Skip to content

[28.x backport] Unmap IPv4 addresses loaded from store #50829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thaJeztah merged 1 commit into from
Aug 27, 2025
Merged

[28.x backport] Unmap IPv4 addresses loaded from store #50829

thaJeztah merged 1 commit into from
Aug 27, 2025

Conversation

@robmry
Copy link
Contributor

@robmry robmry commented Aug 27, 2025
edited by vvoland
Loading

- What I did

IPv4-mapped IPv6 addresses are accepted by iptables, and do the right thing (so there's no obvious behavioural change). But, maybe this will help with the linked issue, or at-least rule out a potential difference from rules in 28.0.x.

- How I did it

When converting an endpoint's IPv4 net.IPNet to a netip.Addr, unmap it so that iptables rules don't contain IPv4-mapped IPv6 addresses - which they do otherwise, when the net.IPNet is loaded from the store.

- How to verify it

  • Enable live-restore.
  • docker network create b4
  • docker run -d --rm --network b4 --name c1 busybox top
  • Restart the daemon.

Without the change ...

DEBU[2025-08-27T16:21:36.545721342Z] Network (33c8cf6) restored
DEBU[2025-08-27T16:21:36.545868426Z] /usr/sbin/iptables, [--wait -t raw -C PREROUTING -d ::ffff:172.19.0.2 ! -i br-c4ed16cae1fd -j DROP]
DEBU[2025-08-27T16:21:36.546533634Z] Endpoint (8f9cd0f) restored to network (c4ed16c)

With the change ...

DEBU[2025-08-27T16:20:24.777808878Z] Network (170c742) restored
DEBU[2025-08-27T16:20:24.777946628Z] /usr/sbin/iptables, [--wait -t raw -C PREROUTING -d 172.19.0.2 ! -i br-c4ed16cae1fd -j DROP]
DEBU[2025-08-27T16:20:24.778534628Z] Endpoint (8f9cd0f) restored to network (c4ed16c)

- Human readable description for the release notes

- Fix an issue that could cause slow container restart on live-restore.

@robmry
Unmap IPv4 addresses loaded from store
31f4059 
When a endpoint's net.IPNet is loaded from store and converted
to a netip.Addr, unmap it so that iptables rules don't contain
IPv4-mapped IPv6 addresses.

Signed-off-by: Rob Murray <[email protected]>
(cherry picked from commit 071e647)
Signed-off-by: Rob Murray <[email protected]>
@robmry robmry added this to the 28.4.0 milestone Aug 27, 2025
@robmry robmry self-assigned this Aug 27, 2025
@robmry robmry requested a review from thaJeztah August 27, 2025 18:55
thaJeztah
thaJeztah approved these changes Aug 27, 2025
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah thaJeztah merged commit 314a8f8 into moby:28.x Aug 27, 2025
170 checks passed
@robmry robmry mentioned this pull request Aug 28, 2025
Closed
@jtgasper3 jtgasper3 mentioned this pull request Sep 27, 2025
Merged
@robmry robmry deleted the backport-28.x/unmap_endpoint_addresses branch November 26, 2025 16:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

Assignees

@robmry robmry

Labels

area/networking/d/bridge Networking area/networking Networking impact/changelog kind/bugfix PR's that fix bugs version/28.2

Projects

None yet

Milestone

28.4.0

Development

Successfully merging this pull request may close these issues.

2 participants

@robmry @thaJeztah