Fix IPv6 Port Forwarding for the Bridge Driver

[arkodg]

1. Allocate either a IPv4 and/or IPv6 Port Binding (HostIP, HostPort, ContainerIP,
   ContainerPort) based on the input and system parameters
2. Update the userland proxy as well as dummy proxy (inside port mapper) to
   specifically listen to either the IPv4 or IPv6 network

Signed-off-by: Arko Dasgupta arko.dasgupta@docker.com

[arkodg]

cc @bboehmke

[bboehmke]

The implementation looks far better and cleaner as my try.

[bboehmke]

Is it necessary to set containerIPv6 explicit to nil?

var containerIPv6 net.IP should already be nil by default

[arkodg]

ack, thanks

[bboehmke]

The EnableIP6Tables check was removed completely.

Is there anything that prevents a creation of ip6tables rules in AppendForwardingTableEntry of the portmapper if EnableIP6Tables is not set?

[arkodg]

If

libnetwork/drivers/bridge/setup_ip_tables.go

Line 184 in 5c6a95b

n.portMapperV6.SetIptablesChain(natChain, n.getNetworkBridgeName())

is skipped, pm.chain will be nil and will skip the iptables programming

libnetwork/portmapper/mapper_linux.go

Line 42 in 5c6a95b

if pm.chain == nil {

[bboehmke]

oh I see. That is for sure far cleaner than before.

[bboehmke]

LGTM

[arkodg]

thanks @bboehmke can you please formally approve the PR, so I can merge it and vendor it into moby/moby

[thaJeztah]

@arkodg curious: would this be an issue? https://twitter.com/bradfitz/status/1341979944151207937?s=20

golang/go#37921

[arkodg]

we currently don't support IPv4-mapped IPv6 addresses today, we build out a separate ipv4 and ipv6 stack

[vin01]

1. Allocate either a IPv4 and/or IPv6 Port Binding (HostIP, HostPort, ContainerIP,
   ContainerPort) based on the input and system parameters

2. Update the userland proxy as well as dummy proxy (inside port mapper) to
   specifically listen to either the IPv4 or IPv6 network

Signed-off-by: Arko Dasgupta arko.dasgupta@docker.com

This looks like a breaking change since until now docker-proxy has been binding to both v4 and v6 addresses if both are available on the system which I believe made sense.

[fbezdeka]

According to the Changelog [1] this is the only network related change in 20.10.2.
Now my IPv6 port forwarding is completely broken.
Downgrading to 20.10.1 fixed it.

There are no docker-proxy processes started. 20.10.1 starts a process for each port-forwarding.

Example:

sudo docker run \
    --hostname gitlab \
    --env 'GITLAB_PORT=443' \
    --env 'GITLAB_HTTPS=true' \
    --publish [<ip>]:2222:22 \
    --publish [<ip>]:8080:80 \
    --publish [<ip>]:8443:443 \
    --name gitlab \
    --restart always \
    --volume /srv/gitlab/config:/etc/gitlab:Z \
    --volume /srv/gitlab/logs:/var/log/gitlab:Z \
    --volume /srv/gitlab/data:/var/opt/gitlab:Z \
    gitlab/gitlab-ce:latest

[1] https://docs.docker.com/engine/release-notes/

[pokotiX]

According to the Changelog [1] this is the only network related change in 20.10.2.
Now my IPv6 port forwarding is completely broken.
Downgrading to 20.10.1 fixed it.

There are no docker-proxy processes started. 20.10.1 starts a process for each port-forwarding.

Example:

sudo docker run \
    --hostname gitlab \
    --env 'GITLAB_PORT=443' \
    --env 'GITLAB_HTTPS=true' \
    --publish [<ip>]:2222:22 \
    --publish [<ip>]:8080:80 \
    --publish [<ip>]:8443:443 \
    --name gitlab \
    --restart always \
    --volume /srv/gitlab/config:/etc/gitlab:Z \
    --volume /srv/gitlab/logs:/var/log/gitlab:Z \
    --volume /srv/gitlab/data:/var/opt/gitlab:Z \
    gitlab/gitlab-ce:latest

[1] https://docs.docker.com/engine/release-notes/

I confirm, I have the same problem

[arkodg]

@pokotiV @fbezdeka @vin01 can you please raise a separate issue to discuss this
thanks

[terencehonles]

@pokotiV @fbezdeka @vin01 can you please raise a separate issue to discuss this
thanks

@arkodg done in #2607 (I believe the title captures the problem that everyone was seeing (it does mine))