robbertkl / docker-ipv6nat

Extend Docker with IPv6 NAT, similar to IPv4


DOCKER-USER chain is missing and pushed to end if created

chris42 opened this issue · comments

Hi there,
just started using this, thanks for the great work.
I noticed that the DOCKER-USER chain for custom ip6tables rules is missing. It would be the first in the FORWARD chain.
Normally I create the rules before starting docker or this container. However, with this container the ipv6nat chains get inserted before the existing DOCKER-USER chain.
Would be nice if the DOCKER-USER could stay first and untouched in the FORWARD chain, like Docker handles it in ipv4.

Hi, thanks for reporting. I was recently made aware that Docker made some changes with their chains, see the other issues. Perhaps this is related to the other ones.

Currently, I don't have time yet to dive into this, so PRs are very welcome.

Thanks for the quick response, sadly I am really just a user. Will see if I can try to tinker, but it will take a few weeks.

Also put some comments on the main issue within libnetwork, to get native support for IPv6 NAT. My experience is that you need it to use IPv6 properly on AWS EC2 instances. Hope that helps to motivate Docker.

Yeah, just got a notification of your comment there as well, thanks! It would really be best to have this integrated in Docker itself, instead of having to play catch-up all the time.

@robbertkl I will check this tomorrow.

Okay, it is hard to implement it with coreos/go-iptables. Docker's libnetwork implementation has functions like EnsureJumpRule which will break it down to such a code block which has to be called once on startup because the DOCKER-USER chain must not be deleted:

func (fw *firewall) EnsureUserFilterRule() error {
	var err error

	// Create DOCKER-USER only if it is missing; never flush or delete it,
	// since it holds the operator's own rules.
	if err = fw.ipt.NewChain(ChainDockerUser, fw.ipt.Filter, false); err != nil {
		return err
	}

	// Make sure the chain ends with a RETURN so traffic falls through to the other Docker chains.
	if err = fw.ipt.AddReturnRule(ChainDockerUser); err != nil {
		return err
	}

	// Ensure FORWARD jumps to DOCKER-USER as its first rule.
	err = fw.ipt.EnsureJumpRule(ChainForward, ChainDockerUser)
	return err
}

@robbertkl Any ideas how we can achieve this with coreos/go-iptables?
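The idempotent behaviour EnsureJumpRule provides, written out as an added example (constructed here, not code from docker-ipv6nat or libnetwork): it reads `ip6tables -S` text and plans the calls that create DOCKER-USER if absent, give it a RETURN, and move the FORWARD jump back to position 1 when another chain's insert pushed it down, without ever deleting the chain. The chain name DOCKER-ISOLATION in the sample dump is only a stand-in for whichever chain got inserted first.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed example, not docker-ipv6nat or libnetwork code: from `ip6tables -S` text, plan the
// calls that make DOCKER-USER exist, end in RETURN and sit first in FORWARD (never -F/-X on it).
func planUserChain(dump []string) [][]string {
	var plan [][]string
	chainExists, hasReturn, jumpPos, pos := false, false, -1, 0
	for _, line := range dump {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		rest := strings.Join(f[2:], " ")
		switch {
		case f[0] == "-N" && f[1] == "DOCKER-USER":
			chainExists = true
		case f[0] == "-A" && f[1] == "DOCKER-USER" && rest == "-j RETURN":
			hasReturn = true
		case f[0] == "-A" && f[1] == "FORWARD":
			pos++ // 1-based position of this rule within FORWARD
			if rest == "-j DOCKER-USER" {
				jumpPos = pos
			}
		}
	}
	if !chainExists {
		plan = append(plan, []string{"-N", "DOCKER-USER"})
	}
	if !hasReturn {
		plan = append(plan, []string{"-A", "DOCKER-USER", "-j", "RETURN"})
	}
	if jumpPos != 1 { // jump missing, or pushed down by another chain's insert
		if jumpPos > 0 {
			plan = append(plan, []string{"-D", "FORWARD", "-j", "DOCKER-USER"})
		}
		plan = append(plan, []string{"-I", "FORWARD", "1", "-j", "DOCKER-USER"})
	}
	return plan
}

func main() { // constructed dump: another chain got inserted ahead of DOCKER-USER
	dump := []string{"-N DOCKER-USER", "-A FORWARD -j DOCKER-ISOLATION", "-A FORWARD -j DOCKER-USER", "-A DOCKER-USER -j RETURN"}
	fmt.Println(planUserChain(dump))
}
```

Running the planner against a live `ip6tables -S` dump and feeding its output to ip6tables is what the actual startup code would do; the planner itself needs no root.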


I also noticed the DOCKER-USER chain was missing in IPv6 and ended up here.

@bephinix Thank you for working on a PR to fix this issue.

However, I noticed that there is a DOCKER-ISOLATION chain in IPv6 as well, but this chain no longer exists in IPv4, and in IPv4 the following additional chains are created:
DOCKER-ISOLATION-STAGE-1
DOCKER-ISOLATION-STAGE-2
Shouldn't these 2 chains be added too and that old one be removed?

I believe this is also addressed by @bephinix in #22 / #38

These PRs will be reviewed / merged soon.


Oh! Awesome, thank you.

@Robby- You are welcome! As of now, it seems that all issues have a corresponding PR. IP6Tables should look the same as IPTables does. 👍

Any progress on the review? If you create a test version, I can also run some tests.

@chris42 You may want to check out my test branch which contains all open merge requests: sys/prerelease
There is also a precompiled binary for the current commit: docker-ipv6nat.amd64.v0.3.8-17-gee199a7

@bephinix So I would copy your binary into my docker and replace the old binary?

@chris42 You have to install docker-ipv6nat as described in its README. Simply replace the "docker-ipv6nat" binary with the precompiled binary, although I recommend compiling it yourself if you want to debug it.

Terribly sorry guys, had to deal with some unfortunate family stuff so I was unable to go through the PRs.

Just merged all of them, resolved conflicts and will bake a new release soon. Wasn't able to extensively test everything yet, but the changes looked good so I'll test on the go and we can always revert again.