robbertkl / docker-ipv6nat

Extend Docker with IPv6 NAT, similar to IPv4
MIT License
662 stars 48 forks

ADDRTYPE rules are missing in POSTROUTING NAT chain #40

Closed bephinix closed 5 years ago

bephinix commented 5 years ago

Current IPv4 POSTROUTING chain:

Chain POSTROUTING (policy ACCEPT 463 packets, 28696 bytes)
 pkts bytes target      prot opt in     out         source              destination         
    2    88 MASQUERADE  all  --  *      docker0     0.0.0.0/0           0.0.0.0/0            ADDRTYPE match src-type LOCAL
    0     0 MASQUERADE  all  --  *      !docker0    172.25.1.0/24       0.0.0.0/0           
    3   128 MASQUERADE  all  --  *      dckrMyNet   0.0.0.0/0           0.0.0.0/0            ADDRTYPE match src-type LOCAL
    0     0 MASQUERADE  all  --  *      !dckrMyNet  172.25.2.0/24       0.0.0.0/0           

Current IPv6 POSTROUTING chain:

Chain POSTROUTING (policy ACCEPT 74 packets, 5932 bytes)
 pkts bytes target      prot opt in     out           source              destination         
    0     0 MASQUERADE  all      *      !dckrMyNet    fddd:0:0:2::/64     ::/0                
    0     0 MASQUERADE  all      *      !dckrDefault  fddd:0:0:1::/64     ::/0

As you can see, for each masqueraded network the ADDRTYPE match src-type LOCAL rule is missing.

These missing rules will masquerade packets when they enter the network bridge. We should copy this, so Docker's IPv4 and Docker's IPv6 share the same behavior.

bephinix commented 5 years ago

Update: ADDRTYPE match src-type LOCAL rules are always added if the network is not internal. It does not matter whether the network is masqueraded or not. PR was updated.
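A check for the gap discussed in this thread, added here as an example and not code from docker-ipv6nat or from the comments above. It reads the nat table in `ip6tables-save` format (the listing embedded in the script is constructed to mirror the IPv6 POSTROUTING chain posted above, with the LOCAL rule already present for one of the two bridges so the check has something to distinguish), takes every bridge named in a `-s <subnet> ! -o <bridge> -j MASQUERADE` rule, and prints the `ip6tables` command for each bridge that lacks the matching `-o <bridge> -m addrtype --src-type LOCAL -j MASQUERADE` rule. Docker's IPv4 rule of that form masquerades packets that leave through the bridge with a source address belonging to the host itself. The function names and the sample listing are this example's own assumptions; because it discovers bridges through their subnet MASQUERADE rules, it only covers masqueraded networks, whereas the update above applies the rule to every non-internal network, so on a live host the bridge list should come from Docker rather than from the nat table.

```shell
#!/bin/sh
# Added audit helper (example code, not part of docker-ipv6nat).
# Input: the nat table as printed by `ip6tables-save -t nat`.
# Output: one ip6tables command per Docker bridge that has a subnet
# MASQUERADE rule but no ADDRTYPE --src-type LOCAL rule.

# Constructed sample mirroring the chain from the issue, with the LOCAL
# rule present for dckrDefault only. On a real host use:
#   missing_local_rules "$(ip6tables-save -t nat)"
SAMPLE_NAT_TABLE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [74:5932]
:DOCKER - [0:0]
-A POSTROUTING -s fddd:0:0:2::/64 ! -o dckrMyNet -j MASQUERADE
-A POSTROUTING -s fddd:0:0:1::/64 ! -o dckrDefault -j MASQUERADE
-A POSTROUTING -o dckrDefault -m addrtype --src-type LOCAL -j MASQUERADE
COMMIT'

# bridges_with_masquerade LISTING
# Prints, one per line and de-duplicated, every bridge named in a
# "-A POSTROUTING -s <subnet> ! -o <bridge> -j MASQUERADE" rule.
bridges_with_masquerade() {
    printf '%s\n' "$1" |
        awk '$1 == "-A" && $2 == "POSTROUTING" {
                 for (i = 3; i <= NF; i++)
                     if ($i == "!" && $(i+1) == "-o") { print $(i+2); break }
             }' | sort -u
}

# has_local_rule LISTING BRIDGE
# Exit status 0 if the hairpin/host-originated masquerade rule for BRIDGE
# ("-o BRIDGE -m addrtype --src-type LOCAL -j MASQUERADE") is present.
has_local_rule() {
    printf '%s\n' "$1" |
        grep -q -- "^-A POSTROUTING -o $2 -m addrtype --src-type LOCAL -j MASQUERADE$"
}

# missing_local_rules LISTING
# Prints the ip6tables command that would add the LOCAL rule for every
# masqueraded bridge that does not have one yet. -A is used because the
# LOCAL rule and the subnet rule match disjoint traffic, so their relative
# order in POSTROUTING does not change the result.
missing_local_rules() {
    listing=$1
    bridges_with_masquerade "$listing" | while read -r bridge; do
        if ! has_local_rule "$listing" "$bridge"; then
            printf 'ip6tables -t nat -A POSTROUTING -o %s -m addrtype --src-type LOCAL -j MASQUERADE\n' "$bridge"
        fi
    done
}

# Run against the constructed sample when executed directly.
missing_local_rules "$SAMPLE_NAT_TABLE"
```

Against the sample this prints a single command for `dckrMyNet`; `dckrDefault` already has its rule and is skipped. Piping the output into `sh` applies the missing rules, but review it first, since the script trusts whatever bridge names appear in the listing.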