add IPv6 support for docker network #1111

Merged 1 commit on Jul 22, 2025

Xentrice
Contributor

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

Adding IPv6 support to the docker network to ensure no NATing takes place and the IP addresses are logged correctly. This ensures correct behavior of middlewares, for example Crowdsec or GeoBlock.
Successfully tested on Debian-based systems with different IP configurations (IPv4 only/IPv6 only/both). Also successfully tested on an existing install (IPv4/6 dual, Debian 12).
I did however only test on Hetzner VPS. There might be some differences in the server setup across providers, but I doubt they would impact this change.

Some follow-up thoughts regarding #110:
Upon further thinking I came to the conclusion that step 1 might be disruptive - blocking IPv6 completely might break some installs if users are using an IPv6 only server (unlikely, as GitHub doesn't have IPv6 support yet, but not completely ruled out).

I also put some thought again into enabling IPv6 by default on all new installations, and can't think of any reason not to. My initial hesitation was due to increased complexity, especially with Docker's tendency to punch through existing firewall policies. After giving this some thought, I came to the conclusion that some basic tech knowledge can be expected from the user, and I think it is a reasonable expectation that someone provisioning an IPv6-capable server is aware of the implications. So, as of now, I don't see any downside to enabling IPv6 on all new installations.

In the end, this was basically just adding one line and running a lot of tests. So @oschwartz10612... #110 (comment) you were completely correct :)

Changing this to ask the user during installation would be trivial now that the tests are done, just let me know if you prefer this. TBH tho, after my tests, I don't see a reason anymore.

I am unsure about how to handle existing installations, if at all. A note in the release notes might be sufficient.

How to test?

Provision a fresh install or change the docker-compose.yml on an existing install
Ensure connection works from both IPv4 and IPv6 clients
Ensure the IP forwarding works as expected, for example by checking the traefik access.log. IPv6 addresses should now show correctly.

@oschwartz10612
Member

Tested with V6 and did not see any issues. Thinking this is probably fine?

I am leaning toward maybe making it an option during install in case it does break anything for people's installs. That way they would have the option to remove it if they wanted to, but it can default to yes, as I agree there does not appear to be too much downside. Do you agree? Would you be able to make it conditional in the installer?

If not I can.

@Xentrice
Contributor Author

Xentrice commented Jul 22, 2025

Hm, the thing is, if you disable this during a default install and your server is generally IPv6 capable, you don't disable IPv6, you just enable NATing, meaning every IPv6 connection gets translated to the docker container internal IPv4. This is the reason for the initial issue.
I'm not sure if it's reasonable to explain this during the installation prompts without making them too bloated.

If the prompt should actually disable IPv6, some additional changes are needed - imho it would be sufficient to publish the gerbil docker ports to IPv4 only.

I do admit I lean towards it just being the default, after all IPv6 is inevitable and during all my tests I didn't see a single issue. Maybe a two-step process is still the way though, enabling it with opt-out, just in case there are some niche cases I didn't think of or I missed something, and somewhere down the line making it default.

I can make all the changes needed including the conditionals, just tell me which way to go.
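
An added example, not part of the pull request or the project's code: a check for the access-log step under "How to test?" and for the NAT behaviour described in the comment above. It assumes Traefik's JSON (`ClientHost` field) or common access log format, Docker networks addressed from RFC 1918 or ULA space, and clients arriving from public addresses; the function names and sample lines are constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

# Assumption: Docker bridge networks use RFC 1918 (IPv4) or ULA (IPv6) subnets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def client_host(line):
    """Extract the client address from a JSON or common-format log line."""
    line = line.strip()
    if line.startswith("{"):
        try:
            return json.loads(line).get("ClientHost")
        except json.JSONDecodeError:
            return None
    return line.split()[0] if line else None


def classify(host):
    """Return 'nat-internal', 'ipv6', 'ipv4' or 'unparsed' for a client host."""
    try:
        addr = ipaddress.ip_address(str(host or "").strip("[]"))
    except ValueError:
        return "unparsed"
    # ::ffff:a.b.c.d is an IPv4 peer seen through a dual-stack socket.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if any(addr.version == n.version and addr in n for n in INTERNAL_NETS):
        return "nat-internal"  # proxy saw a container-side address, not the client
    return "ipv6" if addr.version == 6 else "ipv4"


def summarize(lines):
    """Count classifications over an iterable of access log lines."""
    return Counter(classify(client_host(l)) for l in lines if l.strip())


# Constructed sample lines using documentation addresses, not a real log.
SAMPLE = [
    '{"ClientHost":"2001:db8::25","RequestPath":"/","DownstreamStatus":200}',
    '{"ClientHost":"172.18.0.1","RequestPath":"/","DownstreamStatus":200}',
    '203.0.113.7 - - [22/Jul/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '{"ClientHost":"::ffff:172.18.0.1","RequestPath":"/","DownstreamStatus":200}',
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

A non-zero `nat-internal` count in entries logged after the change suggests connections are still being translated before they reach Traefik.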

@oschwartz10612
Member

Good reasoning, I think I agree! Will merge!

Thanks for doing all of this testing and giving this some thought. Appreciate it!

@oschwartz10612 oschwartz10612 merged commit 3f2de33 into fosrl:main Jul 22, 2025
1 check passed
@elcajon

elcajon commented Jul 22, 2025

I became aware of this based on my issue #1084. FYI - Having manually adjusted my configuration, I can confirm that it works well for me in a productive environment. Thanks a lot for the contribution - it's really appreciated! 😊
