port/builtin: fix UDP forwarding for non-loopback clients (#592) #596
Merged
…ontainers#592)

UDP port forwarding via the builtin driver was broken for non-loopback clients whenever --source-ip-transparent was enabled (the default). The server received the requests but responses never reached the client.

The UDP IP_TRANSPARENT support added in v3.0 cannot work reliably: the in-netns server replies to the real (non-local) client address, and unlike TCP there is no per-flow accepted socket to carry the fwmark (no udp_fwmark_accept). The reply's route and source address are therefore selected at send time via the main table, so the reply egresses the default route (e.g. the slirp4netns TAP) and never reaches the transparent socket.

Fall back to the non-transparent path for UDP, which forwards correctly for all clients (it does not preserve the client source IP). TCP source IP preservation is unchanged.

- child: only take the IP_TRANSPARENT path for TCP; transparentDial is TCP-only again
- msg/udp/udpproxy: drop the now-unused UDP source-address plumbing
- testsuite: TestUDPTransparent now asserts the echo reply reaches a non-loopback client (and that the source IP is not preserved for UDP)
- docs, --help: note that source IP propagation is TCP only

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
UDP port forwarding via the builtin driver was broken for non-loopback clients whenever --source-ip-transparent was enabled (the default). The server received the requests but responses never reached the client.
The UDP IP_TRANSPARENT support added in v3.0 cannot work reliably: the in-netns server replies to the real (non-local) client address, and unlike TCP there is no per-flow accepted socket to carry the fwmark (no udp_fwmark_accept). The reply's route and source address are therefore selected at send time via the main table, so the reply egresses the default route (e.g. the slirp4netns TAP) and never reaches the transparent socket.
Fall back to the non-transparent path for UDP, which forwards correctly for all clients (it does not preserve the client source IP). TCP source IP preservation is unchanged.
Note: used Claude Code
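The structural difference the description rests on (a TCP server is handed one accepted socket per client flow, while a UDP server keeps a single unconnected socket and only learns a source address per datagram, so nothing per-flow exists for a fwmark to ride on) can be observed unprivileged on loopback. The Go program below is an added illustration, not rootlesskit code and not its TestUDPTransparent; it does not set IP_TRANSPARENT or a fwmark (that needs CAP_NET_ADMIN and a netns), and `observePeers` and `PeerView` are names chosen here.

```go
package main

import (
	"fmt"
	"net"
)

// PeerView records what a server is handed for n clients on each transport:
// TCP yields one accepted socket per flow (per-flow state a fwmark can follow
// into the reply); UDP yields one socket and only a source address per datagram.
type PeerView struct {
	TCPAccepted int // distinct accepted sockets, one per client
	UDPSockets  int // always 1: one unconnected socket serves every peer
	UDPPeers    int // distinct client addresses seen via ReadFrom
}

func check(err error) { if err != nil { panic(err) } }

// observePeers runs a loopback TCP listener and UDP socket, connects n clients to each, and reports what the server side sees.
func observePeers(n int) PeerView {
	v := PeerView{UDPSockets: 1}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
	check(err)
	defer pc.Close()
	peers := map[string]bool{}
	buf := make([]byte, 16)
	for i := 0; i < n; i++ {
		c, err := net.Dial("tcp", ln.Addr().String()) // client i connects
		check(err)
		s, err := ln.Accept() // a fresh socket belonging to this flow only
		check(err)
		v.TCPAccepted++
		s.Close()
		c.Close()
		u, err := net.Dial("udp", pc.LocalAddr().String()) // new ephemeral port
		check(err)
		u.Write([]byte("ping")) // constructed sample datagram
		_, from, err := pc.ReadFrom(buf) // same socket; only the address differs
		check(err)
		peers[from.String()] = true
		u.Close()
	}
	v.UDPPeers = len(peers)
	return v
}

func main() { fmt.Println(observePeers(3)) }
```

With three clients the server ends up with three accepted TCP sockets but a single UDP socket that has merely seen three peer addresses, which is why a UDP reply's route is chosen anew at send time from the main table rather than inherited per flow.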