robbertkl / docker-ipv6nat

Extend Docker with IPv6 NAT, similar to IPv4
MIT License
662 stars 48 forks

Use two isolation stages for docker networks #38

Closed bephinix closed 5 years ago

bephinix commented 5 years ago

This MR implements an IPv6 version of docker/libnetwork#2117.

Fixes #22 Closes #22

/cc @robbertkl

bephinix commented 5 years ago

@robbertkl It even simplifies the code base!

bephinix commented 5 years ago

@robbertkl I had to change two rules for internal networks.

If we use the same dropping rules for internal IPv6 networks as we do for IPv4, we will end up with these rules:

    0     0 DROP       all      *      dckrNet1 !fddd:0:0:11::/64     ::/0                
    0     0 DROP       all      dckrNet1 *       ::/0                !fddd:0:0:11::/64 

This also blocks Neighbor Discovery Protocol (counterpart to ARP for IPv4) so ICC will not be possible - even when it is enabled. As a solution we should not check for a specific address but for input and output interfaces:

    0     0 DROP       all      dckrNet1 !dckrNet1  ::/0                 ::/0                
    0     0 DROP       all      !dckrNet1 dckrNet1  ::/0                 ::/0

With these rules NDP packets will not be dropped, and you can still decide with the ICC flag whether you want to allow ICC.

Commit: 4fba810337a632db042e8622e30760b8299cd1cc
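To make the difference between the two rule sets concrete, here is an added example (not code from the PR or from docker-ipv6nat) that models the match semantics of the FORWARD rules listed above and evaluates constructed packets against both variants. The bridge name `dckrNet1`, the subnet `fddd:0:0:11::/64` and the packet addresses are taken from or modelled on the listings; `eth0` and the individual container addresses are assumptions for the sake of the sample traffic. The point it shows is that an NDP neighbor solicitation uses a link-local source and a solicited-node multicast destination, neither of which lies inside the network's subnet, so the address-based rules drop it while the interface-based rules only drop traffic crossing the bridge boundary.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Packet is a constructed summary of what the ip6tables FORWARD chain sees.
type Packet struct {
	Name     string
	In, Out  string // input and output interface names
	Src, Dst net.IP
}

// Rule mirrors the listing columns: interface patterns ("" or "*" = any,
// leading "!" = negated) and optional subnet matches that may be negated.
type Rule struct {
	In, Out        string
	SrcNet, DstNet *net.IPNet
	NegSrc, NegDst bool
}

func ifaceMatch(pattern, iface string) bool {
	if pattern == "" || pattern == "*" {
		return true
	}
	if strings.HasPrefix(pattern, "!") {
		return pattern[1:] != iface
	}
	return pattern == iface
}

func netMatch(n *net.IPNet, negated bool, ip net.IP) bool {
	if n == nil {
		return true // no address match in this rule
	}
	return n.Contains(ip) != negated
}

// Matches reports whether every match of the rule applies to the packet.
func (r Rule) Matches(p Packet) bool {
	return ifaceMatch(r.In, p.In) && ifaceMatch(r.Out, p.Out) &&
		netMatch(r.SrcNet, r.NegSrc, p.Src) && netMatch(r.DstNet, r.NegDst, p.Dst)
}

// Dropped reports whether any DROP rule in the list matches the packet.
func Dropped(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if r.Matches(p) {
			return true
		}
	}
	return false
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// AddressRules reproduces the first listing: drop by source/destination subnet.
func AddressRules(bridge, subnet string) []Rule {
	n := mustCIDR(subnet)
	return []Rule{
		{Out: bridge, SrcNet: n, NegSrc: true}, // DROP  *  bridge  !subnet  ::/0
		{In: bridge, DstNet: n, NegDst: true},  // DROP  bridge  *  ::/0  !subnet
	}
}

// InterfaceRules reproduces the second listing: drop by interface pair only.
func InterfaceRules(bridge string) []Rule {
	return []Rule{
		{In: bridge, Out: "!" + bridge}, // DROP  bridge  !bridge  ::/0  ::/0
		{In: "!" + bridge, Out: bridge}, // DROP  !bridge  bridge  ::/0  ::/0
	}
}

// SamplePackets returns constructed traffic: an NDP neighbor solicitation
// between two containers, an ICC packet, and an egress attempt (assumed eth0).
func SamplePackets(bridge string) []Packet {
	return []Packet{
		{"NDP solicitation", bridge, bridge, net.ParseIP("fe80::1"), net.ParseIP("ff02::1:ff00:2")},
		{"ICC", bridge, bridge, net.ParseIP("fddd:0:0:11::2"), net.ParseIP("fddd:0:0:11::3")},
		{"egress", bridge, "eth0", net.ParseIP("fddd:0:0:11::2"), net.ParseIP("2001:db8::1")},
	}
}

func main() {
	addr := AddressRules("dckrNet1", "fddd:0:0:11::/64")
	iface := InterfaceRules("dckrNet1")
	for _, p := range SamplePackets("dckrNet1") {
		fmt.Printf("%-16s address-rules dropped=%-5v interface-rules dropped=%v\n",
			p.Name, Dropped(addr, p), Dropped(iface, p))
	}
}
```

Running it shows both rule sets dropping the egress packet (the isolation both are meant to provide) while only the address-based set also drops the neighbor solicitation, which is why ICC appears to fail on an internal IPv6 network with the IPv4-style rules.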