IPV6 UDP traffic source IP is lost to container after going thru docker-proxy

Docker Engine Version: 18.09.7
OS/Arch: linux/amd64

Problem Summary: The source IP of IPV6 UDP traffic is lost to the container after going through docker-proxy and is replaced by the Docker IPV4 gateway instead. This works fine for IPV4 traffic.

Details:

We have configured Docker engine with IPV6 as below:

--ipv6=true --fixed-cidr-v6=2001:db8:1::/64

Docker engine is successfully configured with IPV6. I can see containers assigned both IPV4 and IPV6 addresses, and the containers are able to ping each other by IPV6 address. It looks like Docker engine is properly configured.

docker network inspect 147db54b3724

[
  {
    "Name": "bridge",
    "Id": "147db54b3724819d9be3c88653b38af8e2b7149be0bdef978bc2a1a9a6bb80b0",
    "Created": "2019-12-12T14:28:31.423033004Z",
    "Scope": "local",
    "Driver": "bridge",
    "EnableIPv6": true,
    "IPAM": {
      "Driver": "default",
      "Options": null,
      "Config": [
        {
          "Subnet": "172.17.0.0/16",
          "Gateway": "172.17.0.1"
        },
        {
          "Subnet": "2001:db8:1::/64",
          "Gateway": "2001:db8:1::1"
        }
      ]
    },
    "Internal": false,
    "Attachable": false,
    "Ingress": false,
    "ConfigFrom": {
      "Network": ""
    },
    "ConfigOnly": false,
    "Containers": {
      "c0ef5b011e7002ed74decca013f844f650b31091e1d76af1db80dc0d0bc4b225": {
        "Name": "70f3c6a9085d46378c95d9e00fd45620_gnmiclient",
        "EndpointID": "4c07e01214e5e6cf38eb97a733a953361580b962eabecc79b26550abf95fcca2",
        "MacAddress": "02:42:ac:11:00:03",
        "IPv4Address": "172.17.0.3/16",
        "IPv6Address": "2001:db8:1::242:ac11:3/64"
      },
      "efd60d2a684e04899a0a2edfdcc271375a1be3a316364bb56ce3f8921d493ac9": {
        "Name": "registrator",
        "EndpointID": "5341d84026b8944e818d54847848f44e56bcea8b68337d05f6bcbacbb092281c",
        "MacAddress": "02:42:ac:11:00:02",
        "IPv4Address": "172.17.0.2/16",
        "IPv6Address": "2001:db8:1::242:ac11:2/64"
      },
      "fe0e0c71b0fc6e7a485ea20e0c89fd92cab853635f7d80532977cf6bc10a989f": {
        "Name": "9f807e3806ce47c0b890dc603ed4acb5_syslog-collector",
        "EndpointID": "e76e0f67d70f374923fef24d37baa4990216532d1b7be6c3b6587f08448f1edc",
        "MacAddress": "02:42:ac:11:00:04",
        "IPv4Address": "172.17.0.4/16",
        "IPv6Address": "2001:db8:1::242:ac11:4/64"
      }
    },
    "Options": {
      "com.docker.network.bridge.default_bridge": "true",
      "com.docker.network.bridge.enable_icc": "true",
      "com.docker.network.bridge.enable_ip_masquerade": "true",
      "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
      "com.docker.network.bridge.name": "docker0",
      "com.docker.network.driver.mtu": "1400"
    },
    "Labels": {}
  }
]

We are running a Syslog container listening on a UDP port, which will process syslog messages from different sources on both IPV4 and IPV6.

The IPV4 case works fine and it retains the source IP without any issue. It fails for IPV6 traffic.

Simulating IPV4 traffic from Source VM:

tail -1 /home/wa998j/ipag.txt | nc -u -w 0 2x.6x.2xx.156 1578

On Target Docker host:

When running tcpdump, it shows the traffic received from the source IP, which is 2x.6x.2xx.155, going to the container IP (172.17.0.4).

root@2x.6x.2xx.156:) tcpdump -A -s0 -i any -nn port 1578
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
19:39:48.084041 IP 2x.6x.2xx.155.58097 > 2x.6x.2xx.156.1578: UDP, length 127
E…e.@.@… D… D…*…f.<185>Jan 16 12:51:10 buaga301ia2 alarmd[14008]: Alarm cleared: Pwr supply color=YELLOW, class=CHASSIS, reason=PEM 1 Fan Failed

19:39:48.084179 IP 2x.6x.2xx.155.58097 > 172.17.0.4.1578: UDP, length 127
E…e.@.?.6. D…*…<185>Jan 16 12:51:10 buaga301ia2 alarmd[14008]: Alarm cleared: Pwr supply color=YELLOW, class=CHASSIS, reason=PEM 1 Fan Failed

19:39:48.084192 IP 2x.6x.2xx.155.58097 > 172.17.0.4.1578: UDP, length 127
E…e.@.?.6. D…*…<185>Jan 16 12:51:10 buaga301ia2 alarmd[14008]: Alarm cleared: Pwr supply color=YELLOW, class=CHASSIS, reason=PEM 1 Fan Failed

19:39:48.084203 IP 2x.6x.2xx.155.58097 > 172.17.0.4.1578: UDP, length 127
E…e.@.?.6. D…*…<185>Jan 16 12:51:10 buaga301ia2 alarmd[14008]: Alarm cleared: Pwr supply color=YELLOW, class=CHASSIS, reason=PEM 1 Fan Failed

19:39:48.084212 IP 2x.6x.2xx.155.58097 > 172.17.0.4.1578: UDP, length 127
E…e.@.?.6. D…*…<185>Jan 16 12:51:10 buaga301ia2 alarmd[14008]: Alarm cleared: Pwr supply color=YELLOW, class=CHASSIS, reason=PEM 1 Fan Failed

Failed Scenario: Simulating IPV6 traffic from Source VM:

tail -1 /home/wa998j/ipag.txt | nc -6 -u -w 0 2001:18xx:e0xx:1032::5 1578

On Target Docker host:

When running tcpdump, it shows the traffic received from the source IP, which is 2001:18xx:e0xx:1032::4, arriving at the Docker host on IPV6, and then docker-engine translated the IPV6 source IP to the Docker default gateway IP address (172.17.0.1).

root@# tcpdump -A -s0 -i any -nn port 1578
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
19:50:51.687306 IP6 2001:18xx:e0xx:1032::4.48010 > 2001:18xx:e0xx:1032::5.1578: UDP, length 127
`…@ …2… …2…*…"/<185>Jan 16 12:51:10 buaga301ia2 alarmd[14008]: Alarm cleared: Pwr supply color=YELLOW, class=CHASSIS, reason=PEM 1 Fan Failed

19:50:51.688001 IP 172.17.0.1.53121 > 172.17.0.4.1578: UDP, length 127
E…2@.@…*…X.<185>Jan 16 12:51:10 buaga301ia2 alarmd[14008]: Alarm cleared: Pwr supply color=YELLOW, class=CHASSIS, reason=PEM 1 Fan Failed

19:50:51.688057 IP 172.17.0.1.53121 > 172.17.0.4.1578: UDP, length 127
E…2@.@…*…X.<185>Jan 16 12:51:10 buaga301ia2 alarmd[14008]: Alarm cleared: Pwr supply color=YELLOW, class=CHASSIS, reason=PEM 1 Fan Failed

I tried installing the latest conntrack 1.4.5 and flushed it too. What configuration do we need to allow IPV6 traffic to retain the source IP and pass through the Docker IPV6 gateway? I would appreciate it if anyone can provide pointers on this issue.
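
A check for the symptom described in this post, as an added example that is not part of the original post: it reads tcpdump summary lines together with the bridge's IPAM config and flags datagrams that reach a container with the bridge gateway as their source, pairing each with the preceding ingress packet to recover the likely sender. The capture lines are constructed, with documentation addresses in place of the post's masked ones, and `bridge_nets` and `audit` are hypothetical names.

```python
import ipaddress
import json
import re

# Excerpt of the bridge IPAM config shown in the post's `docker network inspect`.
INSPECT = json.loads("""[{"Name": "bridge", "IPAM": {"Config": [
  {"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"},
  {"Subnet": "2001:db8:1::/64", "Gateway": "2001:db8:1::1"}]}}]""")

# Constructed capture: same line format as the post, documentation addresses
# substituted for the masked ones. tcpdump -i any repeats a packet per interface.
CAPTURE = """\
19:39:48.084041 IP 192.0.2.155.58097 > 192.0.2.156.1578: UDP, length 127
19:39:48.084179 IP 192.0.2.155.58097 > 172.17.0.4.1578: UDP, length 127
19:39:48.084192 IP 192.0.2.155.58097 > 172.17.0.4.1578: UDP, length 127
19:50:51.687306 IP6 2001:db8:ffff::4.48010 > 2001:db8:ffff::5.1578: UDP, length 127
19:50:51.688001 IP 172.17.0.1.53121 > 172.17.0.4.1578: UDP, length 127
19:50:51.688057 IP 172.17.0.1.53121 > 172.17.0.4.1578: UDP, length 127
"""

LINE = re.compile(r"^(\S+) IP6? (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")

def bridge_nets(inspect):
    """Return (subnet, gateway) pairs for every IPAM entry of every network."""
    return [(ipaddress.ip_network(c["Subnet"]), ipaddress.ip_address(c["Gateway"]))
            for net in inspect for c in net["IPAM"]["Config"]]

def audit(capture, inspect):
    """List datagrams delivered to containers and whether the sender survived."""
    nets = bridge_nets(inspect)
    gateways = {gw for _, gw in nets}
    on_bridge = lambda a: any(a.version == n.version and a in n for n, _ in nets)
    findings, prev, ingress = [], None, None
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m.groups()[1:] == prev:   # payload dump or per-interface repeat
            continue
        prev = m.groups()[1:]
        src, dst = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[4])
        flow = (m[5], m[6])                   # destination port, UDP length
        if not on_bridge(dst):                # packet arriving at the host itself
            ingress = (src, flow)
            continue
        lost = src in gateways                # container sees the bridge gateway
        origin = ingress[0] if lost and ingress and ingress[1] == flow else None
        findings.append({"time": m[1], "container": str(dst), "seen_source": str(src),
                         "source_lost": lost,
                         "likely_origin": str(origin) if origin else None})
    return findings
```

For a syslog collector, every finding with `source_lost` set is a message the container would attribute to the bridge gateway rather than to the device that sent it.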