Port forwarding: IP visible in container is not in RFC 1918 private range #7793

@felixscheinost

Description

When running a container with port forwarding, docker run --rm -p 8080:80 nginx, and accessing the exposed port from the Mac host, I expect the client IP visible to the container to be in the private IP ranges outlined in RFC 1918.

But since one of the last updates, this is randomly not the case.

fesc@mcfesc ~> docker run --rm -p 8080:80 nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2025/10/24 13:01:24 [notice] 1#1: using the "epoll" event method
2025/10/24 13:01:24 [notice] 1#1: nginx/1.29.2
2025/10/24 13:01:24 [notice] 1#1: built by gcc 14.2.0 (Debian 14.2.0-19)
2025/10/24 13:01:24 [notice] 1#1: OS: Linux 6.10.14-linuxkit
2025/10/24 13:01:24 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2025/10/24 13:01:24 [notice] 1#1: start worker processes
2025/10/24 13:01:24 [notice] 1#1: start worker process 29
2025/10/24 13:01:24 [notice] 1#1: start worker process 30
2025/10/24 13:01:24 [notice] 1#1: start worker process 31
2025/10/24 13:01:24 [notice] 1#1: start worker process 32
2025/10/24 13:01:24 [notice] 1#1: start worker process 33
2025/10/24 13:01:24 [notice] 1#1: start worker process 34
2025/10/24 13:01:24 [notice] 1#1: start worker process 35
2025/10/24 13:01:24 [notice] 1#1: start worker process 36
2025/10/24 13:01:24 [notice] 1#1: start worker process 37
2025/10/24 13:01:24 [notice] 1#1: start worker process 38
2025/10/24 13:01:24 [notice] 1#1: start worker process 39
2025/10/24 13:01:24 [notice] 1#1: start worker process 40
2025/10/24 13:01:24 [notice] 1#1: start worker process 41
2025/10/24 13:01:24 [notice] 1#1: start worker process 42
2025/10/24 13:01:24 [notice] 1#1: start worker process 43
2025/10/24 13:01:24 [notice] 1#1: start worker process 44
172.65.32.248 - - [24/Oct/2025:13:01:27 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/8.7.1" "-"

I accessed the container using curl http://localhost:8080.

The client IP visible to the container is 172.65.32.248, which is a public IP and currently belongs to Cloudflare.

Reproduce

  1. docker run --rm -p 8080:80 nginx
  2. curl http://localhost:8080

This seems to be a little bit random.

After restarting Docker and rerunning the container, I sometimes get a valid IP, but after stopping and restarting the container a few times I quickly get a public IP again.

My colleague could reproduce the issue, but got a different IP address, even something like 142.[...] one time.

I even did a factory reset; then I got a correct IP a few times, but after starting a bunch of other containers it went wrong again.

Expected behavior

The IP in the container should be in a private IP range.

docker version

Client:
 Version:           28.5.1
 API version:       1.51
 Go version:        go1.24.8
 Git commit:        e180ab8
 Built:             Wed Oct  8 12:16:17 2025
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.49.0 (208700)
 Engine:
  Version:          28.5.1
  API version:      1.51 (minimum version 1.24)
  Go version:       go1.24.8
  Git commit:       f8215cc
  Built:            Wed Oct  8 12:18:25 2025
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.27
  GitCommit:        05044ec0a9a75232cad458027ca83437aae3f4da
 runc:
  Version:          1.2.5
  GitCommit:        v1.2.5-0-g59923ef
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    28.5.1
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  ai: Docker AI Agent - Ask Gordon (Docker Inc.)
    Version:  v1.9.11
    Path:     /Users/fesc/.docker/cli-plugins/docker-ai
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.29.1-desktop.1
    Path:     /Users/fesc/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.40.2-desktop.1
    Path:     /Users/fesc/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.45
    Path:     /Users/fesc/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Docker Inc.)
    Version:  v0.2.0
    Path:     /Users/fesc/.docker/cli-plugins/docker-desktop
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.31
    Path:     /Users/fesc/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.4.0
    Path:     /Users/fesc/.docker/cli-plugins/docker-init
  mcp: Docker MCP Plugin (Docker Inc.)
    Version:  v0.24.0
    Path:     /Users/fesc/.docker/cli-plugins/docker-mcp
  model: Docker Model Runner (Docker Inc.)
    Version:  v0.1.45
    Path:     /Users/fesc/.docker/cli-plugins/docker-model
  offload: Docker Offload (Docker Inc.)
    Version:  v0.5.1
    Path:     /Users/fesc/.docker/cli-plugins/docker-offload
  sandbox: Docker Sandbox (Docker Inc.)
    Version:  v0.3.1
    Path:     /Users/fesc/.docker/cli-plugins/docker-sandbox
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/fesc/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.18.3
    Path:     /Users/fesc/.docker/cli-plugins/docker-scout

Server:
 Containers: 51
  Running: 27
  Paused: 0
  Stopped: 24
 Images: 85
 Server Version: 28.5.1
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Discovered Devices:
  cdi: docker.com/gpu=webgpu
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
 runc version: v1.2.5-0-g59923ef
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.10.14-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 16
 Total Memory: 31.78GiB
 Name: docker-desktop
 ID: 4cef285e-a5d6-4e4d-9e83-24a68012fe3e
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/fesc/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

Diagnostics ID

7D8FD2C7-C826-4B14-9501-743DABAE0BD7/20251024131226

Additional Info

macOS 15.7.1
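As an added example (not part of the original issue report and not Docker's or nginx's own code): a small Python check that parses nginx access-log lines like the one in the report, pulls out the client address and classifies it against the RFC 1918 blocks, so the output of the reproduce steps can be judged automatically rather than by eye. The 172.65.32.248 line is the one from the report; the other sample lines are constructed here (203.0.113.7 is from the TEST-NET-3 documentation range). One caveat worth spelling out: 172.16.0.0/12 covers only 172.16.0.0 through 172.31.255.255, so an address starting with 172.65 is public even though it "looks" like a Docker bridge address.

```python
import ipaddress
import re

# Leading fields of an nginx "combined" log line: client address, ident,
# user, timestamp, request, status.  Lines that do not match (the
# entrypoint output, [notice] lines) are simply ignored by the audit.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# RFC 1918 address blocks.  Note that 172.16.0.0/12 ends at 172.31.255.255;
# 172.65.x.x (seen in the issue) lies outside it and is therefore public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA_V6 = ipaddress.ip_network("fc00::/7")  # IPv6 unique local addresses


def classify(addr_str):
    """Classify an address as 'private' (RFC 1918), 'loopback', 'link-local',
    'ula' (IPv6 unique local) or 'public'.  IPv4-mapped IPv6 addresses such
    as ::ffff:10.0.0.5 are unwrapped first, since a dual-stack listener logs
    IPv4 clients in that form."""
    addr = ipaddress.ip_address(addr_str)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if isinstance(addr, ipaddress.IPv4Address):
        return "private" if any(addr in net for net in RFC1918) else "public"
    return "ula" if addr in ULA_V6 else "public"


def parse_client(line):
    """Return the client address field of an access-log line, or None if the
    line is not an nginx combined-format entry."""
    m = LOG_RE.match(line)
    return m.group("client") if m else None


def audit(lines, allowed=("private", "loopback", "ula")):
    """Return [(client, category)] for every access-log line whose client
    address is not in one of the allowed categories.  Non-log lines and
    malformed addresses are skipped rather than raising, so the check can
    run over the raw container output, which mixes log and notice lines."""
    findings = []
    for line in lines:
        client = parse_client(line)
        if client is None:
            continue
        try:
            category = classify(client)
        except ValueError:  # hypothetical garbage in the address field
            continue
        if category not in allowed:
            findings.append((client, category))
    return findings


# Constructed sample: a notice line, the real line from the issue, and three
# made-up requests (one RFC 1918, one IPv4-mapped RFC 1918, one public).
SAMPLE_LOG = [
    '2025/10/24 13:01:24 [notice] 1#1: start worker process 44',
    '172.65.32.248 - - [24/Oct/2025:13:01:27 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/8.7.1" "-"',
    '172.17.0.1 - - [24/Oct/2025:13:01:28 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/8.7.1" "-"',
    '::ffff:192.168.65.1 - - [24/Oct/2025:13:01:29 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/8.7.1" "-"',
    '203.0.113.7 - - [24/Oct/2025:13:01:30 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/8.7.1" "-"',
]

if __name__ == "__main__":
    # Typical use: docker logs <container> 2>&1 | python3 this_script.py
    import sys
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for client, category in audit(source):
        print(f"unexpected client address {client} ({category})")
```

Pipe the container's output into the script (or run it bare to see the constructed sample); every line it prints is a request whose source address was not private, which is exactly the condition the report describes.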
