New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proof of concept: support IPv6 addresses in -p #20315
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -128,16 +128,20 @@ func (pm *PortMapper) MapRange(container net.Addr, hostIP net.IP, hostPortStart, | |
} | ||
|
||
containerIP, containerPort := getIPAndPort(m.container) | ||
if err := pm.forward(iptables.Append, m.proto, hostIP, allocatedHostPort, containerIP.String(), containerPort); err != nil { | ||
return nil, err | ||
if hostIP.To4() != nil { | ||
if err := pm.forward(iptables.Append, m.proto, hostIP, allocatedHostPort, containerIP.String(), containerPort); err != nil { | ||
return nil, err | ||
} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. When you submit to libnetwork, remember to also add the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. In libnetwork your change to skip the iptables programming for v6 host IP, needed because we have no ip6tables package, may be ok, but would this work when daemon is started with There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Done.
I’m not quite sure I get what you mean. When starting docker with
I was under the impression that IPv6 requires the userland proxy. In any case, my patch doesn’t change the outcome of this test. If the test was not what you had in mind, might I ask you to check out this pull request and run the test yourself please? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Using docker with IPv6 is completely different. One has to start docker daemon it with --fixed-cidr-v6= and access each container via it's own ipv6. There's enough addresses to do so :) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Yes that's the point I wanted to make. It will only work if the daemon was started with
That is not strictly true. If you have a routable IPv6 for your container, you can always route up to the container (Sure you may need to set some routes: IPv6 with Docker ). Also a general question, why do you need the port translation for IPv6 ?
Not strictly true either. You can now create your bridge network witth
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
The idea is to have the ability to bind to ipv6 interface only. It's possible with ipv4 but not with ipv6. |
||
} | ||
|
||
cleanup := func() error { | ||
// need to undo the iptables rules before we return | ||
m.userlandProxy.Stop() | ||
pm.forward(iptables.Delete, m.proto, hostIP, allocatedHostPort, containerIP.String(), containerPort) | ||
if err := pm.Allocator.ReleasePort(hostIP, m.proto, allocatedHostPort); err != nil { | ||
return err | ||
if hostIP.To4() != nil { | ||
pm.forward(iptables.Delete, m.proto, hostIP, allocatedHostPort, containerIP.String(), containerPort) | ||
if err := pm.Allocator.ReleasePort(hostIP, m.proto, allocatedHostPort); err != nil { | ||
return err | ||
} | ||
} | ||
|
||
return nil | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am trying to see if we do really need the square brackets.
The
-p value
can be:In all the cases, I think, we need to
a) If no
:
are present in value, then ContainerPort=value, exitb) else split value by
:
into N elements, ContainerPort=, HostPort=<(N-1)th element>if len(elements) == 3, then parse the IPv4 host address from the first element, exit
else if len(elements) > 3 join the first N-2 elements in one string and parse the IPv6 from it, exit
else exit
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I saw this PR #20842
So wondering if we can make use of the standard net functions here, e.g.
net. SplitHostPort()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even if we don’t need them, I think it makes sense to use them. Using square brackets for separating IPv6 addresses from ports is what all other programs do, so there’s a strong argument for consistency.
I don’t see what using
net.SplitHostPort()
would buy us in this case. I don’t think it makes the code any shorter or handles any more cases than what we handle currently. If you disagree, can you provide a code snippet to illustrate what you mean please?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sticking to ipv6 literal notation is very good idea. It's too easy to get lost in plethora of colons without square brackets (not to mention that the number of colons in ipv6 can vary).
https://www.ietf.org/rfc/rfc2732.txt
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it. It's mainly for readability. Thanks for the pointer to the ipv6 literal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't delve into it deeply; but thought to mention it, in case that code was better tested and/or handled corner case that we didn't think of.