Docker network --ipv6 still uses masq

I’m seeing something unexpected with docker network. I create a network as

docker network create \
    --attachable \
    --opt com.docker.network.bridge.name=warpeno4 \
    --opt com.docker.network.bridge.enable_ip_masquerade=false \
    --ipv6 --subnet fd00:6a4f:a007:15da::/64 \
    warpeno4

However, in my container (an https server) I see the source IP as [fd00:6a4f:a007:15da::1]. However, I would expect to see the actual source IP since “masq=false”. This works fine in IPv4 but appears to be broken in IPv6.

Best,
Brien

Not the response you are looking for, but you still might find interesting what the README.md of https://github.com/robbertkl/docker-ipv6nat writes about IPv6 in docker.

To close this out, there is some good background on userland-proxy at [1], which is the service that handles port forwards to containers. Basically it masks the remote IP in several cases, including the case where incoming traffic is DNAT’d into the port forward. This was my case.

To work around this, simply DNAT to the container IP and port, ignoring the port forward. This can make it a little more complex to have to look up the container IP and write the ip6tables rule, but it preserves the remote IP.

e.g.

sudo ip6tables -t nat -A PREROUTING \
    -d dead:beef:a:b:c:d:e:f/128 -p tcp -m tcp --dport 443 \
    -j DNAT --to-destination [fd00:6a4f:a007:15da::2]:443

Where fd00:6a4f:a007:15da::2 is the container IPv6, e.g.

sudo docker inspect \
    -f '{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' \
    <container_id>

Best,
Brien

  1. Networking - `userland-proxy` could better clarify impact · Issue #17312 · docker/docs · GitHub
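The workaround above has two moving parts: look up the container's IPv6 address and write the ip6tables rule by hand. The script below, an added example that is not Brien's code, automates both and adds the check a practitioner would want before touching the nat table: it parses `docker inspect` JSON (a constructed sample is embedded, with the thread's `warpeno4` network and `fd00:6a4f:a007:15da::/64` prefix; the container id is a placeholder), refuses an address outside the subnet the network was created with, and builds the PREROUTING DNAT rule as an argv. `-C` is ip6tables' own check action, so the same builder produces the command that tests whether the rule already exists. The host address `dead:beef:a:b:c:d:e:f` is the thread's placeholder.

```python
import ipaddress
import json
import shlex

# Constructed sample of `docker inspect <container>` output, cut down to the
# fields this script reads. The network name and ULA prefix are the ones from
# the thread; the container id is a placeholder.
SAMPLE_INSPECT = json.dumps([{
    "Id": "PLACEHOLDER_CONTAINER_ID",
    "Name": "/https-server",
    "NetworkSettings": {
        "Networks": {
            "warpeno4": {
                "IPAddress": "172.20.0.2",
                "GlobalIPv6Address": "fd00:6a4f:a007:15da::2",
                "GlobalIPv6PrefixLen": 64,
            }
        }
    },
}])


def container_ipv6(inspect_json, network, expected_subnet):
    """Return the container's IPv6 address on `network`, checked against the
    subnet the network was created with. A stale address or an attachment to
    the wrong network would otherwise turn into a silently wrong DNAT rule."""
    data = json.loads(inspect_json)
    if len(data) != 1:
        raise ValueError("expected inspect output for exactly one container")
    networks = data[0]["NetworkSettings"]["Networks"]
    if network not in networks:
        raise KeyError(f"container is not attached to network {network!r}")
    raw = networks[network].get("GlobalIPv6Address") or ""
    if not raw:
        raise ValueError(f"network {network!r} assigned no IPv6 address")
    addr = ipaddress.IPv6Address(raw)          # raises on a malformed address
    subnet = ipaddress.IPv6Network(expected_subnet)
    if addr not in subnet:
        raise ValueError(f"{addr} is outside {subnet}")
    return str(addr)


def dnat_rule(host_addr, dport, container_addr, cport=None, proto="tcp", action="-A"):
    """Build the ip6tables argv for the PREROUTING DNAT rule from the thread.
    `action` is -A to append, -C to test whether the rule already exists,
    -D to delete it, -I to insert it at the top of the chain."""
    if action not in ("-A", "-C", "-D", "-I"):
        raise ValueError("action must be one of -A, -C, -D, -I")
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    cport = dport if cport is None else cport
    for port in (dport, cport):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port {port}")
    host = ipaddress.IPv6Address(host_addr)
    target = ipaddress.IPv6Address(container_addr)
    return ["ip6tables", "-t", "nat", action, "PREROUTING",
            "-d", f"{host}/128", "-p", proto, "-m", proto, "--dport", str(dport),
            "-j", "DNAT", "--to-destination", f"[{target}]:{cport}"]


def render(argv):
    """Quote the argv for a shell; the brackets around the IPv6 literal need it."""
    return shlex.join(argv)


if __name__ == "__main__":
    ip = container_ipv6(SAMPLE_INSPECT, "warpeno4", "fd00:6a4f:a007:15da::/64")
    # Print the check first, then the append, so the rule is not added twice.
    print("sudo " + render(dnat_rule("dead:beef:a:b:c:d:e:f", 443, ip, action="-C")))
    print("sudo " + render(dnat_rule("dead:beef:a:b:c:d:e:f", 443, ip)))
```

On a real host, replace `SAMPLE_INSPECT` with the output of `docker inspect <container_id>`. The rule only replaces the port-publish step; the network's masquerade setting and the FORWARD chain are left as they are, which is what keeps the remote IPv6 address visible to the container.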