port/builtin: fix UDP forwarding for non-loopback clients (#592) by AkihiroSuda · Pull Request #596 · rootless-containers/rootlesskit

…ontainers#592)

UDP port forwarding via the builtin driver was broken for non-loopback clients whenever --source-ip-transparent was enabled (the default). The server received the requests but responses never reached the client.

The UDP IP_TRANSPARENT support added in v3.0 cannot work reliably: the in-netns server replies to the real (non-local) client address, and unlike TCP there is no per-flow accepted socket to carry the fwmark (no udp_fwmark_accept). The reply's route and source address are therefore selected at send time via the main table, so the reply egresses the default route (e.g. the slirp4netns TAP) and never reaches the transparent socket.

Fall back to the non-transparent path for UDP, which forwards correctly for all clients (it does not preserve the client source IP). TCP source IP preservation is unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
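The non-transparent UDP path the commit falls back to, shown as an added example that is not rootlesskit's own code: a small Go forwarder that gives each client its own socket towards the backend, so the backend's reply is addressed to the forwarder's ordinary local address rather than to a non-local client, and can be mapped back and routed normally. Everything here is constructed for the example and runs on loopback; the echo backend stands in for the in-netns server, and the names `pump`, `Forwarder`, `NewForwarder`, `StartEchoBackend` and `RoundTrip` are assumptions of this example, not identifiers from the project.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// pump reads datagrams from src and hands each to fn until src is closed.
func pump(src *net.UDPConn, fn func(b []byte, peer *net.UDPAddr)) {
	buf := make([]byte, 64<<10)
	for {
		n, peer, err := src.ReadFromUDP(buf)
		if err != nil {
			return
		}
		fn(buf[:n], peer)
	}
}

// Forwarder relays UDP to one backend without IP_TRANSPARENT: each client gets its
// own backend socket, so the backend's reply reaches the forwarder and is mapped back.
type Forwarder struct {
	Listen  *net.UDPConn
	backend *net.UDPAddr
	flows   map[string]*net.UDPConn // client "ip:port" -> socket to backend
}

// NewForwarder listens on an ephemeral loopback port (assumed for this example).
func NewForwarder(backend *net.UDPAddr) (*Forwarder, error) {
	l, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1)})
	if err != nil {
		return nil, err
	}
	f := &Forwarder{Listen: l, backend: backend, flows: map[string]*net.UDPConn{}}
	go pump(l, func(b []byte, client *net.UDPAddr) {
		if c, err := f.flowFor(client); err == nil {
			c.Write(b) // backend sees the forwarder, not the client, as source
		}
	})
	return f, nil
}

// flowFor returns the client's backend socket, creating it on first use together
// with a goroutine that writes replies back out of Listen (the client sees the
// forwarder as its peer). flows is touched only by the listener goroutine: no lock.
func (f *Forwarder) flowFor(client *net.UDPAddr) (*net.UDPConn, error) {
	if c, ok := f.flows[client.String()]; ok {
		return c, nil
	}
	c, err := net.DialUDP("udp", nil, f.backend)
	if err != nil {
		return nil, err
	}
	f.flows[client.String()] = c
	go pump(c, func(b []byte, _ *net.UDPAddr) { f.Listen.WriteToUDP(b, client) })
	return c, nil
}

// StartEchoBackend is a constructed stand-in for the in-netns server: it
// answers "echo:"+payload to whatever peer address the kernel recorded.
func StartEchoBackend() (*net.UDPConn, error) {
	l, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1)})
	if err != nil {
		return nil, err
	}
	go pump(l, func(b []byte, peer *net.UDPAddr) {
		l.WriteToUDP(append([]byte("echo:"), b...), peer)
	})
	return l, nil
}

// RoundTrip sends msg to addr from a fresh client socket and returns the reply.
func RoundTrip(addr net.Addr, msg string) (string, error) {
	c, err := net.Dial("udp", addr.String())
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(2 * time.Second))
	if _, err = c.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, 64<<10)
	n, err := c.Read(buf)
	return string(buf[:n]), err
}

func main() {
	echo, err := StartEchoBackend()
	if err != nil {
		panic(err)
	}
	f, err := NewForwarder(echo.LocalAddr().(*net.UDPAddr))
	if err != nil {
		panic(err)
	}
	fmt.Println(RoundTrip(f.Listen.LocalAddr(), "hello")) // echo:hello <nil>
}
```

The backend only ever sees 127.0.0.1 and an ephemeral port as its peer, which is exactly the client source IP this path gives up; in exchange its reply is addressed to a local socket and needs no fwmark or policy route to find its way back. The example never expires or closes per-client flows, so a forwarder used for real needs an idle timeout on each map entry.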