Docker - IPv6 (bridge gateway address in the container): how do I get the client's IPv6 address inside the container?

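Problem description

I am trying to get the client's IPv6 address inside the container, but I am getting the bridge-local address. It seems Docker does a full proxy for IPv6 connections. With IPv4 I get the forwarded public IPv4 address.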

/etc/docker/daemon.json

{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64",
  "ip-forward": true
}

docker network inspect bridge

[
    {
        "Name": "bridge",
        "Id": "a5597a9816f9de577ed20d9d7042eb1922f3e705ff00264afa7f40ebd811755f",
        "Created": "2021-09-13T19:13:27.730970738+02:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": true,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                },
                {
                    "Subnet": "2001:db8:1::/64"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "c985d87272f932c113c8f7bacf94874acc2ab2bf12894521e9bae957601289ef": {
                "Name": "pensive_bell",
                "EndpointID": "93987b61044efedc74a479d655976e3bee3be56cfa5cc3412f311e01fdf9399d",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": "2001:db8:1::242:ac11:2/64"
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

So my container has an IPv6 address and can ping IPv6 addresses:

root@c985d87272f9:/# ip -6 addr show dev eth0
138: eth0@if139: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP 
    inet6 2001:db8:1::242:ac11:2/64 scope global nodad 
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link 
       valid_lft forever preferred_lft forever


root@c985d87272f9:/# ping6 -c 1 google.com
PING google.com(ams15s22-in-x0e.1e100.net (2a00:1450:400e:801::200e)) 56 data bytes
64 bytes from ams15s22-in-x0e.1e100.net (2a00:1450:400e:801::200e): icmp_seq=1 ttl=112 time=25.2 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 25.176/25.176/25.176/0.000 ms
root@c985d87272f9:/# 

It generally works, but if I try to request this:

tcpdump in the container

17:49:20.970495 IP6 2001:db8:1::1.51128 > 2001:db8:1::242:ac11:2.80: Flags [.], ...
17:49:20.971042 IP6 2001:db8:1::242:ac11:2.80 > 2001:db8:1::1.51126: Flags [P.], ...

I get Docker's IPv6 address 2001:db8:1::1 as the source instead of the client's address :/

tcpdump on the host interface

19:51:55.886715 IP6 2a0c:0:0:0:33:f026:826b:1454.53698 > 2001:41d0:601:1100::254a.8000: Flags [S], ...
19:51:55.886925 IP6 2001:41d0:601:1100::254a.8000 > 2a0c:0:0:0:33:f026:826b:1454.53678: Flags [.], ...

This shows that the client's IP is 2a0c:... and that it should be in the container.

docker ps

CONTAINER ID   IMAGE        COMMAND                  CREATED          STATUS          PORTS             NAMES
c985d87272f9   nginx:1.21   "/docker-entrypoint.…"   22 minutes ago   Up 22 minutes   :::8000->80/tcp   pensive_bell

How do I configure Docker so that the IPv6 client's address is visible on the container interface?

Tags: docker, ipv6
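The comparison the question makes by eye between the two captures can be scripted. The following Python is an added example, not part of the original post, and its function names are illustrative. It parses tcpdump IP6 lines (sample lines copied from the captures above) and reports peers whose address lies inside the bridge subnet, the sign that the client address was replaced before the packet reached the container.

```python
import ipaddress
import re

# Sample input copied from the question: bridge subnet and tcpdump lines.
BRIDGE_SUBNET = "2001:db8:1::/64"
CONTAINER_CAPTURE = """\
17:49:20.970495 IP6 2001:db8:1::1.51128 > 2001:db8:1::242:ac11:2.80: Flags [.], ...
17:49:20.971042 IP6 2001:db8:1::242:ac11:2.80 > 2001:db8:1::1.51126: Flags [P.], ...
"""
HOST_CAPTURE = """\
19:51:55.886715 IP6 2a0c:0:0:0:33:f026:826b:1454.53698 > 2001:41d0:601:1100::254a.8000: Flags [S], ...
19:51:55.886925 IP6 2001:41d0:601:1100::254a.8000 > 2a0c:0:0:0:33:f026:826b:1454.53678: Flags [.], ...
"""

# tcpdump prints IPv6 endpoints as "<address>.<port>"; the port is the last dotted field.
FLOW_RE = re.compile(r"^\S+ IP6 (\S+)\.(\d+) > (\S+)\.(\d+):")


def parse_flows(capture):
    """Yield (src_addr, src_port, dst_addr, dst_port) for every IP6 line."""
    for line in capture.splitlines():
        m = FLOW_RE.match(line)
        if m:
            yield (ipaddress.ip_address(m.group(1)), int(m.group(2)),
                   ipaddress.ip_address(m.group(3)), int(m.group(4)))


def peers_of(capture, local_addr, local_port):
    """Return the remote addresses seen talking to local_addr:local_port."""
    local = ipaddress.ip_address(local_addr)
    peers = set()
    for src, sport, dst, dport in parse_flows(capture):
        if dst == local and dport == local_port:
            peers.add(src)
        elif src == local and sport == local_port:
            peers.add(dst)
    return peers


def masked_peers(capture, local_addr, local_port, bridge_subnet):
    """Peers inside the bridge subnet: the original client address is hidden.
    Other containers on the same bridge also match and must be excluded by hand."""
    net = ipaddress.ip_network(bridge_subnet)
    return {p for p in peers_of(capture, local_addr, local_port) if p in net}


if __name__ == "__main__":
    print("container sees:", masked_peers(CONTAINER_CAPTURE, "2001:db8:1::242:ac11:2", 80, BRIDGE_SUBNET))
    print("host sees:     ", peers_of(HOST_CAPTURE, "2001:41d0:601:1100::254a", 8000))
```

Any access log, rate limit or IP allow-list evaluated inside the container keys on the first result rather than the second.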

Solution

