Back to Signal Feed
CodeTracked since May 19, 2026

mirrord now intercepts localhost IPv6 loopback traffic in IPv4-only pods

The PR fixes a bug in mirrord where IPv4-only Kubernetes pods with only `::1` as an IPv6 address skipped IPv6 availability detection, so localhost connections using IPv6 loopback were not captured by mirrord steal/mirror and bypassed local redirection.

mirrordip6tablesIP_VERSION_AVAILABILITYIPv6 loopback (::1)

What Happened

  • The PR fixes a bug in mirrord where IPv4-only Kubernetes pods with only `::1` as an IPv6 address skipped IPv6 availability detection, so localhost connections using IPv6 loopback were not captured by mirrord steal/mirror and bypassed local redirection.
  • The PR fixes a bug in mirrord where IPv4-only Kubernetes pods with only `::1` as an IPv6 address skipped IPv6 availability detection, so localhost connections using IPv6 loopback were not captured by mirrord steal/mirror and bypassed local redirection.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

Adjusted IPv6 availability logic to stop excluding loopback addresses, so mirrord now treats `::1` as sufficient IPv6 presence and installs IPv6 OUTPUT NAT rules even when the pod lacks global IPv6 interfaces, ensuring localhost IPv6 traffic is captured instead of leaking to the in-cluster app.

Why Track This

Why It Matters

Developers and operators using mirrord with Go-sidecars or localhost-based tooling in IPv4-only clusters will stop losing request capture, because `localhost`-resolved IPv6 traffic (`[::1]:port`) will be mirrored to the local machine instead of bypassing diagnostics and observability flows. This is done by enabling IPv6 redirection setup when loopback is present, so the previous silent miss path is removed; teams should verify no regressions in mixed IPv4/IPv6 clusters and watch for unintended effects with existing IPv6 firewall rule sets.

Impact

Developers and operators using mirrord with Go-sidecars or localhost-based tooling in IPv4-only clusters will stop losing request capture, because `localhost`-resolved IPv6 traffic (`[::1]:port`) will be mirrored to the local machine instead of bypassing diagnostics and observability flows. This is done by enabling IPv6 redirection setup when loopback is present, so the previous silent miss path is removed; teams should verify no regressions in mixed IPv4/IPv6 clusters and watch for unintended effects with existing IPv6 firewall rule sets.

What To Watch Next

  • Watch whether mirrord becomes a repeated pattern.
  • Track follow-up changes around AI Debugging and Error Localization.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: mixed_ipv4_ipv6_cluster_regression, ip6tables_conflict_with_existing_nat_rules.
Open Topic TimelineOpen Technical EventOpen Original Sourcemixed_ipv4_ipv6_cluster_regression / ip6tables_conflict_with_existing_nat_rules / ipv6_loopback_detection_behavior

Supporting Evidence

GITHUB PULL REQUESTHigh Trust

metalbear-co/mirrord PR #4277: fix: include IPv6 loopback in IP version availability check

It removes the IPv6 loopback exclusion in IP version availability detection, which enables creating `ip6tables` OUTPUT chain NAT rules and properly redirects `[::1]:port` traffic to the mirrord agent in IPv4-only clusters.