IPv6 networking

The Docker Engine networking stack assigns IPv6 addresses to containers and supports IPv6-capable user-defined networks, including dual-stack bridge networks, IPv6-only subnets where you configure them, and—where supported—overlay networks that carry traffic over IPv6 transport. IPv6 behavior is aligned with upstream Engine.

The following points are especially relevant when you plan or operate IPv6 workloads:

  • IPv6 packet filtering uses ip6tables on the bridge network. This filtering is enabled by default, so IPv4 and IPv6 containers experience consistent firewall behavior on that path. Note that this function is no longer considered experimental.

  • Unique Local Addresses (ULA) are present in default-address-pools. If default-address-pools is not manually configured, or there are no other IPv6 prefixes in that configuration, a ULA base prefix is automatically added. ULAs are comparable in role to private IPv4 space, except the prefix is typically unique to your environment and less prone to accidental overlap. Note, though, that you can continue to manually define IPv6 prefixes when you want full control.

  • IPv6 does not depend on NAT, as IPv4 often does; a container can use a globally routable IPv6 address when the network is set up for it. For the bridge driver, you can enable direct routing to the container IPv6 address, without NAT or masquerading, by setting the bridge option com.docker.network.bridge.gateway_mode_ipv6=routed. In that mode, published ports are reflected in the container firewall rules as appropriate; design your host and network firewalls accordingly.

Default ip6tables on the bridge avoids surprises where IPv4 paths were filtered but IPv6 was not, or vice versa. Automatic ULA assignment lets you use IPv6-capable networks without hand-crafting every prefix when the defaults match your needs. Direct IPv6 routing simplifies addressing and can reduce NAT-related complexity, but NAT no longer acts as an implicit isolation mechanism for those paths. Instead, you must rely on explicit routing, host firewall, and network policy, and plan security and segmentation deliberately.

In general, to enable IPv6 networking:

  • Configure the daemon for IPv6 where required, including default-address-pools and bridge defaults if you are not using automatic ULA behavior.

  • Use docker network create with IPv6-related options and explicit subnets when you need fixed, documented prefixes in the production environment.

  • For routed IPv6 on a bridge network, set --opt com.docker.network.bridge.gateway_mode_ipv6=routed and supply a suitable subnet and gateway for your environment. Ensure IPv6 forwarding and upstream routing match your design.

  • For Swarm, treat overlay and ingress behavior as described in upstream Swarm networking documentation when you rely on IPv6 or dual-stack.

Note

Exact flags, daemon.json file fields, and driver-specific options are maintained in upstream documentation, and you should use those references for complete syntax and defaults.

See also

For more detail on networks, inspection output, and the Engine API, refer to the following official Docker documentation topics: