related issues:
#25526
#15086

@polarathene
Contributor

polarathene commented May 5, 2023

You did not enable ip6tables in daemon.json config. This is needed for retaining the remote client IP with IPv6 due to the NAT.

If you have trouble resolving this still, see detailed example here. It should explain things, along with a good reproducible example.


If your containers were instead assigned IPv6 GUA addresses from the host /64 IPv6 subnet, you'd not need this as no NAT is required.

However, there are various other issues external to Docker that can affect the reliability and access of containers using IPv6 GUA, vs the IPv6 ULA subnet you've used that is akin to the IPv4 container network, both using a private IP address range with NAT to a public IP on another interface.

@Likqez
Author

Likqez commented May 14, 2023

Thank you. I will try setting the ip6tables flag in daemon.json.

@akerouanton
Member

@Likqez Did the ip6tables parameter solve your issue?

@Likqez
Author

Likqez commented May 30, 2023

I can report that adding the ip6tables attribute to daemon.json did resolve the issue!

For people wondering, ip6tables is still experimental and you need to set "experimental":true in order to use this feature!

My working daemon.json:

{
  "ipv6": true,
  "fixed-cidr-v6": "fd00:c0de::/64",
  "ip6tables": true,
  "experimental": true
}

Thank you for your help <3

@Likqez Likqez closed this as completed May 30, 2023
@thaJeztah thaJeztah added the area/networking/ipv6 Issues related to ipv6 label Dec 25, 2023
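
Added example (not part of the issue thread and not Docker project code): a Python check that ties the two observations in this thread together. It reads a daemon.json like the one posted above, derives the bridge gateway as the first address of fixed-cidr-v6 (an assumption that matches the fd00:c0de::1 reported here), and lists the access-log lines whose client address is that gateway, which is how a lost source address shows up. Function names are hypothetical; the configs and log lines are constructed samples.

```python
import ipaddress
import json

# Constructed samples: the thread's daemon.json before and after the fix.
DAEMON_JSON_BEFORE = '{"ipv6": true, "fixed-cidr-v6": "fd00:c0de::/64"}'
DAEMON_JSON_AFTER = ('{"ipv6": true, "fixed-cidr-v6": "fd00:c0de::/64", '
                     '"ip6tables": true, "experimental": true}')

# Constructed access-log lines laid out like the ones in the issue.
SAMPLE_LOG = """\
192.0.2.28 - - [05/Nov/2022:00:38:33 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.74.0" "-"
fd00:c0de::1 - - [05/Nov/2022:00:38:21 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.74.0" "-"
2001:db8::42 - - [05/Nov/2022:00:38:23 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.74.0" "-"
not-an-ip - - [05/Nov/2022:00:38:24 +0000] "GET / HTTP/1.1" 400 0 "-" "-" "-"
"""

def config_findings(daemon_json):
    """Return findings for the settings discussed in this thread."""
    cfg = json.loads(daemon_json)
    findings = []
    if cfg.get("ipv6") and not cfg.get("ip6tables"):
        findings.append("ipv6 enabled without ip6tables: client IPv6 address is not retained")
    if cfg.get("ip6tables") and not cfg.get("experimental"):
        findings.append("ip6tables set without experimental (required per this thread)")
    return findings

def bridge_gateway(daemon_json):
    """Assumption: the bridge gateway is the first address of fixed-cidr-v6."""
    cidr = json.loads(daemon_json).get("fixed-cidr-v6")
    if not cidr:
        return None
    return ipaddress.ip_network(cidr, strict=False).network_address + 1

def masked_requests(log_text, gateway):
    """Return 1-based line numbers whose client field equals the gateway."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        client = line.split(" ", 1)[0]
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # malformed client field: skip rather than guess
        if addr == gateway:
            hits.append(number)
    return hits

if __name__ == "__main__":
    gw = bridge_gateway(DAEMON_JSON_BEFORE)
    print(config_findings(DAEMON_JSON_BEFORE), gw, masked_requests(SAMPLE_LOG, gw))
```

Any hit means that log line cannot be used for per-client decisions such as rate limiting or allow-listing, because every IPv6 client appears as the same address.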