robbertkl / docker-ipv6nat

Extend Docker with IPv6 NAT, similar to IPv4
MIT License

Enable support for link-local address #63

Open giggio opened 3 years ago

giggio commented 3 years ago

I saw, according to the docs, that docker-ipv6nat

defaults to ::, i.e. all IPv6 addresses

But I can't get it to work with link-local addresses. It binds and works fine with global unicast addresses, but not unique local ones. I tried setting com.docker.network.bridge.host_binding_ipv6 to a link-local address, and the logs even show it correctly, but it does not work.

This is what the logs showed (addresses and identifiers were changed on purpose for anonymity):

2020/11/10 01:47:16 rule added: -t filter -A DOCKER 5 -d fd00:dead:beef::100 ! -i br-49cdda3f1234 -o br-49cdda3f1234 -p tcp -m tcp --dport 80 -j ACCEPT
2020/11/10 01:47:16 rule added: -t nat -A POSTROUTING 9 -s fd00:dead:beef::100 -d fd00:dead:beef::100 -p tcp -m tcp --dport 80 -j MASQUERADE
2020/11/10 01:47:16 rule added: -t nat -A DOCKER 5 -d fe80::aaaa:aaaa:aaaa:dead -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd00:dead:beef::100]:80

Do you think there could be a way to implement it?
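As an added illustration (not code from this issue or from docker-ipv6nat itself): a small Python checker that parses "rule added" lines of the shape logged above, classifies every address by scope (global unicast, unique-local fc00::/7, link-local fe80::/10) and flags any DNAT rule whose match address is link-local, because a link-local address is only valid on one link and a client has to pick that link with a zone identifier (fe80::...%eth0). The log-line layout and the sample lines are the ones quoted above; the regexes, the function names and the audit wording are my own assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample input: the three rule lines quoted in the issue
# (the reporter had already replaced real addresses and bridge names).
SAMPLE_LOG = """\
2020/11/10 01:47:16 rule added: -t filter -A DOCKER 5 -d fd00:dead:beef::100 ! -i br-49cdda3f1234 -o br-49cdda3f1234 -p tcp -m tcp --dport 80 -j ACCEPT
2020/11/10 01:47:16 rule added: -t nat -A POSTROUTING 9 -s fd00:dead:beef::100 -d fd00:dead:beef::100 -p tcp -m tcp --dport 80 -j MASQUERADE
2020/11/10 01:47:16 rule added: -t nat -A DOCKER 5 -d fe80::aaaa:aaaa:aaaa:dead -p tcp -m tcp --dport 80 -j DNAT --to-destination [fd00:dead:beef::100]:80
"""

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # RFC 4291 link-local scope
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local addresses


def classify(addr: str) -> str:
    """Name the scope of an IPv6 address; a trailing '%zone' is ignored."""
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    if ip.is_global:
        return "global-unicast"
    return "other"


def parse_rule(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract table, chain, jump target and addresses from one 'rule added' line.

    Returns None for lines that do not look like a rule (hypothetical format,
    modelled on the lines quoted in the issue).
    """
    head = re.search(r"rule added: -t (\w+) -A (\w+)", line)
    if head is None:
        return None

    def opt(pattern: str) -> Optional[str]:
        m = re.search(pattern, line)
        return m.group(1) if m else None

    return {
        "table": head.group(1),
        "chain": head.group(2),
        "target": opt(r" -j (\w+)"),
        "src": opt(r" -s (\S+)"),
        "dst": opt(r" -d (\S+)"),
        "dport": opt(r"--dport (\d+)"),
        "to": opt(r"--to-destination \[([^\]]+)\]"),
    }


def audit(log: str) -> List[str]:
    """Return one finding per DNAT rule whose match address is link-local."""
    findings: List[str] = []
    for line in log.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["target"] != "DNAT" or rule["dst"] is None:
            continue
        if classify(rule["dst"]) != "link-local":
            continue
        to_kind = classify(rule["to"]) if rule["to"] else "unknown"
        findings.append(
            f"{rule['table']}/{rule['chain']}: DNAT matches link-local {rule['dst']} "
            f"-> {rule['to']} ({to_kind}); this address is valid on a single link only, "
            f"so a client must select that link with a zone id (e.g. %eth0)"
        )
    return findings


if __name__ == "__main__":
    for rule_line in SAMPLE_LOG.splitlines():
        parsed = parse_rule(rule_line)
        if parsed:
            print(parsed["table"], parsed["chain"], parsed["target"],
                  "dst=" + str(parsed["dst"]), classify(parsed["dst"]))
    for finding in audit(SAMPLE_LOG):
        print("FINDING:", finding)
```

Run against the quoted log it reports the ULA fd00:dead:beef::100 as unique-local and the fe80:: match address as link-local, and produces exactly one finding, for the nat/DOCKER DNAT rule. The same classification is a quick way to tell apart the unique-local and link-local addresses that this thread uses interchangeably.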

robbertkl commented 3 years ago

What does not work exactly? The incoming connections on your port?

giggio commented 3 years ago

I can't connect to the container. I'm using docker-ipv6nat with a PiHole.

When I don't use the parameter I can connect just fine using the global unicast address. The container is also able to do its job as a DNS server, and can always connect to the internet using IPv6.

If I exec into the container, I can use nslookup and change it to use the ULA to resolve:

# nslookup
> server
Default server: 127.0.0.11
Address: 127.0.0.11#53
Default server: fd00:dead:beef::101
Address: fd00:dead:beef::101#53
> server fd00:dead:beef::101
Default server: fd00:dead:beef::101
Address: fd00:dead:beef::101#53
> gm.com
Server:     fd00:dead:beef::101
Address:    fd00:dead:beef::101#53

Non-authoritative answer:
Name:   gm.com
Address: 198.208.74.205
Name:   gm.com
Address: 198.208.73.147

When you listen on a port on the host itself (so not in a container) using netcat/nc6 binding to the link-local address, can you connect to it?

I haven't tried it. Is there a simple port forwarding I could try to make this easier?

Are link-local addresses supposed to work, or do you think they are different somehow?

giggio commented 3 years ago

Ok, I got a simple repro you can try:

# start a throwaway busybox httpd, published on host port 8080
docker run --rm -d -p 8080:80 --name webtest busybox sh -c 'echo "Hello world!" > index.html && httpd -f -v'
# link-local address of eth0 (fe80::/10)
IP6=$(ip a show eth0 scope link | grep fe80:: | awk '{print $2}' | cut -d'/' -f1)
echo This does not work:
echo IP is $IP6
curl http://[$IP6]:8080
echo This works:
# first global unicast address of eth0
IP6=$(ip a show eth0 scope global dynamic mngtmpaddr | grep inet6 | head -n 1 | awk '{print $2}' | cut -d'/' -f1)
echo IP is $IP6
curl http://[$IP6]:8080
# clean up the test container
docker stop webtest

The curl statement also works for me when calling a global unicast address from a different machine. And fails on the same host, or from a different machine, when calling a link local address.