From e19c3d9985759e4348f0302a4355a24e194dab53 Mon Sep 17 00:00:00 2001
From: Niels van Oosterom
Date: Fri, 30 Aug 2019 11:37:54 +0200
Subject: [PATCH] Fixed issue where hostIP address family was not checked against the containerIp address family
---
plugins/meta/portmap/portmap.go | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/plugins/meta/portmap/portmap.go b/plugins/meta/portmap/portmap.go
index 06b6d1d20..a826ac4ca 100644
--- a/plugins/meta/portmap/portmap.go
+++ b/plugins/meta/portmap/portmap.go
@@ -224,6 +224,16 @@ func fillDnatRules(c *chain, config *PortMapConf, containerIP net.IP) {
 // the ordering is important here; the mark rules must be first.
 c.rules = make([][]string, 0, 3*len(entries))
 for _, entry := range entries {
+ // If a HostIp is given, only process the entry if host and container address families match
+ if entry.HostIP != "" {
+ hostIp := net.ParseIP(entry.HostIP)
+ isHostV6 := (hostIp.To4() == nil)
+
+ if isV6 != isHostV6 {
+ continue
+ }
+ }
+
 ruleBase := []string{
 "-p", entry.Protocol,
 "--dport", strconv.Itoa(entry.HostPort)}
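Review bot: `net.ParseIP` returns nil for a malformed `entry.HostIP`, and `To4()` on a nil IP is also nil, so the added check classifies an unparseable host address as IPv6 instead of rejecting it. For an IPv4 container the mapping is then skipped with no signal to the operator, and for an IPv6 container the bad string presumably flows on into rule construction further down (the loop body continues outside this hunk). Unless HostIP is already validated when the config is parsed, add a nil guard here, e.g. `hostIP := net.ParseIP(entry.HostIP)` followed by `if hostIP == nil || isV6 != (hostIP.To4() == nil) { continue }`, and ideally reject the value at config-parse time, since fillDnatRules has no error return. The local would also read better as `hostIP` per Go initialism style, and `isV6` is defined outside the hunk, so confirm it is derived from `containerIP` with the same `To4() == nil` test.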