DOCKER-USER chain for ip6tables

rimelek · January 10, 2023, 11:59pm

I have read your question 3 days ago and it was clear to me, but don’t use IPv6 for containers so I was waiting for someone who uses IPv6. Now I checked the documentation and also searched for “ipv6 iptables docker” and I found that ipv6 iptables rules are not enabled by default and that is still an experimental feature.

--iptables          Enable addition of iptables rules (default true)
--ip6tables         Enable addition of ip6tables rules (default false)

When you enable ip6tables you also need

--experimental      Enable experimental features

Or in the daemon json

{
    "experimental": true,
    "ipv6": true,
    "ip6tables": true,
    "fixed-cidr-v6": "fd9e:63ac:6dcd::/48"
}

My first source where I found this json before checking the docs:

github.com/moby/moby

Docker uses 'iptables' instead of 'ip6tables' for IPv6 NAT rule, crashes

opened 09:28PM - 06 Jan 21 UTC

closed 04:43PM - 29 Mar 21 UTC

fnkr

kind/bug area/networking version/20.10

**Description** I'm trying to enable IPv6 NAT for the default bridge network. If the `ip6tables` daemon option is enabled, Docker tries to add an IPv6 NAT rule using `iptables`, which fails because `ip6tables` should be used instead. Related to https://github.com/moby/moby/pull/41622. **Steps to reproduce the issue:** 1. Update `/etc/docker/daemon.json`: ```json { "experimental": true, "ipv6": true, "ip6tables": true, "fixed-cidr-v6": "fd9e:63ac:6dcd::/48" } ``` 2. Restart Docker: `sudo systemctl stop docker; sudo ip link del docker0; sudo systemctl start docker` 3. Docker daemon crashed during start. ``` # sudo journalctl -u docker dockerd[11587]: failed to start daemon: Error initializing network controller: Error creating default "bridge" network: Failed to Setup IP tables: Unable to enable NAT rule: (COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -I POSTROUTING -s fd9e:63ac:6dcd::/48 ! -o docker0 -j MASQUERADE' failed: iptables v1.8.5 (legacy): invalid mask `48' specified ``` **Describe the results you received:** Docker tries to run the following command, which fails and Docker crashes: ``` /usr/sbin/iptables -w10 -t nat -I POSTROUTING -s fd9e:63ac:6dcd::/48 ! -o docker0 -j MASQUERADE ``` **Describe the results you expected:** Docker should run the command using `ip6tables` instead: ``` /usr/sbin/ip6tables -w10 -t nat -I POSTROUTING -s fd9e:63ac:6dcd::/48 ! -o docker0 -j MASQUERADE ``` **Additional information you deem important (e.g. issue happens only occasionally):** If I remove the `ip6tables` option from `daemon.json`, restart Docker and run the fixed command from above (using `ip6tables`), IPv6 NAT works: ``` ➜ docker run --rm -it alpine ping -c 4 2606:4700:4700::1111 PING 2606:4700:4700::1111 (2606:4700:4700::1111): 56 data bytes 64 bytes from 2606:4700:4700::1111: seq=0 ttl=63 time=5.24 ms 64 bytes from 2606:4700:4700::1111: seq=1 ttl=63 time=5.40 ms 64 bytes from 2606:4700:4700::1111: seq=2 ttl=63 time=5.44 ms 64 bytes from 2606:4700:4700::1111: seq=3 ttl=63 time=5.46 ms --- fde0:8899:8672:1::1 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 5.236/5.381/5.456 ms ``` **Output of `docker version`:** ``` Client: Docker Engine - Community Version: 20.10.2 API version: 1.41 Go version: go1.13.15 Git commit: 2291f61 Built: Mon Dec 28 16:18:35 2020 OS/Arch: linux/amd64 Context: default Experimental: true Server: Docker Engine - Community Engine: Version: 20.10.2 API version: 1.41 (minimum version 1.12) Go version: go1.13.15 Git commit: 8891c58 Built: Mon Dec 28 16:15:44 2020 OS/Arch: linux/amd64 Experimental: true containerd: Version: 1.4.3 GitCommit: 269548fa27e0089a8b8278fc4fc781d7f65a939b runc: Version: 1.0.0-rc92 GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff docker-init: Version: 0.19.0 GitCommit: de40ad0 ``` **Output of `docker info`:** ``` Client: Context: default Debug Mode: false Plugins: app: Docker App (Docker Inc., v0.9.1-beta3) buildx: Build with BuildKit (Docker Inc., v0.5.1-docker) Server: Containers: 0 Running: 0 Paused: 0 Stopped: 0 Images: 13 Server Version: 20.10.2 Storage Driver: btrfs Build Version: Btrfs v5.9 Library Version: 102 Logging Driver: json-file Cgroup Driver: systemd Cgroup Version: 2 Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog Swarm: inactive Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc Default Runtime: runc Init Binary: docker-init containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff init version: de40ad0 Security Options: seccomp Profile: default cgroupns Kernel Version: 5.9.16-200.fc33.x86_64 Operating System: Fedora 33 (Workstation Edition) OSType: linux Architecture: x86_64 CPUs: 8 Total Memory: 39.07GiB Name: redacted ID: S5VU:MHDD:7D2V:YPGW:IOU2:AUQG:DMYS:IJ3Y:IRZD:5MWB:DBV4:PRR2 Docker Root Dir: /var/lib/docker Debug Mode: false Registry: https://index.docker.io/v1/ Labels: Experimental: true Insecure Registries: 127.0.0.0/8 Live Restore Enabled: false Default Address Pools: Base: 100.96.0.0/16, Size: 24 WARNING: No kernel memory TCP limit support WARNING: No oom kill disable support WARNING: Support for cgroup v2 is experimental ``` **Additional environment details (AWS, VirtualBox, physical, etc.):** Physical (Notebook)

Topic		Replies	Views
Docker and IPv6 General docker	0	718	January 7, 2021
Add new iptables rules to Docker General	5	3140	June 5, 2024
Add user chains for prerouting and postrouting chains General	0	703	December 26, 2018
Docker tries to create a chain on table nat with ip6tables (but there's no nat table on ipv6) [SOLVED] General docker-compose , networking , linux	6	758	February 8, 2025
IPv6 with docker routing question General	1	1184	September 24, 2018

DOCKER-USER chain for ip6tables

Related topics