added v6 rule for mgmt bridge with nftables

docs/manual/network.md

@@ -247,17 +247,22 @@ With this approach, users can prevent IP address overlap with nodes deployed on
 
 #### external access
 
-Containerlab will attempt to enable external access to the nodes by default. This means that external systems/hosts will be able to communicate with the nodes of your topology without requiring any manual iptables/nftables rules to be installed.
+Containerlab will attempt to enable external management access to the nodes by default. This means that external systems/hosts will be able to communicate with the nodes of your topology without requiring any manual iptables/nftables rules to be installed.
 
-To allow external communications containerlab installs a rule in the `DOCKER-USER` chain, allowing all packets targeting containerlab's management network. The rule looks like follows:
+To allow external communications containerlab installs a rule in the `DOCKER-USER` chain for v4 and v6, allowing all packets targeting containerlab's management network. The rule looks like follows:
 
 ```shell
-❯ sudo iptables -vnL DOCKER-USER
+sudo iptables -vnL DOCKER-USER
+```
+
+<div class="embed-result">
+```{.no-copy .no-select}
 Chain DOCKER-USER (1 references)
- pkts bytes target     prot opt in     out     source               destination         
+ pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     all  --  *      br-a8b9fc8b33a2  0.0.0.0/0            0.0.0.0/0            /* set by containerlab */
-12719   79M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0      
+12719   79M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 ```
+</div>
 
 1. The `br-a8b9fc8b33a2` bridge interface is the interface that backs up the containerlab's management network (`clab` docker network).
 

runtime/docker/firewall.go

@@ -20,7 +20,7 @@ func (d *DockerRuntime) deleteFwdRule() (err error) {
 }
 
 // installFwdRule installs the `allow` rule for traffic destined to the nodes
-// on the clab management network.
+// on the clab management network for v4 and v6.
 // This rule is required for external access to the nodes.
 func (d *DockerRuntime) installFwdRule() (err error) {
 	if !*d.mgmt.ExternalAccess {

runtime/docker/firewall/nftables/client.go

@@ -90,11 +90,23 @@ func (c *NftablesClient) DeleteForwardingRules() error {
 	return nil
 }
 
-// InstallForwardingRules installs the forwarding rules.
+// InstallForwardingRules installs the forwarding rules for v4 and v6 address families.
 func (c *NftablesClient) InstallForwardingRules() error {
 	defer c.close()
 
-	rules, err := c.getRules(definitions.DockerFWUserChain, definitions.DockerFWTable, nftables.TableFamilyIPv4)
+	err := c.InstallForwardingRulesForAF(nftables.TableFamilyIPv4)
+	if err != nil {
+		return err
+	}
+
+	return c.InstallForwardingRulesForAF(nftables.TableFamilyIPv6)
+
+}
+
+// InstallForwardingRulesForAF installs the forwarding rules for the specified address family.
+func (c *NftablesClient) InstallForwardingRulesForAF(af nftables.TableFamily) error {
+
+	rules, err := c.getRules(definitions.DockerFWUserChain, definitions.DockerFWTable, af)
 	if err != nil {
 		return fmt.Errorf("%w. See http://containerlab.dev/manual/network/#external-access", err)
 	}
@@ -107,7 +119,7 @@ func (c *NftablesClient) InstallForwardingRules() error {
 	log.Debugf("Installing iptables rules for bridge %q", c.bridgeName)
 
 	// create a new rule
-	rule, err := c.newClabNftablesRule(definitions.DockerFWUserChain, definitions.DockerFWTable, nftables.TableFamilyIPv4, 0)
+	rule, err := c.newClabNftablesRule(definitions.DockerFWUserChain, definitions.DockerFWTable, af, 0)
 	if err != nil {
 		return err
 	}