SNAT support for controlling source IP of outgoing connections #81

Open
rhansen opened this issue Sep 8, 2023 · 2 comments

rhansen commented Sep 8, 2023

Would it be possible to add support for SNAT (as a configurable alternative to MASQUERADE) so that I can control the source IP address used in outgoing connections made from the container?

Background: I manage a VPS as an email server, and it has multiple IPv6 addresses. The server's primary IPv6 address is in a /64 shared with numerous other VPSs managed by other customers. Some of those admins are less fastidious than me, which has resulted in the entire /64 being added to DNS block lists such as zen.spamhaus.org. Thus, all of my outgoing SMTP connections must come from an IP address in a separate /64 that is used by me alone. (I can't remove the primary IPv6 address due to integrations with the VPS service provider.)

I think other projects would benefit from this, for example mailcow (which I don't use; I just came across it while looking for an existing SNAT example). mailcow uses docker-ipv6nat and has its own custom logic to add support for IPv4 and IPv6 SNAT. Perhaps they could eliminate some of their code if SNAT support was added here.

rhansen commented Sep 8, 2023

I think that if a user sets the undocumented com.docker.network.host_ipv4 label then the Docker bridge driver will do SNAT with the specified IPv4 address. There doesn't appear to be an IPv6 equivalent, though it looks like it would not be difficult to add—most of the infrastructure is already in place.

rhansen commented Sep 13, 2023

I opened moby/moby#46469 to add this feature to Docker.
