Preserve real client source IP in builtin port driver via IP_TRANSPARENT by AkihiroSuda · Pull Request #565 · rootless-containers/rootlesskit
Use IP_TRANSPARENT socket option in the child process to bind outgoing connections to the real client IP:port, so backend services see the original source address instead of 127.0.0.1. This leverages CAP_NET_ADMIN in the user namespace and policy routing to complete TCP handshakes without iptables. Falls back gracefully to normal dial on older kernels or when routing setup fails.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
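The dial-with-fallback behaviour the commit message describes, sketched as an added example that is not RootlessKit's own code. The helper name `dialPreservingSource`, the IPv4-only scope, and the sample addresses are assumptions; the policy routing that returns reply packets to the socket is assumed to be configured separately.

```go
package main

import (
	"fmt"
	"net"
	"syscall"
	"time"
)

// dialPreservingSource is a hypothetical helper (not from the PR). It returns
// the connection and whether the source-preserving path was actually used.
func dialPreservingSource(client *net.TCPAddr, backend string, timeout time.Duration) (net.Conn, bool, error) {
	d := net.Dialer{
		Timeout:   timeout,
		LocalAddr: client, // bind to the client's IP:port, which is not a local address
		Control: func(network, address string, c syscall.RawConn) error {
			var serr error
			if err := c.Control(func(fd uintptr) {
				// Requires CAP_NET_ADMIN in the namespace that owns the socket.
				serr = syscall.SetsockoptInt(int(fd), syscall.SOL_IP, syscall.IP_TRANSPARENT, 1)
			}); err != nil {
				return err
			}
			return serr
		},
	}
	if conn, err := d.Dial("tcp4", backend); err == nil {
		return conn, true, nil
	}
	// setsockopt refused (missing capability or unsupported kernel), bind
	// failed, or the handshake timed out because replies are not routed
	// back to this socket: fall back to a normal dial.
	conn, err := net.DialTimeout("tcp4", backend, timeout)
	return conn, false, err
}

func main() {
	ln, err := net.Listen("tcp4", "127.0.0.1:0") // constructed local backend
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	client := &net.TCPAddr{IP: net.IPv4(203, 0, 113, 7), Port: 40000} // constructed client address
	conn, transparent, err := dialPreservingSource(client, ln.Addr().String(), 500*time.Millisecond)
	if err != nil {
		panic(err)
	}
	defer conn.Close()
	fmt.Printf("transparent=%v local=%v\n", transparent, conn.LocalAddr())
}
```

The returned flag matters for logging and access control on the backend: when it is false, the backend sees the forwarder's address rather than the client's.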
This was referenced on Apr 3, 2026 and Apr 7, 2026.