Docker network --ipv6 still uses masq

I’m seeing something unexpected with docker network. I create a network as

docker network create \
    --attachable \
    --opt \
    --opt \
    --ipv6 --subnet fd00:6a4f:a007:15da::/64 \

However, in my container (an https server) I see the source IP as [fd00:6a4f:a007:15da::1]. However, I would expect to see the actual source IP since “masq=false”. This works fine in IPv4 but appears to be broken in IPv6.


Not the response you are looking for, but you still might find interesting what the of writes about ivp6 in docker.

To close this out, there is some good background on userland-proxy at [1], which is the the service that handles port forwards to containers. Basically it masks the remote IP in several cases, including the case where incoming traffic is DNAT’d into the port forward. This was my case.

To work around this, simply DNAT to the container IP and port, ignoring the port forward. This can make it a little more complex to have to look up the container IP and write the ip6tables rule, but it preserves the remote IP.


sudo ip6tables -t nat -A PREROUTING \
    -d dead:beef:a:b:c:d:e:f/128 -p tcp -m tcp --dport 443 \
    -j DNAT --to-destination [fd00:6a4f:a007:15da::2]:443

Where fd00:6a4f:a007:15da::2 is the container IPv6, e.g.

sudo docker inspect \
    '{{range.NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' \


  1. Networking - `userland-proxy` could better clarify impact · Issue #17312 · docker/docs · GitHub