port/builtin: fix UDP forwarding for non-loopback clients (#592)
UDP port forwarding via the builtin driver was broken for non-loopback
clients whenever --source-ip-transparent was enabled (the default). The
server received the requests but responses never reached the client.
The UDP IP_TRANSPARENT support added in v3.0 cannot work reliably: the
in-netns server replies to the real (non-local) client address, and
unlike TCP there is no per-flow accepted socket to carry the fwmark (no
udp_fwmark_accept). The reply's route and source address are therefore
selected at send time via the main table, so the reply egresses the
default route (e.g. the slirp4netns TAP) and never reaches the
transparent socket.
Fall back to the non-transparent path for UDP, which forwards correctly
for all clients (it does not preserve the client source IP). TCP source
IP preservation is unchanged.
- child: only take the IP_TRANSPARENT path for TCP; transparentDial is
TCP-only again
- msg/udp/udpproxy: drop the now-unused UDP source-address plumbing
- testsuite: TestUDPTransparent now asserts the echo reply reaches a
non-loopback client (and that the source IP is not preserved for UDP)
- docs, --help: note that source IP propagation is TCP only
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
| `builtin` | 29.9 Gbps | Propagated (since v3.0) | In the case of Rootless Docker, userland-proxy has to be disabled for propagating the source IP.
10
+
| `builtin` | 29.9 Gbps | Propagated for TCP (since v3.0) | Source IP propagation (`--source-ip-transparent`) applies to TCP only; UDP is not propagated. In the case of Rootless Docker, userland-proxy has to be disabled for propagating the source IP.
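Review bot: the new cell says "UDP is not propagated" without saying what happens to UDP traffic when `--source-ip-transparent` is enabled, so a reader could take it to mean UDP forwarding is unsupported rather than that the client source IP is simply not preserved. Since the fix routes UDP through the non-transparent path, which forwards correctly for all clients, consider wording it as "UDP is still forwarded, but the client source IP is not preserved" so the table matches the behaviour described in the commit message.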