From e8365e126ded10509feb8649df40781ae1a51cb7 Mon Sep 17 00:00:00 2001
From: Niels van Oosterom
Date: Fri, 30 Aug 2019 13:03:06 +0200
Subject: [PATCH] Fixed issue where hostIP address family was not checked against the containerIP address family. closes #378
Signed-off-by: Niels van Oosterom
---
 plugins/meta/portmap/portmap.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/plugins/meta/portmap/portmap.go b/plugins/meta/portmap/portmap.go
index 06b6d1d2..bd0be1fb 100644
--- a/plugins/meta/portmap/portmap.go
+++ b/plugins/meta/portmap/portmap.go
@@ -224,6 +224,16 @@ func fillDnatRules(c *chain, config *PortMapConf, containerIP net.IP) {
 // the ordering is important here; the mark rules must be first.
 c.rules = make([][]string, 0, 3*len(entries))
 for _, entry := range entries {
+ // If a HostIP is given, only process the entry if host and container address families match
+ if entry.HostIP != "" {
+ hostIP := net.ParseIP(entry.HostIP)
+ isHostV6 := (hostIP.To4() == nil)
+
+ if isV6 != isHostV6 {
+ continue
+ }
+ }
+
+
 ruleBase := []string{
 "-p", entry.Protocol,
 "--dport", strconv.Itoa(entry.HostPort)}
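Review bot: `net.ParseIP` returns nil for a malformed `HostIP`, and `To4()` on a nil `net.IP` also returns nil, so the added check classifies an unparseable address as IPv6: the entry is silently dropped for an IPv4 container and passes the family check for an IPv6 one. Handle the nil case explicitly, e.g. `if hostIP == nil || isV6 != (hostIP.To4() == nil) { continue }`. Because `fillDnatRules` has no error return, a bad `hostIP` is better rejected where the port-mapping config is parsed, so the operator sees a failure rather than a missing mapping. Whether such validation already exists is not visible in this hunk; `isV6` and the rest of the loop body are defined outside it.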