From what I can tell, in newer kernels hairpin NAT is the way to go and eliminates the need for the docker-proxy process when publishing ports. When doing testing, I tell Docker not to use the proxy by passing it this config flag ‘--userland-proxy=false’. When I do that it appears to make the right kernel parameter configuration changes and I see that the route_localnet parameter for the docker0 bridge gets enabled.
Most testing in this configuration seems to work. I can access published ports from outside the Docker host and I can access them locally by using the Docker host’s IP address. However, I cannot access them by using ‘localhost:portnumber’ like I can when using docker-proxy.
Is this intended behavior? I’m on Docker 1.10 and on an Ubuntu 14.04 box.
I can’t find any clarification on whether this should or should not work.