Skip to content

Fix incorrect validation of port mapping #48088

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 28, 2024
Merged

Fix incorrect validation of port mapping #48088

merged 1 commit into from
Jun 28, 2024
+76 −15

Conversation

robmry
Copy link
Contributor

@robmry robmry commented Jun 28, 2024
edited by thaJeztah
Loading

- What I did

In 27.0.1, #47871 added a check that no host address/port is included in a port mapping when NAT is disabled (because it'd be misleading, with no NAT the container port is opened but there's no mapping from the host).

A port mapping from a specific IPv6 host address can be used by a container on an IPv4-only network, docker-proxy makes the connection. That new validation erroneously reported an error for this situation.

- How I did it

Rather than treat a container with no IPv6 address as having no NAT6 (in !disableNAT6 && len(containerIPv6) > 0), ignore the presence of an address. Then, in the validation function special-case a container with no IPv6 address, allowing anything in an IPv6 port mapping.

- How to verify it

With an IPv4-only network, docker run --rm -ti --network nnn -p 127.0.0.1:8080:80 -p '[::1]:8080:80' nginx.

Updated unit tests, and new integration test.

- Description for the changelog

Fix a regression that incorrectly reported a port mapping from a host IPv6 address to an IPv4-only container as an error.

@robmry robmry added this to the 27.0.3 milestone Jun 28, 2024
@robmry robmry self-assigned this Jun 28, 2024
@thaJeztah thaJeztah modified the milestones: 27.0.3, 28.0.0 Jun 28, 2024
@robmry robmry force-pushed the 48067_fix_specific_ipv6_portmap_proxy_to_ipv4 branch from cd8d2d9 to 455d613 Compare June 28, 2024 15:36
@robmry
Fix incorrect validation of port mapping
dfbcddb 
Regression introduced in 01eecb6.

A port mapping from a specific IPv6 host address can be used
by a container on an IPv4-only network, docker-proxy makes the
connection.

Signed-off-by: Rob Murray <rob.murray@docker.com>
@robmry robmry force-pushed the 48067_fix_specific_ipv6_portmap_proxy_to_ipv4 branch from 455d613 to dfbcddb Compare June 28, 2024 16:32
@robmry robmry marked this pull request as ready for review June 28, 2024 17:17
@robmry robmry requested review from corhere and akerouanton June 28, 2024 17:17
thaJeztah
thaJeztah approved these changes Jun 28, 2024
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM; thanks for the clear code-comments!

@thaJeztah thaJeztah merged commit c94586d into moby:master Jun 28, 2024
@thaJeztah thaJeztah mentioned this pull request Jun 28, 2024
Merged
@robmry robmry deleted the 48067_fix_specific_ipv6_portmap_proxy_to_ipv4 branch September 16, 2024 08:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@corhere corhere corhere approved these changes

@thaJeztah thaJeztah thaJeztah approved these changes

@akerouanton akerouanton Awaiting requested review from akerouanton

Assignees

@robmry robmry

Labels
area/networking/d/bridge Networking area/networking/ipv6 Networking area/networking/portmapping Networking area/networking Networking process/cherry-picked version/27.0
Projects
None yet
Milestone
28.0.0
Development

Successfully merging this pull request may close these issues.

NAT is disabled error when setting IPV6 loopback address in port mapping
3 participants
@robmry @corhere @thaJeztah