docker · dvdksn · Jun 25, 2024 · Jun 14, 2024 · May 13, 2024 · Jun 12, 2024
diff --git a/.github/vale/config/vocabularies/Docker/accept.txt b/.github/vale/config/vocabularies/Docker/accept.txt
@@ -77,6 +77,7 @@ Mac
 Mail(chimp|gun)
 Microsoft
 MySQL
+NAT
 Nginx
 Nuxeo
 OAuth

diff --git a/content/config/daemon/ipv6.md b/content/config/daemon/ipv6.md
@@ -6,61 +6,32 @@ aliases:
 - /engine/userguide/networking/default_network/ipv6/
 ---
 
-Before you can use IPv6 in Docker containers, you need to
-enable IPv6 support in the Docker daemon. Afterward, you can choose to use
-either IPv4 or IPv6 (or both) with any container or network.
-
 IPv6 is only supported on Docker daemons running on Linux hosts.
 
-> **Note**
->
-> When using IPv6, we recommend that you enable the
-> [experimental](../../release-lifecycle.md#experimental)
-> `ip6tables` parameter in the daemon configuration.
-
 ## Create an IPv6 network
 
-The following steps show you how to create a Docker network that uses IPv6.
-
-1. Edit the Docker daemon configuration file,
-   located at `/etc/docker/daemon.json`. Configure the following parameters:
-
-   ```json
-   {
-     "experimental": true,
-     "ip6tables": true
-   }
-   ```
-
-   `ip6tables` enables additional IPv6 packet filter rules, providing network
-   isolation and port mapping. This parameter requires `experimental` to be
-   set to `true`.
-
-2. Save the configuration file.
-3. Restart the Docker daemon for your changes to take effect.
-
-   ```console
-   $ sudo systemctl restart docker
-   ```
+- Using `docker network create`:
 
-4. Create a new IPv6 network.
+  ```console
+  $ docker network create --ipv6 ip6net
+  ```
 
-   - Using `docker network create`:
+- Using `docker network create`, specifying an IPv6 subnet:
 
-     ```console
-     $ docker network create --ipv6 --subnet 2001:0DB8::/112 ip6net
-     ```
+  ```console
+  $ docker network create --ipv6 --subnet 2001:db8::/64 ip6net
+  ```
 
-   - Using a Docker Compose file:
+- Using a Docker Compose file:
 
-     ```yaml
-      networks:
-        ip6net:
-          enable_ipv6: true
-          ipam:
-            config:
-              - subnet: 2001:0DB8::/112
-     ```
+  ```yaml
+   networks:
+     ip6net:
+       enable_ipv6: true
+       ipam:
+         config:
+           - subnet: 2001:db8::/64
+  ```
 
 You can now run containers that attach to the `ip6net` network.
 
@@ -78,8 +49,9 @@ Hostname: ea1cfde18196
 IP: 127.0.0.1
 IP: ::1
 IP: 172.17.0.2
+IP: 2001:db8::2
 IP: fe80::42:acff:fe11:2
-RemoteAddr: [fe80::42:acff:fe11:2]:54890
+RemoteAddr: [2001:db8::1]:37574
 GET / HTTP/1.1
 Host: [::1]
 User-Agent: curl/8.1.2
@@ -96,18 +68,15 @@ The following steps show you how to use IPv6 on the default bridge network.
    ```json
    {
      "ipv6": true,
-     "fixed-cidr-v6": "2001:db8:1::/64",
-     "experimental": true,
-     "ip6tables": true
+     "fixed-cidr-v6": "2001:db8:1::/64"
    }
    ```
 
    - `ipv6` enables IPv6 networking on the default network.
    - `fixed-cidr-v6` assigns a subnet to the default bridge network,
      enabling dynamic IPv6 address allocation.
    - `ip6tables` enables additional IPv6 packet filter rules, providing network
-     isolation and port mapping. This parameter requires `experimental` to be
-     set to `true`.
+     isolation and port mapping. It is enabled by-default, but can be disabled.
 
 2. Save the configuration file.
 3. Restart the Docker daemon for your changes to take effect.
@@ -132,8 +101,9 @@ Hostname: ea1cfde18196
 IP: 127.0.0.1
 IP: ::1
 IP: 172.17.0.2
-IP: fe80::42:acff:fe11:2
-RemoteAddr: [fe80::42:acff:fe11:2]:54890
+IP: 2001:db8:1::242:ac12:2
+IP: fe80::42:acff:fe12:2
+RemoteAddr: [2001:db8:1::1]:35558
 GET / HTTP/1.1
 Host: [::1]
 User-Agent: curl/8.1.2
@@ -145,11 +115,16 @@ Accept: */*
 If you don't explicitly configure subnets for user-defined networks,
 using `docker network create --subnet=<your-subnet>`,
 those networks use the default address pools of the daemon as a fallback.
-The default address pools are all IPv4 pools.
 This also applies to networks created from a Docker Compose file,
 with `enable_ipv6` set to `true`.
 
-To enable dynamic subnet allocation for user-defined IPv6 networks,
+If no IPv6 pools are included in Docker Engine's `default-address-pools`,
+and no `--subnet` option is given, [Unique Local Addresses (ULAs)][wikipedia-ipv6-ula]
+will be used when IPv6 is enabled. These `/64` subnets include a 40-bit
+Global ID based on the Docker Engine's randomly generated ID, to give a
+high probability of uniqueness.
+
+To use different pools of IPv6 subnets for dynamic address allocation,
 you must manually configure address pools of the daemon to include:
 
 - The default IPv4 address pools
@@ -173,20 +148,7 @@ The default address pool configuration is:
 
 The following example shows a valid configuration with the default values and
 an IPv6 pool. The IPv6 pool in the example provides up to 256 IPv6 subnets of
-size `/112`, from an IPv6 pool of prefix length `/104`. Each `/112`-sized
-subnet supports 65 536 IPv6 addresses.
-
-> **Note**
->
-> Be aware that the following known limitations exist for IPv6 pools:
->
-> - The `base` value for IPv6 needs a minimum prefix length of `/64`.
->   This is due to an integer overflow in the Docker daemon.
->   See [moby/moby#42801](https://github.com/moby/moby/issues/42801).
-> - The difference between the pool length and the pool size can't be larger
->   than 24. Defining an excessive number of subnets causes the daemon to
->   consume all available memory.
->   See [moby/moby#40275](https://github.com/moby/moby/issues/40275).
+size `/64`, from an IPv6 pool of prefix length `/56`.
 
 ```json
 {
@@ -198,22 +160,35 @@ subnet supports 65 536 IPv6 addresses.
     { "base": "172.24.0.0/14", "size": 16 },
     { "base": "172.28.0.0/14", "size": 16 },
     { "base": "192.168.0.0/16", "size": 20 },
-    { "base": "2001:db8::/104", "size": 112 }
+    { "base": "2001:db8::/56", "size": 64 }
   ]
 }
 ```
 
 > **Note**
 >
-> The address `2001:db8` in this example is
+> The address `2001:db8::` in this example is
 > [reserved for use in documentation][wikipedia-ipv6-reserved].
 > Replace it with a valid IPv6 network.
+>
 > The default IPv4 pools are from the private address range,
-> the IPv6 equivalent would be [ULA networks][wikipedia-ipv6-ula].
+> similar to the default IPv6 [ULA][wikipedia-ipv6-ula] networks.
 
 [wikipedia-ipv6-reserved]: https://en.wikipedia.org/wiki/Reserved_IP_addresses#IPv6
 [wikipedia-ipv6-ula]: https://en.wikipedia.org/wiki/Unique_local_address
 
+## Docker in Docker
+
+On a host using `xtables` (legacy `iptables`) instead of `nftables`, kernel
+module `ip6_tables` must be loaded before an IPv6 Docker network can be created,
+It is normally loaded automatically when Docker starts.
+
+However, if you running Docker in Docker that is not based on a recent
+version of the [official `docker` image](https://hub.docker.com/_/docker), you
+may need to run `modprobe ip6_tables` on your host. Alternatively, use daemon
+option `--ip6tables=false` to disable `ip6tables` for the containerized Docker
+Engine.
+
 ## Next steps
 
 - [Networking overview](../../network/index.md)
diff --git a/content/network/_index.md b/content/network/_index.md
@@ -91,9 +91,9 @@ $ docker run --rm -it --network container:redis example/redis-cli -h 127.0.0.1
 ## Published ports
 
 By default, when you create or run a container using `docker create` or `docker run`,
-the container doesn't expose any of its ports to the outside world.
+containers on bridge networks don't expose any ports to the outside world.
 Use the `--publish` or `-p` flag to make a port available to services
-outside of Docker.
+outside the bridge network.
 This creates a firewall rule in the host,
 mapping a container port to a port on the Docker host to the outside world.
 Here are some examples:
@@ -111,11 +111,12 @@ Here are some examples:
 > a container's ports it becomes available not only to the Docker host, but to
 > the outside world as well.
 >
-> If you include the localhost IP address (`127.0.0.1`) with the publish flag,
-> only the Docker host can access the published container port.
+> If you include the localhost IP address (`127.0.0.1`, or `::1`) with the
+> publish flag, only the Docker host and its containers can access the
+> published container port.
 >
 > ```console
-> $ docker run -p 127.0.0.1:8080:80 nginx
+> $ docker run -p 127.0.0.1:8080:80 -p '[::1]:8080:80' nginx
 > ```
 >
 > > **Warning**
@@ -132,6 +133,14 @@ it isn't necessary to publish the container's ports.
 You can enable inter-container communication by connecting the containers to the
 same network, usually a [bridge network](./drivers/bridge.md).
 
+Ports on the host's IPv6 addresses will map to the container's IPv4 address
+if no host IP is given in a port mapping, the bridge network is IPv4-only,
+and `--userland-proxy=true` (default).
+
+For more information about port mapping, including how to disable it and use
+direct routing to containers, see
+[packet filtering and firewalls](./packet-filtering-firewalls.md).
+
 ## IP address and hostname
 
 By default, the container gets an IP address for every Docker network it attaches to.

diff --git a/content/network/drivers/bridge.md b/content/network/drivers/bridge.md
@@ -104,15 +104,16 @@ flag.
 The following table describes the driver-specific options that you can pass to
 `--option` when creating a custom network using the `bridge` driver.
 
-| Option                                           | Default        | Description                                                                                   |
-| ------------------------------------------------ | -------------- | --------------------------------------------------------------------------------------------- |
-| `com.docker.network.bridge.name`                 |                | Interface name to use when creating the Linux bridge.                                         |
-| `com.docker.network.bridge.enable_ip_masquerade` | `true`         | Enable IP masquerading.                                                                       |
-| `com.docker.network.bridge.enable_icc`           | `true`         | Enable or Disable inter-container connectivity.                                               |
-| `com.docker.network.bridge.host_binding_ipv4`    |                | Default IP when binding container ports.                                                      |
-| `com.docker.network.driver.mtu`                  | `0` (no limit) | Set the containers network Maximum Transmission Unit (MTU).                                   |
-| `com.docker.network.container_iface_prefix`      | `eth`          | Set a custom prefix for container interfaces.                                                 |
-| `com.docker.network.bridge.inhibit_ipv4`         | `false`        | Prevent Docker from [assigning an IP address](#skip-ip-address-configuration) to the network. |
+| Option                                                                                          | Default                     | Description                                                                                    |
+|-------------------------------------------------------------------------------------------------|-----------------------------|------------------------------------------------------------------------------------------------|
+| `com.docker.network.bridge.name`                                                                |                             | Interface name to use when creating the Linux bridge.                                          |
+| `com.docker.network.bridge.enable_ip_masquerade`                                                | `true`                      | Enable IP masquerading.                                                                        |
+| `com.docker.network.bridge.gateway_mode_ipv4`<br/>`com.docker.network.bridge.gateway_mode_ipv6` | `nat`                       | Enable NAT and masquerading (`nat`), or only allow direct routing to the container (`routed`). |
+| `com.docker.network.bridge.enable_icc`                                                          | `true`                      | Enable or Disable inter-container connectivity.                                                |
+| `com.docker.network.bridge.host_binding_ipv4`                                                   | all IPv4 and IPv6 addresses | Default IP when binding container ports.                                                       |
+| `com.docker.network.driver.mtu`                                                                 | `0` (no limit)              | Set the containers network Maximum Transmission Unit (MTU).                                    |
+| `com.docker.network.container_iface_prefix`                                                     | `eth`                       | Set a custom prefix for container interfaces.                                                  |
+| `com.docker.network.bridge.inhibit_ipv4`                                                        | `false`                     | Prevent Docker from [assigning an IP address](#skip-ip-address-configuration) to the network.  |
 
 Some of these options are also available as flags to the `dockerd` CLI, and you
 can use them to configure the default `docker0` bridge when starting the Docker
@@ -133,6 +134,27 @@ your own `docker0` bridge. Use this option if you want to run multiple daemon
 instances on the same host. For details, see
 [Run multiple daemons](../../reference/cli/dockerd.md#run-multiple-daemons).
 
+### Default host binding address
+
+When no host address is given in port publishing options like `-p 80`
+or `-p 8080:80`, the default is to make the container's port 80 available on all
+host addresses, IPv4 and IPv6.
+
+The bridge network driver option `com.docker.network.bridge.host_binding_ipv4`
+can be used to modify the default address for published ports.
+
+Despite the option's name, it is possible to specify an IPv6 address.
+
+When the default binding address is an address assigned to a specific interface,
+the container's port will only be accessible via that address.
+
+Setting the default binding address to `::` means published ports will only be
+available on the host's IPv6 addresses. However, setting it to `0.0.0.0` means it
+will be available on the host's IPv4 and IPv6 addresses.
+
+To restrict a published port to IPv4 only, the address must be included in the
+container's publishing options. For example, `-p 0.0.0.0:8080:80`.
+
 ## Manage a user-defined bridge
 
 Use the `docker network create` command to create a user-defined bridge
@@ -198,15 +220,13 @@ the `my-nginx` container from the `my-net` network.
 $ docker network disconnect my-net my-nginx
 ```
 
-## Use IPv6
+## Use IPv6 in a user-defined bridge network
 
-If you need IPv6 support for Docker containers, you need to
-[enable the option](../../config/daemon/ipv6.md) on the Docker daemon and reload its
-configuration, before creating any IPv6 networks or assigning containers IPv6
-addresses.
+When you create your network, you can specify the `--ipv6` flag to enable IPv6.
 
-When you create your network, you can specify the `--ipv6` flag to enable
-IPv6. You can't selectively disable IPv6 support on the default `bridge` network.
+```console
+$ docker network create --ipv6 --subnet 2001:db8:1234::/64 my-net
+```
 
 ## Use the default bridge network
 
@@ -232,10 +252,8 @@ the settings you need to customize.
 {
   "bip": "192.168.1.1/24",
   "fixed-cidr": "192.168.1.0/25",
-  "fixed-cidr-v6": "2001:db8::/64",
   "mtu": 1500,
   "default-gateway": "192.168.1.254",
-  "default-gateway-v6": "2001:db8:abcd::89",
   "dns": ["10.20.1.2","10.20.1.3"]
 }
 ```
@@ -244,9 +262,28 @@ Restart Docker for the changes to take effect.
 
 ### Use IPv6 with the default bridge network
 
-If you configure Docker for IPv6 support (see [Use IPv6](#use-ipv6)), the
-default bridge network is also configured for IPv6 automatically. Unlike
-user-defined bridges, you can't selectively disable IPv6 on the default bridge.
+IPv6 can be enabled for the default bridge using the following options in
+`daemon.json`, or their command line equivalents.
+
+These three options only affect the default bridge, they are not used by
+user-defined networks. The addresses in below are examples from the
+IPv6 documentation range.
+
+- Option `ipv6` is required
+- Option `fixed-cidr-v6` is required, it specifies the network prefix to be used.
+  - The prefix should normally be `/64` or shorter.
+  - For experimentation on a local network, it is better to use a Unique Local
+    prefix (matching `fd00::/8`) than a Link Local prefix (matching `fe80::/10`).
+- Option `default-gateway-v6` is optional. If unspecified, the default is the first
+  address in the `fixed-cidr-v6` subnet.
+
+```json
+{
+  "ipv6": true,
+  "fixed-cidr-v6": "2001:db8::/64",
+  "default-gateway-v6": "2001:db8:abcd::89"
+}
+```
 
 ## Connection limit for bridge networks
-Original file line number
+Diff line change
@@ Expand Up / @@ -77,6 +77,7 @@ Mac @@
     Mail(chimp|gun)
     Microsoft
     MySQL
+    NAT
     Nginx
     Nuxeo
     OAuth
@@ Expand Down @@