Containerlab fails to manage nft ipv6 forwarding policy #2389

Open
jbemmel opened this issue Jan 12, 2025 · 1 comment
Comments

@jbemmel (Contributor) commented Jan 12, 2025

At Netlab we were seeing an inexplicable failure of IPv6 use cases: ipspace/netlab#1669

In short: it works with Libvirt but fails with Containerlab; IPv6 router advertisements are not being received by the host containers when connected via a Linux bridge.

The difference between the two scenarios is that in the Containerlab case the router gets attached to the Linux bridge using a veth pair. IPv6 packets are being dropped on this pair.

Turns out on my Ubuntu machine, the default ip6 FORWARD policy is "drop":

jeroen@j:~/Projects/netlab/tests$ sudo nft list table ip6 filter
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {

  ...

	chain FORWARD {
		type filter hook forward priority filter; policy drop;  <!-- !!
	}

Libvirt adds rules to bypass this default, but Containerlab does not. IMHO it should.

See

rule, err := c.newClabNftablesRule(definitions.DockerFWUserChain, definitions.DockerFWTable, nftables.TableFamilyIPv4, 0)

It only handles IPv4 for the management bridge.

Context:

lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 24.04.1 LTS
Release:	24.04
Codename:	noble
uname -r
6.8.0-51-generic
@jbemmel (Contributor, Author) commented Jan 13, 2025

This issue depends on security settings; I do not know how widespread it is. I would suggest starting by modifying the smoke tests to detect this condition.

It turns out that in my case I installed Docker through snap; it loads the br_filter module, which blocks IPv6 packet forwarding by default unless disabled.

A documentation update cautioning users to check their Docker installation could also be a solution.
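The smoke-test check suggested above, and the br_netfilter angle from the second comment, as an added example that is neither containerlab's nor netlab's code. The background fact it relies on: once the br_netfilter module is loaded with net.bridge.bridge-nf-call-ip6tables=1, every frame that crosses a Linux bridge is also handed to the ip6 filter FORWARD chain, so a "policy drop" there eats bridged router advertisements even though nothing is being routed. The script parses `nft list ruleset` text, reports the br_netfilter sysctl state, and prints the accept rules that would give the lab bridge the same treatment in ip6 that the quoted code gives it in ip. The chain names (FORWARD, DOCKER-USER) and the bridge name br-clab are assumptions for illustration, not containerlab's actual layout; the sample ruleset is constructed, modelled on the nft output quoted in the issue.

```sh
#!/bin/sh
# Added example (not containerlab/netlab code): detect a dropping ip6 FORWARD
# chain and show what would let a lab bridge through. POSIX sh + awk only.

# forward_policy FAMILY
#   Reads `nft list ruleset` (or `nft list table FAMILY filter`) text on stdin
#   and prints the policy of the FORWARD base chain in table "FAMILY filter".
#   Prints nothing when no such base chain exists. Tracks chain/table nesting
#   only; multi-line set/map bodies inside a chain are not expected here.
forward_policy() {
    awk -v fam="$1" '
        # "table ip6 filter {" opens a table; remember its family and name
        $1 == "table" { tfam = $2; tname = $3; next }
        # "chain FORWARD {" opens a chain inside the current table
        $1 == "chain" { cname = $2; next }
        # base-chain header: "type filter hook forward priority filter; policy drop;"
        $1 == "type" && tfam == fam && tname == "filter" && cname == "FORWARD" {
            for (i = 1; i < NF; i++)
                if ($i == "policy") { p = $(i + 1); sub(/;$/, "", p); print p; exit }
        }
        # a closing brace ends the innermost open block (chain before table)
        $1 == "}" { if (cname != "") cname = ""; else tfam = tname = "" }
    '
}

# forward_blocked FAMILY : succeeds when "FAMILY filter" FORWARD drops by default
forward_blocked() {
    [ "$(forward_policy "$1")" = "drop" ]
}

# bridge_nf_ip6 [FILE]
#   "on"  : br_netfilter is steering bridged IPv6 frames through ip6 filter
#   "off" : module loaded but the ip6 hook is disabled
#   "absent": module not loaded, bridged frames never meet ip6 filter at all
#   FILE lets the function be exercised against a constructed copy of the sysctl.
bridge_nf_ip6() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-ip6tables}"
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# bridge_accept_rules BRIDGE [CHAIN]
#   Prints, for both families, nft commands accepting traffic entering or
#   leaving BRIDGE. CHAIN defaults to FORWARD; pass DOCKER-USER when your
#   ruleset has that chain (assumption: a Docker-managed ruleset).
bridge_accept_rules() {
    br="$1"; chain="${2:-FORWARD}"
    for fam in ip ip6; do
        printf 'nft insert rule %s filter %s iifname "%s" accept\n' "$fam" "$chain" "$br"
        printf 'nft insert rule %s filter %s oifname "%s" accept\n' "$fam" "$chain" "$br"
    done
}

# Constructed sample, modelled on the output quoted in the issue.
SAMPLE_RULESET='# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;
	}
}
table ip filter {
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter jump DOCKER-USER
	}

	chain DOCKER-USER {
		iifname "br-clab" accept
		oifname "br-clab" accept
		counter return
	}
}'

# Live check against the real host (needs root and nft); opt in explicitly:
#   CLAB_CHECK_LIVE=1 BRIDGE=br-clab sh thisscript.sh
if [ "${CLAB_CHECK_LIVE:-0}" = 1 ]; then
    if nft list ruleset | forward_blocked ip6; then
        echo "ip6 filter FORWARD policy is drop; bridge-nf-call-ip6tables: $(bridge_nf_ip6)"
        echo "rules that would let the bridge through (review before applying):"
        bridge_accept_rules "${BRIDGE:-br-clab}"
    else
        echo "ip6 filter FORWARD does not drop by default"
    fi
fi
```

Two remedies follow from the diagnosis: insert the printed accept rules (what the issue asks containerlab to do for ip6 as it already does for ip), or set net.bridge.bridge-nf-call-ip6tables=0 so bridged frames bypass ip6 filter entirely. The second is simpler but also removes any firewalling of bridged traffic, so on a shared host the per-bridge accept rule is the narrower change.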
