moby
diff --git a/‎integration/networking/bridge_test.go
Lines changed: 36 additions & 0 deletions b/‎integration/networking/bridge_test.go
Lines changed: 36 additions & 0 deletions
diff --git a/‎libnetwork/drivers/bridge/port_mapping_linux.go
Lines changed: 15 additions & 12 deletions b/‎libnetwork/drivers/bridge/port_mapping_linux.go
Lines changed: 15 additions & 12 deletions
diff --git a/‎libnetwork/drivers/bridge/port_mapping_linux_test.go
Lines changed: 25 additions & 3 deletions b/‎libnetwork/drivers/bridge/port_mapping_linux_test.go
Lines changed: 25 additions & 3 deletions
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/http"
 	"os/exec"
 	"regexp"
 	"runtime"
@@ -1055,3 +1056,38 @@ func TestPortMappedHairpin(t *testing.T) {
 	defer c.ContainerRemove(ctx, res.ContainerID, containertypes.RemoveOptions{Force: true})
 	assert.Check(t, is.Contains(res.Stderr.String(), "404 Not Found"))
 }
+
+// Check that a container on an IPv4-only network can have a port mapping
+// from a specific IPv6 host address (using docker-proxy).
+// Regression test for https://github.com/moby/moby/issues/48067 (which
+// is about incorrectly reporting this as invalid config).
+func TestProxy4To6(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType == "windows", "uses bridge network and docker-proxy")
+	skip.If(t, testEnv.IsRootless)
+
+	ctx := setupTest(t)
+	d := daemon.New(t)
+	d.StartWithBusybox(ctx, t)
+	defer d.Stop(t)
+
+	c := d.NewClientT(t)
+	defer c.Close()
+
+	const netName = "ipv4net"
+	network.CreateNoError(ctx, t, c, netName)
+
+	serverId := container.Run(ctx, t, c,
+		container.WithNetworkMode(netName),
+		container.WithExposedPorts("80"),
+		container.WithPortMap(nat.PortMap{"80": {{HostIP: "::1"}}}),
+		container.WithCmd("httpd", "-f"),
+	)
+	defer c.ContainerRemove(ctx, serverId, containertypes.RemoveOptions{Force: true})
+
+	inspect := container.Inspect(ctx, t, c, serverId)
+	hostPort := inspect.NetworkSettings.Ports["80/tcp"][0].HostPort
+
+	resp, err := http.Get("http://[::1]:" + hostPort)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(resp.StatusCode, 404))
+}
@@ -60,9 +60,7 @@ func (n *bridgeNetwork) addPortMappings(
 	}
 
 	disableNAT4, disableNAT6 := n.getNATDisabled()
-	if err := validatePortBindings(cfg,
-		!disableNAT4 && len(containerIPv4) > 0,
-		!disableNAT6 && len(containerIPv6) > 0); err != nil {
+	if err := validatePortBindings(cfg, !disableNAT4, !disableNAT6, containerIPv6); err != nil {
 		return nil, err
 	}
 
@@ -157,27 +155,32 @@ const validationErrLimit = 6
 // docker-proxy is used to forward between the default IPv6 address and the
 // container's IPv4. So, simply disallowing a non-zero IPv6 default when NAT6
 // is disabled for the network would be incorrect.)
-func validatePortBindings(pbs []types.PortBinding, nat4, nat6 bool) error {
+func validatePortBindings(pbs []types.PortBinding, nat4, nat6 bool, cIPv6 net.IP) error {
 	var errs []error
 	for i := range pbs {
 		pb := &pbs[i]
 		disallowHostPort := false
 		if !nat4 && len(pb.HostIP) > 0 && pb.HostIP.To4() != nil && !pb.HostIP.Equal(net.IPv4zero) {
 			// There's no NAT4, so don't allow a nonzero IPv4 host address in the mapping. The port will
-			// accessible via any host interface.
+			// be accessible via any host interface.
 			errs = append(errs,
 				fmt.Errorf("NAT is disabled, omit host address in port mapping %s, or use 0.0.0.0::%d to open port %d for IPv4-only",
 					pb, pb.Port, pb.Port))
 			// The mapping is IPv4-specific but there's no NAT4, so a host port would make no sense.
 			disallowHostPort = true
 		} else if !nat6 && len(pb.HostIP) > 0 && pb.HostIP.To4() == nil && !pb.HostIP.Equal(net.IPv6zero) {
-			// There's no NAT6, so don't allow an IPv6 host address in the mapping. The port will
-			// accessible via any host interface.
-			errs = append(errs,
-				fmt.Errorf("NAT is disabled, omit host address in port mapping %s, or use [::]::%d to open port %d for IPv6-only",
-					pb, pb.Port, pb.Port))
-			// The mapping is IPv6-specific but there's no NAT6, so a host port would make no sense.
-			disallowHostPort = true
+			// If the container has no IPv6 address, the userland proxy will proxy between the
+			// host's IPv6 address and the container's IPv4. So, even with no NAT6, it's ok for
+			// an IPv6 port mapping to include a specific host address or port.
+			if len(cIPv6) > 0 {
+				// There's no NAT6, so don't allow an IPv6 host address in the mapping. The port will
+				// accessible via any host interface.
+				errs = append(errs,
+					fmt.Errorf("NAT is disabled, omit host address in port mapping %s, or use [::]::%d to open port %d for IPv6-only",
+						pb, pb.Port, pb.Port))
+				// The mapping is IPv6-specific but there's no NAT6, so a host port would make no sense.
+				disallowHostPort = true
+			}
 		} else if !nat4 && !nat6 {
 			// There's no NAT, so it would make no sense to specify a host port.
 			disallowHostPort = true
 
@@ -186,6 +186,7 @@ func TestValidatePortBindings(t *testing.T) {
 		name    string
 		nat4    bool
 		nat6    bool
+		ctrIPv6 net.IP
 		pbs     []types.PortBinding
 		expErrs []string
 	}{
@@ -196,7 +197,8 @@ func TestValidatePortBindings(t *testing.T) {
 			},
 		},
 		{
-			name: "no nat with addrs",
+			name:    "no nat with addrs",
+			ctrIPv6: newIPNet(t, "fd2c:b48c:69fb::2/128").IP,
 			pbs: []types.PortBinding{
 				{Proto: types.TCP, HostIP: newIPNet(t, "233.252.0.2/24").IP, Port: 80},
 				{Proto: types.TCP, HostIP: newIPNet(t, "2001:db8::2/64").IP, Port: 80},
@@ -246,7 +248,16 @@ func TestValidatePortBindings(t *testing.T) {
 			},
 		},
 		{
-			name: "no nat and addrs and ports",
+			name: "nat4 and addrs and ports",
+			nat4: true,
+			pbs: []types.PortBinding{
+				{Proto: types.TCP, HostIP: newIPNet(t, "233.252.0.2/24").IP, HostPort: 8080, Port: 80},
+				{Proto: types.TCP, HostIP: newIPNet(t, "2001:db8::2/64").IP, HostPort: 8080, Port: 80},
+			},
+		},
+		{
+			name:    "no nat and addrs and ports",
+			ctrIPv6: newIPNet(t, "fd2c:b48c:69fb::2/128").IP,
 			pbs: []types.PortBinding{
 				{Proto: types.TCP, HostIP: newIPNet(t, "233.252.0.2/24").IP, HostPort: 8080, Port: 80},
 				{Proto: types.TCP, HostIP: newIPNet(t, "2001:db8::2/64").IP, HostPort: 8080, Port: 80},
@@ -258,6 +269,17 @@ func TestValidatePortBindings(t *testing.T) {
 				"host port must not be specified in mapping [2001:db8::2]:8080:80/tcp because NAT is disabled",
 			},
 		},
+		{
+			name: "no nat no ctrIPv6 and addrs and ports",
+			pbs: []types.PortBinding{
+				{Proto: types.TCP, HostIP: newIPNet(t, "233.252.0.2/24").IP, HostPort: 8080, Port: 80},
+				{Proto: types.TCP, HostIP: newIPNet(t, "2001:db8::2/64").IP, HostPort: 8080, Port: 80},
+			},
+			expErrs: []string{
+				"NAT is disabled, omit host address in port mapping 233.252.0.2:8080:80/tcp, or use 0.0.0.0::80 to open port 80 for IPv4-only",
+				"host port must not be specified in mapping 233.252.0.2:8080:80/tcp because NAT is disabled",
+			},
+		},
 		{
 			name: "max errs reached",
 			pbs: []types.PortBinding{
@@ -283,7 +305,7 @@ func TestValidatePortBindings(t *testing.T) {
 	for _, tc := range testcases {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
-			err := validatePortBindings(tc.pbs, tc.nat4, tc.nat6)
+			err := validatePortBindings(tc.pbs, tc.nat4, tc.nat6, tc.ctrIPv6)
 			if tc.expErrs == nil {
 				assert.Check(t, err)
 			} else {