In the past the only way to get a working IPv6 NAT setup for docker was the great docker-ipv6nat companion container initiated by Robbert Klarenbeek.

For some months now, the docker daemon has also supported IPv6 NAT, which can be used like the IPv4 NAT. Currently this feature is still marked as experimental and there are still some open issues (see below).

This post gives a basic example of how to use the IPv6 NAT of the docker daemon and also documents part of its development. It also lists issues and fixes that came up in the process of getting this feature ready for production.

Enable IPv6 NAT

By default the creation of ip6tables rules is disabled to keep backward compatibility. Additionally, it is required to enable IPv6 and set a private IPv6 network for the fixed-cidr-v6 in the daemon or in a user-defined network. The second step is exactly the same as for the docker-ipv6nat image.

To enable IPv6 NAT on the default docker network add the following to the /etc/docker/daemon.json (adapt the fixed-cidr-v6 as needed):

{
    "experimental": true,
    "ip6tables": true,
    "fixed-cidr-v6": "fd00:dead:beef::/48",
    "ipv6": true
}

To use IPv6 NAT for user-defined networks, simply create a network with IPv6 enabled and a private subnet:

docker network create --ipv6 --subnet fd00:dead:beef::/48 mynetwork

In this case you only have to add the following to the /etc/docker/daemon.json:

{
    "experimental": true,
    "ip6tables": true
}

That's all. Simply start any container and expose a port, and it should be reachable via IPv6.
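The following Python check is an added example, not part of the original post or of Docker: it validates a daemon.json against the requirements described above for both the default bridge and the user-defined-network case. The function names are hypothetical, and treating "private" as the unique local range fc00::/7 is an assumption.

```python
import ipaddress
import json

# Assumption: "private IPv6 network" means a unique local address prefix.
ULA = ipaddress.ip_network("fc00::/7")

def check_subnet(cidr):
    """Return a list of problems with a subnet intended for IPv6 NAT."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"invalid subnet {cidr!r}: {exc}"]
    if net.version != 6:
        return [f"{cidr} is not an IPv6 network"]
    if not net.subnet_of(ULA):
        return [f"{cidr} is not inside {ULA}"]
    return []

def check_daemon_config(text, default_bridge=True):
    """Check daemon.json text; default_bridge=False is the user-defined-network case."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top level of daemon.json must be an object"]
    required = ["experimental", "ip6tables"]
    if default_bridge:
        required.append("ipv6")  # only needed for the default docker network
    problems = [f'"{key}" must be true' for key in required if cfg.get(key) is not True]
    if default_bridge:
        cidr = cfg.get("fixed-cidr-v6")
        if cidr is None:
            problems.append('"fixed-cidr-v6" is missing')
        else:
            problems += check_subnet(cidr)
    return problems

if __name__ == "__main__":
    # Constructed sample: a global prefix and ip6tables left at its default.
    sample = '{"experimental": true, "ipv6": true, "fixed-cidr-v6": "2001:db8::/64"}'
    for problem in check_daemon_config(sample):
        print("problem:", problem)
```

To check a real host, pass the contents of /etc/docker/daemon.json as `text`; an empty list means the settings match the post's description.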

History

There have been a lot of requests for IPv6 NAT in the docker daemon. One of the most popular is moby#25407. Because this feature was not implemented for a long time, the docker-ipv6nat project was created.

In 2017 wrridgwa created Merge Request libnetwork#2023 for libnetwork, which implements the creation of ip6tables rules. Sadly this Merge Request was never merged and became outdated after some time.

In July 2020 I reworked this Merge Request to get it working with the latest version of libnetwork and published the changes as libnetwork#2572. After some months and multiple requested changes, the Merge Request was merged at the end of October. (Vendor MR: moby#41604)

Finally the new --ip6tables config was added to the daemon in moby#41622 as an experimental option. In addition, cli#2846 updated the documentation for the new option.

Sadly the modifications of the docker daemon caused some new issues:

With release 20.10.6 (2021-04-12) all of these issues should be resolved.