mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2025-07-24 20:54:43 +02:00
docs: Rewrite of IPv6 page (#3244)
Much better docs for IPv6 support. Third-party container no longer required, Docker has `ip6tables` feature now. --------- Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
This commit is contained in:
parent
a2247bf655
commit
9f5d662da7
2 changed files with 143 additions and 36 deletions
@ -50,28 +50,30 @@ For example a text editor you can use in the terminal: `apt-get install nano`
It's possible that the issue you're experiencing is due to a compatibility conflict.
This could be from outdated software updates, or running a system that isn't able to provide you newer software and kernels. You may want to verify if you can reproduce the issue on a system that is not affected by these concerns.
This could be from outdated software, or running a system that isn't able to provide you newer software and kernels. You may want to verify if you can reproduce the issue on a system that is not affected by these concerns.
### Network
- Misconfigured network connections can cause the client IP address to be proxied through a docker network gateway IP, or a [service that acts on behalf of connecting clients for logins][gh-discuss-roundcube-fail2ban] where the connections client IP appears to be only from that service (eg: Container IP) instead. This can relay the wrong information to other services (eg: monitoring like Fail2Ban, SPF verification) causing unexpected failures.
- **`userland-proxy`:** Prior to Docker `v23`, [changing the `userland-proxy` setting did not reliably remove NAT rules][network::docker-userlandproxy].
- **UFW / firewalld:** Some users expect only their firewall frontend to manage the firewall rules, but these will be bypassed when Docker publishes a container port as there is no integration between the two.
- **UFW / firewalld:** Some users expect only their firewall frontend to manage the firewall rules, but these will be bypassed when Docker publishes a container port (_as there is no integration between the two_).
- **`iptables` / `nftables`:**
- Docker [only manages the NAT rules via `iptables`][network::docker-nftables], relying on compatibility shims for supporting the successor `nftables`. Internally DMS expects `nftables` support on the host kernel for services like Fail2Ban to function correctly.
- [Kernels older than 5.2 may affect management of NAT rules via `nftables`][network::kernel-nftables]. Other software outside of DMS may also manipulate these rules, such as firewall frontends.
- **IPv6:**
- Requires [additional configuration][docs-ipv6] to prevent or properly support IPv6 connections (eg: Preservering the Client IP).
- Requires [additional configuration][docs-ipv6] to prevent or properly support IPv6 connections (eg: Preserving the Client IP).
- Support in 2023 is still considered experimental. You are advised to use at least Docker Engine `v23` (2023Q1).
- Various networking bug fixes have been addressed since the intitial IPv6 support arrived in Docker Engine `v20.10.0` (2020Q4).
### System
- **Kernel:** Some systems provide [kernels with modifications (_replacing defaults and backporting patches_)][network::kernels-modified] to support running legacy software or kernels, complicating compatibility. This can be commonly experienced with products like NAS.
- **CGroups v2:** Hosts running older kernels (prior to 5.2) and systemd (prior to v244) are not likely to leverage cgroup v2, or have not defaulted to the cgroup v2 `unified` hierarchy. Not meeting this baseline may influence the behaviour of your DMS container, even with the latest Docker Engine installed.
- **Rootless containers** have additional constraints that vary by container runtime (_Docker, Podman, etc - which already have subtle differences_).
- This can introduce differences such as for container networking which may further impact support for IPv6 and preserving the client IP (Remote address).
- **CGroups v2:** Hosts running older kernels (prior to 5.2) and systemd (prior to v244) are not likely to leverage cgroup v2, or have not defaulted to the cgroup v2 `unified` hierarchy. Not meeting this baseline may influence the behaviour of your DMS container, even with the latest Docker Engine installed.
- **Container runtime:** Docker and Podman for example have subtle differences. DMS docs are primarily focused on Docker, but we try to document known issues where relevant.
- **Rootless containers:** Introduces additional differences in behaviour or requirements:
- cgroup v2 is required for supporting rootless containers.
- Differences such as for container networking which may further affect support for IPv6 and preserving the client IP (Remote address). Example with Docker rootless are [binding a port to a specific interface][docker-rootless-interface] and the choice of [port forwarding driver][docs-rootless-portdriver].
[network::docker-userlandproxy]: https://github.com/moby/moby/issues/44721
[network::docker-nftables]: https://github.com/moby/moby/issues/26824
[network::kernels-modified]: https://github.com/docker-mailserver/docker-mailserver/pull/2662#issuecomment-1168435970
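Review bot: a few wording defects remain in the added lines of this hunk. In the first Network bullet, `where the connections client IP appears` should read `where the connection's client IP appears`; in the last IPv6 bullet, `intitial` should be `initial`; and in the last Rootless bullet, `Example with Docker rootless are` should be `Examples with Docker rootless are`. Separately, `Support in 2023 is still considered experimental` will go stale quickly; tying the statement to the Docker Engine version already named in the same bullet (`v23`) would keep it accurate without needing a yearly edit.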
@ -83,3 +85,7 @@ This could be from outdated software updates, or running a system that isn't abl
[docs-introduction]: ../introduction.md
[docs-usage]: ../usage.md
[gh-issues]: https://github.com/docker-mailserver/docker-mailserver/issues
[gh-discuss-roundcube-fail2ban]: https://github.com/orgs/docker-mailserver/discussions/3273#discussioncomment-5654603
[docker-rootless-interface]: https://github.com/moby/moby/issues/45742
[docs-rootless-portdriver]: ./security/fail2ban.md#running-inside-a-rootless-container
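Review bot: the new `[docs-rootless-portdriver]` reference targets a heading anchor, `./security/fail2ban.md#running-inside-a-rootless-container`; confirm that heading exists with exactly that slug, since a stale anchor renders silently as a link to the top of the page rather than failing the docs build. The `[docs-ipv6]` reference used by the rewritten IPv6 bullets in the previous hunk is defined outside the lines shown here, so it is worth checking it still resolves after the rewrite.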