Merge pull request moby#48570 from akerouanton/proxy-LL-connections

libnet/d/bridge: port mapping: proxy LL connections
robmry · Oct 8, 2024 · 60a624c · 60a624c
2 parents 16154dc + 7ca9e9b
commit 60a624c
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/integration/networking/port_mapping_linux_test.go b/integration/networking/port_mapping_linux_test.go
@@ -323,14 +323,21 @@ func TestAccessPublishedPortFromHost(t *testing.T) {
 						// loopback address.
 						continue
 					}
+
+					addr := hostAddr.String()
 					if hostAddr.IsLinkLocalUnicast() {
-						// Mapping ports on link-local addresses is currently
-						// unsupported.
-						continue
+						if !tc.ulpEnabled {
+							// iptables can DNAT packets addressed to link-local
+							// addresses, but they won't be SNATed, so the
+							// target server won't know where to reply. Thus,
+							// the userland-proxy is required for these addresses.
+							continue
+						}
+						addr += "%25" + iface
 					}
 
 					httpClient := &http.Client{Timeout: 3 * time.Second}
-					resp, err := httpClient.Get("http://" + net.JoinHostPort(hostAddr.String(), hostPort))
+					resp, err := httpClient.Get("http://" + net.JoinHostPort(addr, hostPort))
 					assert.NilError(t, err)
 					assert.Check(t, is.Equal(resp.StatusCode, 404))
 				}

diff --git a/libnetwork/drivers/bridge/port_mapping_linux.go b/libnetwork/drivers/bridge/port_mapping_linux.go
@@ -772,6 +772,9 @@ func setPerPortNAT(b portBinding, ipv iptables.IPVersion, proxyPath string, brid
 	if !hairpinMode {
 		args = append(args, "!", "-i", bridgeName)
 	}
+	if ipv == iptables.IPv6 {
+		args = append(args, "!", "-s", "fe80::/10")
+	}
 	rule := iptRule{ipv: ipv, table: iptables.Nat, chain: DockerChain, args: args}
 	if err := appendOrDelChainRule(rule, "DNAT", enable); err != nil {
 		return err

diff --git a/libnetwork/drivers/bridge/port_mapping_linux_test.go b/libnetwork/drivers/bridge/port_mapping_linux_test.go
@@ -921,9 +921,12 @@ func TestAddPortMappings(t *testing.T) {
 
 				// Check the DNAT rule.
 				dnatRule := ""
+				if ipv == iptables.IPv6 && !tc.gwMode6.natDisabled() {
+					dnatRule += "! -s fe80::/10 "
+				}
 				if tc.proxyPath != "" {
 					// No docker-proxy, so expect "hairpinMode".
-					dnatRule = "! -i dummybridge "
+					dnatRule += "! -i dummybridge "
 				}
 				dnatRule += fmt.Sprintf("-d %s -p %s -m %s --dport %d -j DNAT --to-destination %s:%d",
 					addrH, expPB.Proto, expPB.Proto, expPB.HostPort, addrD, expPB.Port)