Merge pull request #379 from xcelsion/fix-host-container-address-family-mismatch

Fix dual-stack support in meta/portmap
2019-09-11 17:16:36 +02:00 · 2019-09-11 17:16:36 +02:00 · 4bb288193c
commit 4bb288193c
parent 7e68430081 e8365e126d
1 changed files with 10 additions and 0 deletions
--- a/plugins/meta/portmap/portmap.go
+++ b/plugins/meta/portmap/portmap.go
@ -224,6 +224,16 @@ func fillDnatRules(c *chain, config *PortMapConf, containerIP net.IP) {
 	// the ordering is important here; the mark rules must be first.
 	c.rules = make([][]string, 0, 3*len(entries))
 	for _, entry := range entries {
+		// If a HostIP is given, only process the entry if host and container address families match
+		if entry.HostIP != "" {
+			hostIP := net.ParseIP(entry.HostIP)
+			isHostV6 := (hostIP.To4() == nil)
+
+			if isV6 != isHostV6 {
+				continue
+			}
+		}
+
 		ruleBase := []string{
 			"-p", entry.Protocol,
 			"--dport", strconv.Itoa(entry.HostPort)}