IPv6 ingress traffic is DNATed by docker-proxy

It seems that for some reason the docker-proxy destination-NATs ingress ipv6 traffic while not doing the same for ipv4 traffic.

This behavior is quite confusing.

How to reproduce:

Setup on machine 1 (assuming it has addresses 192.168.1.2 and 2a57::2):

``` bash
docker network create --ipv6 --subnet 2001:db8:6::/64 my_ipv6_network
docker run --publish 80:80 --network my_ipv6_network traefik/whoami
```

Then on machine 2 (assuming it has addresses 192.168.1.3 and 2a57::3) run:

```
curl "http://192.168.1.2"
curl "http://[2a57::2]"
```

Output for ipv4:

```text
Hostname: 0e28009b4a10
IP: 127.0.0.1
IP: ::1
IP: 172.XXX.XXX.XXX
IP: 2001:db8:6::2
IP: fe80::XXXX
RemoteAddr: 192.168.1.3:33714
GET / HTTP/1.1
Host: 192.168.1.2
User-Agent: curl/7.68.0
Accept: */*
```

Output for ipv6:

```text
Hostname: 0e28009b4a10
IP: 127.0.0.1
IP: ::1
IP: 172.XXX.XXX.XXX
IP: 2001:db8:6::2
IP: fe80::XXXX
RemoteAddr: [2001:db8:6::1]:48142
GET / HTTP/1.1
Host: [2a57::2]
User-Agent: curl/7.68.0
Accept: */*
```

Expected output for ipv6 (note RemoteAddr):

```text
Hostname: 0e28009b4a10
IP: 127.0.0.1
IP: ::1
IP: 172.XXX.XXX.XXX
IP: 2001:db8:6::2
IP: fe80::XXXX
RemoteAddr: [2a57::3]:48142
GET / HTTP/1.1
Host: [2a57::2]
User-Agent: curl/7.68.0
Accept: */*
```

Docker configuration in `daemon.json`:

```json
{
    "ipv6": true,
    "fixed-cidr-v6": "2001:db8::/64"
}
```

Version:

```text
Docker version 20.10.5-ce, build 363e9a88a11b
```

As a sanity check, I checked using iptables that the dnat is not happening on the host before the docker-proxy.

```bash
sudo ip6tables -t security -A INPUT -p tcp --destination-port 80 -j LOG
```

this produced the following log messages:

```log
kernel: IN=wlXXX OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=2a57::3 DST=2a57::2 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=859264 PROTO=TCP SPT=60398 DPT=80 WINDOW=64800 RES=0x00 SYN URGP=0 
kernel: IN=wlXXX OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=2a57::3 DST=2a57::2 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=859264 PROTO=TCP SPT=60398 DPT=80 WINDOW=507 RES=0x00 ACK URGP=0 
kernel: IN=wlXXX OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=2a57::3 DST=2a57::2 LEN=174 TC=0 HOPLIMIT=64 FLOWLBL=859264 PROTO=TCP SPT=60398 DPT=80 WINDOW=507 RES=0x00 ACK PSH URGP=0 
kernel: IN=wlXXX OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=2a57::3 DST=2a57::2 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=859264 PROTO=TCP SPT=60398 DPT=80 WINDOW=505 RES=0x00 ACK URGP=0 
kernel: IN=wlXXX OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=2a57::3 DST=2a57::2 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=859264 PROTO=TCP SPT=60398 DPT=80 WINDOW=505 RES=0x00 ACK FIN URGP=0 
kernel: IN=wlXXX OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=2a57::3 DST=2a57::2 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=859264 PROTO=TCP SPT=60398 DPT=80 WINDOW=505 RES=0x00 ACK URGP=0 
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IPv6 ingress traffic is DNATed by docker-proxy #2628

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

IPv6 ingress traffic is DNATed by docker-proxy #2628

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions