Open
Labels: kind/bug, status/0-triage, status/more-info-needed
Description
On Fedora 42, Docker sets up firewall rules with firewalld that allow bound ports to be accessed from outside the host by default, i.e. -p 5050:5050
allows remote hosts to connect to this host's port 5050 regardless of what the zone would usually permit (unless you intentionally override this in firewalld). This seems to only be true for IPv4, not IPv6?
More specifically, Docker ensures that connections from a remote host to the bound IPv4 port pass through the firewall, but this is not true for IPv6.
Reproduce
- Ensure firewalld is running
- Enable IPv6 for everything, then start the docker daemon
- Run a container that listens for and ACKs HTTP requests, expose the port, and bind it to a port on both IPv4 and IPv6, for example:
  -p myhost_ipv4:5050:5050 -p [myhost_ipv6]:5050:5050
- From a remote host, run
  curl -4 -v http://myhost_ipv4:5050
  and
  curl -6 -v http://myhost_ipv6:5050
The IPv4 request should work, the IPv6 request will fail (if firewalld logging is enabled you can see the rejection in dmesg of the host machine).
Expected behavior
Firewall rules for IPv4 and IPv6 bound ports should behave identically.
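The reproduction above ends with the rejection showing up in dmesg when firewalld logging is enabled. The following is an added diagnostic, not code from the issue, from Docker or from firewalld: it parses netfilter LOG lines of the kind firewalld emits for denied packets, groups denials by IP family for each published port, and flags ports that are denied for exactly one family, which is the IPv4/IPv6 asymmetry reported here. Every log line, interface name and address in it is constructed for the example, the published port set is assumed, and the filter_IN_<zone>_REJECT log-prefix shape is an assumption about firewalld's nftables backend that may need adjusting for other versions.

```python
"""Flag firewalld denials of traffic to Docker-published ports, split by IP family.

Added example; not taken from the issue or from Docker/firewalld. It parses
netfilter LOG lines of the kind firewalld writes to the kernel log when
LogDenied is enabled and reports which published ports were denied for
IPv4 only, IPv6 only, or both. All sample lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# A denial line starts with the rule's log prefix, e.g. "filter_IN_public_REJECT: ".
# That prefix shape is an assumption about firewalld's nftables backend; adjust
# the pattern if your version logs differently.
_PREFIX = re.compile(r"(?P<prefix>filter_IN_\S+?_(?:REJECT|DROP)):")
# Netfilter LOG fields are KEY=value tokens; flags such as "SYN" or "DF" carry no "=".
_FIELD = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S*)")

# Ports published with -p on the host under test (assumed for this example).
PUBLISHED_PORTS = {5050, 8080}

# Constructed dmesg excerpt: one unrelated bridge message, two IPv6 denials for
# port 5050, one IPv4 and one IPv6 denial for port 8080, one IPv4 denial for an
# unpublished port. Addresses are documentation ranges, interface is made up.
SAMPLE_DMESG = [
    "[ 4810.502] docker0: port 1(veth9f2a1c3) entered forwarding state",
    "[ 4821.113] filter_IN_public_REJECT: IN=enp3s0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:86:dd "
    "SRC=2001:db8:1::10 DST=2001:db8:1::20 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP "
    "SPT=51234 DPT=5050 WINDOW=64800 RES=0x00 SYN URGP=0",
    "[ 4821.890] filter_IN_public_REJECT: IN=enp3s0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:86:dd "
    "SRC=2001:db8:1::10 DST=2001:db8:1::20 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP "
    "SPT=51236 DPT=5050 WINDOW=64800 RES=0x00 SYN URGP=0",
    "[ 4830.004] filter_IN_public_REJECT: IN=enp3s0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 "
    "SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP "
    "SPT=40000 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0",
    "[ 4830.771] filter_IN_public_REJECT: IN=enp3s0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:86:dd "
    "SRC=2001:db8:1::10 DST=2001:db8:1::20 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP "
    "SPT=40002 DPT=8080 WINDOW=64800 RES=0x00 SYN URGP=0",
    "[ 4841.330] filter_IN_public_REJECT: IN=enp3s0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 "
    "SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP "
    "SPT=40004 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0",
]


def parse_denial(line):
    """Return prefix, family (4 or 6), src, dst, proto and dport for a denial line, else None."""
    m = _PREFIX.search(line)
    if not m:
        return None
    fields = dict(_FIELD.findall(line[m.end():]))
    try:
        dst = ipaddress.ip_address(fields["DST"])
        dport = int(fields["DPT"])
    except (KeyError, ValueError):
        return None  # malformed, or no port (e.g. ICMP entries carry no DPT)
    return {
        "prefix": m.group("prefix"),
        "family": dst.version,
        "src": fields.get("SRC", ""),
        "dst": str(dst),
        "proto": fields.get("PROTO", ""),
        "dport": dport,
    }


def rejected_families(log_lines, published_ports):
    """Map each published port to the set of IP families (4, 6) whose traffic was denied."""
    hits = defaultdict(set)
    for line in log_lines:
        rec = parse_denial(line)
        if rec and rec["dport"] in published_ports:
            hits[rec["dport"]].add(rec["family"])
    return dict(hits)


def one_sided_ports(hits, published_ports):
    """Published ports denied for exactly one family: the IPv4/IPv6 asymmetry the issue describes."""
    return sorted(p for p in published_ports if len(hits.get(p, ())) == 1)


if __name__ == "__main__":
    hits = rejected_families(SAMPLE_DMESG, PUBLISHED_PORTS)
    for port in sorted(PUBLISHED_PORTS):
        fams = ", ".join(f"IPv{f}" for f in sorted(hits.get(port, ())))
        print(f"port {port}: denied for {fams or 'neither family'}")
    print("one-sided ports:", one_sided_ports(hits, PUBLISHED_PORTS))
```

On a real host, feed it the output of dmesg or journalctl -k instead of SAMPLE_DMESG and the set of ports actually published with -p. A port that is denied for both families points at ordinary zone policy; a port denied for one family only is the behaviour this issue is about, and is worth checking against the firewalld policy and the ip6tables rules Docker installed before concluding the daemon config is at fault.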
docker version
Client: Docker Engine - Community
Version: 28.3.3
API version: 1.51
Go version: go1.24.5
Git commit: 980b856
Built: Fri Jul 25 11:36:40 2025
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 28.3.3
API version: 1.51 (minimum version 1.24)
Go version: go1.24.5
Git commit: bea959c
Built: Fri Jul 25 11:33:31 2025
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.7.27
GitCommit: 05044ec0a9a75232cad458027ca83437aae3f4da
runc:
Version: 1.2.5
GitCommit: v1.2.5-0-g59923ef
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Client: Docker Engine - Community
Version: 28.3.3
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.26.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.39.1
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 5
Running: 3
Paused: 0
Stopped: 2
Images: 53
Server Version: 28.3.3
Storage Driver: overlay2
Backing Filesystem: btrfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
runc version: v1.2.5-0-g59923ef
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.15.9-201.fc42.x86_64
Operating System: Fedora Linux 42 (Workstation Edition)
OSType: linux
Architecture: x86_64
CPUs: 12
Total Memory: 62.64GiB
Name: Cryogenic
ID: ed88d9cb-bb99-42bd-9131-566f815d7a6c
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: REDACTED
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false
Default Address Pools:
Base: 10.16.0.0/12, Size: 22
Additional Info
Daemon config:
{
"iptables": true,
"ip6tables": true,
"default-address-pools" : [
{ "base": "10.16.0.0/12", "size": 22 }
]
}