Description
On a system running Docker 27.1.2 alongside KVM/libvirt with its own separate bridge, I've observed that IPv6 stopped working in virtual machines. It turns out that all IPv6 multicast packets don't make it through the bridge.
Ultimately, disabling filtering helped:
sysctl -w net.bridge.bridge-nf-call-ip6tables=0
I was then able to pinpoint Docker as being responsible. It seems that Docker adds a default DROP rule in the FORWARDING chain:
# ip6tables -L
...
Chain FORWARD (policy DROP)
...
When not starting Docker (or with ip6tables disabled), the default value of ACCEPT makes IPv6 in virtual machines just work fine.
I've also noticed that the IPv4 FORWARD chain uses default ACCEPT.
Is the DROP for the IPv6 FORWARD chain intentional/required?
Reproduce
- Check ip6tables -L and observe the default for FORWARD rule is ACCEPT
- Start docker with --ip6tables true
- Check ip6tables -L and observe new default for FORWARD rule.
Expected behavior
No response
docker version
Client:
Version: 27.1.2
API version: 1.46
Go version: go1.23.0
Git commit: d01f264bcc
Built: Sun Aug 18 14:43:14 2024
OS/Arch: linux/amd64
Context: default
Server:
Engine:
Version: 27.1.2
API version: 1.46 (minimum version 1.24)
Go version: go1.23.0
Git commit: f9522e5e96
Built: Sun Aug 18 14:43:14 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.7.20
GitCommit: 8fc6bcff51318944179630522a095cc9dbf9f353.m
runc:
Version: 1.1.13
GitCommit:
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Client:
Version: 27.1.2
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: 0.16.2
Path: /usr/lib/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: 2.29.2
Path: /usr/lib/docker/cli-plugins/docker-compose
Server:
Containers: 135
Running: 1
Paused: 0
Stopped: 134
Images: 371
Server Version: 27.1.2
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: true
Native Overlay Diff: false
userxattr: false
Logging Driver: journald
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 8fc6bcff51318944179630522a095cc9dbf9f353.m
runc version:
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.6.42-1-lts
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 32
Total Memory: 62.01GiB
Name: allenwind
ID: 4YKC:JPTF:AI6R:AV34:KFP6:PR3Y:J72G:OEHE:3ZH2:OM3Y:6M52:HUFJ
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: agners
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Additional Info
No response
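The interaction the report describes is that, with net.bridge.bridge-nf-call-ip6tables=1, frames forwarded by any Linux bridge on the host (including libvirt's) traverse the ip6tables FORWARD chain, so a FORWARD policy of DROP installed for Docker's benefit also drops the VM bridge's IPv6 traffic. The following shell script is an added example, not code from the issue or from Docker: it classifies a host from the two inputs that matter (the `ip6tables -L` text and the sysctl value) and prints a narrower mitigation than disabling bridge netfilter globally. The constructed `ip6tables -L` samples, the bridge name virbr0 (libvirt's default, not mentioned in the report) and the use of the DOCKER-USER chain for the accept rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): decide whether IPv6 traffic forwarded by a
# non-Docker bridge is subject to an ip6tables FORWARD policy of DROP, and print
# a per-bridge mitigation. Inputs are passed as strings so the logic runs offline
# against constructed samples; on a real host feed it the output of
#   ip6tables -L FORWARD -n
#   sysctl -n net.bridge.bridge-nf-call-ip6tables

# Constructed sample: FORWARD policy after Docker started with --ip6tables true.
SAMPLE_DOCKER_RUNNING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all      anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: kernel default before Docker touches ip6tables.
SAMPLE_NO_DOCKER='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Print the FORWARD chain policy (ACCEPT/DROP) found in ip6tables -L output.
forward_policy() {
    # $1: full text of ip6tables -L output
    printf '%s\n' "$1" | sed -n 's/^Chain FORWARD (policy \([A-Z]*\)).*/\1/p'
}

# Print "filtered" when bridged IPv6 frames hit a FORWARD chain with policy DROP
# (bridge netfilter enabled AND policy DROP), otherwise "passes".
bridged_ipv6_status() {
    # $1: ip6tables -L output, $2: value of net.bridge.bridge-nf-call-ip6tables
    policy=$(forward_policy "$1")
    if [ "$2" = "1" ] && [ "$policy" = "DROP" ]; then
        echo filtered
    else
        echo passes
    fi
}

# Print an accept rule scoped to one bridge, inserted in DOCKER-USER so it
# survives Docker re-creating its own rules. Assumption: DOCKER-USER exists in
# the IPv6 filter table once --ip6tables is enabled. Printed, not executed.
per_bridge_accept_rule() {
    # $1: bridge interface name (e.g. virbr0, an assumed libvirt default)
    echo "ip6tables -I DOCKER-USER -i $1 -o $1 -j ACCEPT"
}

# Stand-alone run over the constructed samples.
for sysctl_value in 0 1; do
    echo "no docker, bridge-nf-call-ip6tables=$sysctl_value: $(bridged_ipv6_status "$SAMPLE_NO_DOCKER" "$sysctl_value")"
    echo "docker running, bridge-nf-call-ip6tables=$sysctl_value: $(bridged_ipv6_status "$SAMPLE_DOCKER_RUNNING" "$sysctl_value")"
done
if [ "$(bridged_ipv6_status "$SAMPLE_DOCKER_RUNNING" 1)" = "filtered" ]; then
    echo "suggested mitigation (review before applying): $(per_bridge_accept_rule virbr0)"
fi
```

The per-bridge rule keeps Docker's DROP policy in place for everything else, unlike setting net.bridge.bridge-nf-call-ip6tables=0, which also stops ip6tables from seeing traffic bridged between Docker's own containers.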