portmap: fix CHECK for nftables backend

champtar · champtar · commit f12dcbc6d6cb · 2025-11-05T11:27:30.000-05:00
Fixes 01a94e1 Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
diff --git a/plugins/meta/portmap/portmap_nftables.go b/plugins/meta/portmap/portmap_nftables.go
@@ -246,14 +246,24 @@ func (pmNFT *portMapperNFTables) checkPorts(config *PortMapConf, containerNet ne
 	var hostPorts, hostIPHostPorts, masqueradings int
 	for _, e := range config.RuntimeConfig.PortMaps {
 		if e.HostIP != "" {
-			hostIPHostPorts++
+			hostIP := net.ParseIP(e.HostIP)
+			isHostV6 := (hostIP.To4() == nil)
+			// Ignore wrong-IP-family HostIPs
+			if isV6 != isHostV6 {
+				continue
+			}
+			if hostIP.IsUnspecified() {
+				hostPorts++
+			} else {
+				hostIPHostPorts++
+			}
 		} else {
 			hostPorts++
 		}
 	}
 	if *config.SNAT {
-		masqueradings = len(config.RuntimeConfig.PortMaps)
-		if isV6 {
+		masqueradings = 1
+		if !isV6 {
 			masqueradings *= 2
 		}
 	}
diff --git a/plugins/meta/portmap/portmap_nftables_test.go b/plugins/meta/portmap/portmap_nftables_test.go
@@ -45,7 +45,7 @@ var _ = Describe("portmapping configuration (nftables)", func() {
 				}
 			})
 
-			It(fmt.Sprintf("[%s] generates correct rules on ADD", ver), func() {
+			It(fmt.Sprintf("[%s] generates correct rules", ver), func() {
 				configBytes := []byte(fmt.Sprintf(`{
 					"name": "test",
 					"type": "portmap",
@@ -72,10 +72,13 @@ var _ = Describe("portmapping configuration (nftables)", func() {
 				Expect(err).NotTo(HaveOccurred())
 				conf.ContainerID = containerID
 
-				containerNet, err := types.ParseCIDR("10.0.0.2/24")
+				containerNet4, err := types.ParseCIDR("10.0.0.2/24")
 				Expect(err).NotTo(HaveOccurred())
 
-				err = pmNFT.forwardPorts(conf, *containerNet)
+				err = pmNFT.forwardPorts(conf, *containerNet4)
+				Expect(err).NotTo(HaveOccurred())
+
+				err = pmNFT.checkPorts(conf, *containerNet4)
 				Expect(err).NotTo(HaveOccurred())
 
 				expectedRules := strings.TrimSpace(`
@@ -103,10 +106,13 @@ add rule ip cni_hostport prerouting a b jump hostports
 
 				// Disable snat, generate IPv6 rules
 				*conf.SNAT = false
-				containerNet, err = types.ParseCIDR("2001:db8::2/64")
+				containerNet6, err := types.ParseCIDR("2001:db8::2/64")
+				Expect(err).NotTo(HaveOccurred())
+
+				err = pmNFT.forwardPorts(conf, *containerNet6)
 				Expect(err).NotTo(HaveOccurred())
 
-				err = pmNFT.forwardPorts(conf, *containerNet)
+				err = pmNFT.checkPorts(conf, *containerNet6)
 				Expect(err).NotTo(HaveOccurred())
 
 				expectedRules = strings.TrimSpace(`
