@@ -739,11 +739,22 @@ func (daemon *Daemon) connectToNetwork(ctx context.Context, cfg *config.Config,

 			delete(ctr.NetworkSettings.Networks, nwName)

 		}

 	}()

-	if err := daemon.updateEndpointNetworkSettings(cfg, ctr, n, ep); err != nil {

-		return err

-	}

 	if nwName == network.DefaultNetwork {

+		// Legacy links must be prepared before the Endpoint.Join, because the network

+		// driver needs info about them - and, the daemon's network settings need to be

+		// filled-in for daemon.addLegacyLinks(). So, set up both here.

+		//

+		// However, this means if the Endpoint.Join drops the endpoint's IPv6 address

+		// (because there's a sysctl setting or some equivalent disabling IPv6 on the

+		// interface), host entries set up by addLegacyLinks() for IPv6 addresses of the

+		// linked container will be left behind in the container's /etc/hosts file. It

+		// won't be able to use those addresses, because it won't have IPv6 on that

+		// interface. So, even if the address is recycled by another container on the

+		// network, the old hosts entry can't access the wrong container.

+		if err := daemon.updateEndpointNetworkSettings(cfg, ctr, n, ep); err != nil {

+			return err

+		}

 		if err := daemon.addLegacyLinks(ctx, cfg, ctr, endpointConfig, sb); err != nil {

 			return err

 		}

@@ -754,10 +765,17 @@ func (daemon *Daemon) connectToNetwork(ctx context.Context, cfg *config.Config,

 		return err

 	}

+	// Connect the container to the network. Note that this will release the IPv6

+	// address assigned to the Endpoint, if IPv6 is disabled on the interface

+	// (probably by an endpoint specific sysctl setting).

 	if err := ep.Join(ctx, sb, joinOptions...); err != nil {

 		return err

 	}

+	if err := daemon.updateEndpointNetworkSettings(cfg, ctr, n, ep); err != nil {

+		return err

+	}

+

 	if !ctr.Managed {

 		// add container name/alias to DNS

 		if err := daemon.ActivateContainerServiceBinding(ctr.Name); err != nil {

@@ -107,6 +107,15 @@ type ExtConner interface {

 	ProgramExternalConnectivity(ctx context.Context, nid, eid string, gw4Id, gw6Id string) error

 }

+// IPv6Releaser is an optional interface for a network driver.

+type IPv6Releaser interface {

+	// ReleaseIPv6 tells the driver that an endpoint has no IPv6 address, even

+	// if the options passed to Driver.CreateEndpoint specified an address. This

+	// happens when, for example, sysctls applied after configuring the interface

+	// disable IPv6.

+	ReleaseIPv6(ctx context.Context, nid, eid string) error

+}

+

 // GwAllocChecker is an optional interface for a network driver.

 type GwAllocChecker interface {

 	// GetSkipGwAlloc returns true if the opts describe a network

@@ -127,7 +127,6 @@ type containerConfiguration struct {

 type connectivityConfiguration struct {

 	PortBindings []portmapperapi.PortBindingReq

 	ExposedPorts []types.TransportPort

-	NoProxy6To4  bool

 }

 type bridgeEndpoint struct {

@@ -167,6 +166,9 @@ type driver struct {

 	mu sync.Mutex

 }

+// Assert that the driver is a driverapi.IPv6Releaser.

+var _ driverapi.IPv6Releaser = (*driver)(nil)

+

 type gwMode string

 const (

@@ -1437,6 +1439,29 @@ func (d *driver) Join(ctx context.Context, nid, eid string, sboxKey string, jinf

 	return nil

 }

+func (d *driver) ReleaseIPv6(ctx context.Context, nid, eid string) error {

+	network, err := d.getNetwork(nid)

+	if err != nil {

+		return err

+	}

+

+	endpoint, err := network.getEndpoint(eid)

+	if err != nil {

+		return err

+	}

+

+	if endpoint == nil {

+		return endpointNotFoundError(eid)

+	}

+

+	_, netip6 := endpoint.netipAddrs()

+	if err := network.firewallerNetwork.DelEndpoint(ctx, netip.Addr{}, netip6); err != nil {

+		return fmt.Errorf("removing firewall rules while releasing IPv6 address: %v", err)

+	}

+	endpoint.addrv6 = nil

+	return nil

+}

+

 // Leave method is invoked when a Sandbox detaches from an endpoint.

 func (d *driver) Leave(nid, eid string) error {

 	network, err := d.getNetwork(nid)

@@ -531,6 +531,8 @@ func (ep *Endpoint) sbJoin(ctx context.Context, sb *Sandbox, options ...Endpoint

 		return fmt.Errorf("failed to get driver during join: %v", err)

 	}

+	// Tell the driver about the new endpoint. The driver populates ep.joinInfo using

+	// the Endpoint's JoinInfo interface.

 	if err := d.Join(ctx, nid, epid, sb.Key(), ep, ep.generic, sb.Labels()); err != nil {

 		return err

 	}

@@ -938,7 +940,7 @@ func (ep *Endpoint) Delete(ctx context.Context, force bool) error {

 		return err

 	}

-	ep.releaseAddress()

+	ep.releaseIPAddresses()

 	return nil

 }

@@ -1228,7 +1230,7 @@ func (ep *Endpoint) assignAddressVersion(ipVer int, ipam ipamapi.Ipam) error {

 	return fmt.Errorf("no available IPv%d addresses on this network's address pools: %s (%s)", ipVer, n.Name(), n.ID())

 }

-func (ep *Endpoint) releaseAddress() {

+func (ep *Endpoint) releaseIPAddresses() {

 	n := ep.getNetwork()

 	if n.hasSpecialDriver() {

 		return

@@ -1255,6 +1257,53 @@ func (ep *Endpoint) releaseAddress() {

 	}

 }

+func (ep *Endpoint) releaseIPv6Address(ctx context.Context) error {

+	n := ep.network

+	ctx = log.WithLogger(ctx, log.G(ctx).WithFields(log.Fields{

+		"net": n.Name(),

+		"ep":  ep.name,

+		"ip":  ep.iface.addrv6,

+	}))

+

+	if ep.iface.addrv6 == nil || n.hasSpecialDriver() {

+		return nil

+	}

+

+	log.G(ctx).Debug("Releasing IPv6 address for endpoint")

+

+	ipam, _, err := n.getController().getIPAMDriver(n.ipamType)

+	if err != nil {

+		log.G(ctx).WithError(err).Warn("Failed to retrieve ipam driver to release IPv6 address")

+		return err

+	}

+

+	if err := ipam.ReleaseAddress(ep.iface.v6PoolID, ep.iface.addrv6.IP); err != nil {

+		log.G(ctx).WithError(err).Warn("Failed to release IPv6 address")

+		return err

+	}

+

+	ep.iface.addrv6 = nil

+	if ep.joinInfo != nil {

+		ep.joinInfo.gw6 = nil

+	}

+

+	d, err := n.driver(true)

+	if err != nil {

+		return fmt.Errorf("fetching driver to release IPv6 address: %v", err)

+	}

+	if dr, ok := d.(driverapi.IPv6Releaser); ok {

+		if err := dr.ReleaseIPv6(ctx, n.id, ep.id); err != nil {

+			return fmt.Errorf("releasing IPv6 address: %v", err)

+		}

+	}

+

+	if err := ep.network.getController().updateToStore(ctx, ep); err != nil {

+		return err

+	}

+

+	return nil

+}

+

 func (c *Controller) cleanupLocalEndpoints() error {

 	// Get used endpoints

 	eps := make(map[string]any)

@@ -1240,7 +1240,7 @@ func (n *Network) createEndpoint(ctx context.Context, name string, options ...En

 	}

 	defer func() {

 		if err != nil {

-			ep.releaseAddress()

+			ep.releaseIPAddresses()

 		}

 	}()

@@ -228,6 +228,9 @@ func moveLink(ctx context.Context, nlhHost nlwrap.Handle, iface netlink.Link, i

 // an auto-generated dest name that combines the provided dstPrefix and a

 // numeric suffix.

 //

+// If an IPv6 address is configured, but unused because of sysctl settings applied

+// after address assignment, it will be removed from the Interface.

+//

 // It's safe to call concurrently.

 func (n *Namespace) AddInterface(ctx context.Context, srcName, dstPrefix, dstName string, options ...IfaceOption) error {

 	ctx, span := otel.Tracer("").Start(ctx, "libnetwork.osl.AddInterface", trace.WithAttributes(

@@ -874,6 +877,23 @@ func (n *Namespace) configureInterface(ctx context.Context, nlh nlwrap.Handle, i

 		return err

 	}

+	// If an IPv6 address was configured, and now it's gone away, it's because of a sysctl

+	// setting. Remove the address from the Interface so that there's no attempt to send

+	// Neighbour Advertisements for it, and the caller knows to release the address.

+	if i.addressIPv6 != nil {

+		v6addrs, err := nlh.AddrList(iface, netlink.FAMILY_V6)

+		if err != nil {

+			return fmt.Errorf("failed to check IPv6 addresses: %v", err)

+		}

+		if len(v6addrs) == 0 {

+			log.G(ctx).WithFields(log.Fields{

+				"ip":     i.addressIPv6.String(),

+				"ifname": i.dstName,

+			}).Debug("IPv6 address not present after applying sysctls")

+			i.addressIPv6 = nil

+		}

+	}

+

 	return nil

 }

@@ -249,7 +249,8 @@ func (n *Namespace) Interfaces() []*Interface {

 	return ifaces

 }

-func (n *Namespace) ifaceBySrcName(srcName string) *Interface {

+// InterfaceBySrcName returns a pointer to the Interface with a matching srcName, else nil.

+func (n *Namespace) InterfaceBySrcName(srcName string) *Interface {

 	n.mu.Lock()

 	defer n.mu.Unlock()

 	for _, iface := range n.iFaces {

@@ -505,7 +506,6 @@ func (n *Namespace) IPv6LoEnabled() bool {

 func (n *Namespace) RefreshIPv6LoEnabled() {

 	n.mu.Lock()

 	defer n.mu.Unlock()

-

 	// If anything goes wrong, assume no-IPv6.

 	n.ipv6LoEnabledCached = false

 	iface, err := n.nlHandle.LinkByName("lo")

@@ -240,7 +240,7 @@ func (n *Namespace) SetDefaultRouteIPv6(srcName string) error {

 }

 func (n *Namespace) setDefaultRoute(srcName string, routeMatcher func(*net.IPNet) bool) error {

-	iface := n.ifaceBySrcName(srcName)

+	iface := n.InterfaceBySrcName(srcName)

 	if iface == nil {

 		return errors.New("no interface")

 	}

@@ -308,7 +308,7 @@ func (n *Namespace) unsetDefaultRoute(srcName string, routeMatcher func(*net.IPN

 		return nil

 	}

-	iface := n.ifaceBySrcName(srcName)

+	iface := n.InterfaceBySrcName(srcName)

 	if iface == nil {

 		return nil

 	}

@@ -326,6 +326,17 @@ func (sb *Sandbox) addEndpoint(ep *Endpoint) {

 	sb.endpoints = slices.Insert(sb.endpoints, i, ep)

 }

+func (sb *Sandbox) updateGwPriorityOrdering(ep *Endpoint) {

+	sb.mu.Lock()

+	defer sb.mu.Unlock()

+

+	sb.endpoints = slices.DeleteFunc(sb.endpoints, func(other *Endpoint) bool { return other.id == ep.id })

+	i := sort.Search(len(sb.endpoints), func(j int) bool {

+		return ep.Less(sb.endpoints[j])

+	})

+	sb.endpoints = slices.Insert(sb.endpoints, i, ep)

+}

+

 func (sb *Sandbox) populateNetworkResources(ctx context.Context, ep *Endpoint) (retErr error) {

 	ctx, span := otel.Tracer("").Start(ctx, "libnetwork.Sandbox.populateNetworkResources", trace.WithAttributes(

 		attribute.String("endpoint.Name", ep.Name())))

@@ -398,6 +398,21 @@ func (sb *Sandbox) populateNetworkResourcesOS(ctx context.Context, ep *Endpoint)

 			return fmt.Errorf("failed to add interface %s to sandbox: %v", i.srcName, err)

 		}

+		// If IPv6 is configured and the address isn't on the interface, it was applied successfully

+		// but then removed by a sysctl setting. Release the address and update the interface config.

+		if i.addrv6 != nil && !inDelete {

+			if oslIface := sb.osSbox.InterfaceBySrcName(i.srcName); oslIface != nil {

+				if oslIface.AddressIPv6() == nil {

+					if err := ep.releaseIPv6Address(ctx); err != nil {

+						return err

+					}

+					// The Sandbox's list of endpoints is sorted based on IPv6 connectivity, so

+					// make sure this one's in the right place.

+					sb.updateGwPriorityOrdering(ep)

+				}

+			}

+		}

+

 		if len(ep.virtualIP) > 0 && lbModeIsDSR {

 			if sb.loadBalancerNID == "" {

 				if err := sb.osSbox.DisableARPForVIP(i.srcName); err != nil {

@@ -1117,6 +1117,10 @@ func buildEndpointInfo(networkSettings *network.Settings, n *libnetwork.Network,

 		onesv6, _ := iface.AddressIPv6().Mask.Size()

 		networkSettings.Networks[nwName].GlobalIPv6Address = iface.AddressIPv6().IP.String()

 		networkSettings.Networks[nwName].GlobalIPv6PrefixLen = onesv6

+	} else {

+		// If IPv6 was disabled on the interface, and its address was removed, remove it here too.

+		networkSettings.Networks[nwName].GlobalIPv6Address = ""

+		networkSettings.Networks[nwName].GlobalIPv6PrefixLen = 0

 	}

 	return nil

@@ -31,6 +31,7 @@ import (

 	"github.com/moby/moby/v2/internal/testutil/daemon"

 	"gotest.tools/v3/assert"

 	is "gotest.tools/v3/assert/cmp"

+	"gotest.tools/v3/icmd"

 	"gotest.tools/v3/skip"

 )

@@ -1025,6 +1026,81 @@ func TestDisableIPv6Addrs(t *testing.T) {

 	}

 }

+// TestDisableIPv6OnInterface checks that it's possible to disable IPv6 on an

+// endpoint in an IPv6 network using a sysctl.

+func TestDisableIPv6OnInterface(t *testing.T) {

+	ctx := setupTest(t)

+	d := daemon.New(t)

+	d.StartWithBusybox(ctx, t, "--ipv6")

+	defer d.Stop(t)

+

+	c := d.NewClientT(t)

+	defer c.Close()

+

+	tests := []struct {

+		name    string

+		netName string

+	}{

+		{

+			name:    "default bridge",

+			netName: "bridge",

+		},

+		{

+			name:    "user defined bridge",

+			netName: "testnet",

+		},

+	}

+

+	for _, tc := range tests {

+		t.Run(tc.netName, func(t *testing.T) {

+			if tc.netName != "bridge" {

+				network.CreateNoError(ctx, t, c, tc.netName, network.WithIPv6())

+				defer network.RemoveNoError(ctx, t, c, tc.netName)

+			}

+

+			const ctrName = "ctr"

+			ctrId := container.Run(ctx, t, c,

+				container.WithName(ctrName),

+				container.WithNetworkMode(tc.netName),

+				container.WithExposedPorts("80/tcp"),

+				container.WithPortMap(containertypes.PortMap{"80/tcp": {{HostPort: "8080"}}}),

+				container.WithEndpointSettings(tc.netName, &networktypes.EndpointSettings{

+					DriverOpts: map[string]string{

+						netlabel.EndpointSysctls: "net.ipv6.conf.IFNAME.disable_ipv6=1",

+					},

+				}),

+			)

+			defer c.ContainerRemove(ctx, ctrId, client.ContainerRemoveOptions{Force: true})

+

+			// The interface should not have any IPv6 addresses.

+			execRes := container.ExecT(ctx, t, c, ctrId, []string{"ip", "a", "show", "eth0"})

+			assert.Check(t, !strings.Contains(execRes.Stdout(), "inet6"),

+				"Unexpected IPv6 address in: %s", execRes.Stdout())

+

+			// Inspect should not show an IPv6 container address.

+			inspRes2 := container.Inspect(ctx, t, c, ctrId)

+			assert.Check(t, is.Equal("", inspRes2.NetworkSettings.Networks[tc.netName].GlobalIPv6Address))

+			assert.Check(t, is.Equal(0, inspRes2.NetworkSettings.Networks[tc.netName].GlobalIPv6PrefixLen))

+

+			// Port mappings should be IPv4-only - but can't see the proxy processes in the rootless netns.

+			if !testEnv.IsRootless() {

+				checkProxies(ctx, t, c, d.Pid(), []expProxyCfg{

+					{"tcp", "0.0.0.0", "8080", ctrName, tc.netName, true, "80"},

+					{"tcp", "::", "8080", ctrName, tc.netName, true, "80"},

+				})

+			}

+

+			// There should not be an IPv6 DNS or /etc/hosts entry.

+			runRes := container.RunAttach(ctx, t, c,

+				container.WithNetworkMode(tc.netName),

+				container.WithCmd("ping", "-6", ctrName),

+			)

+			assert.Check(t, is.Equal(runRes.ExitCode, 1))

+			assert.Check(t, is.Contains(runRes.Stderr.String(), "bad address"))

+		})

+	}

+}

+

 // Check that a container in a network with IPv4 disabled doesn't get

 // IPv4 addresses.

 func TestDisableIPv4(t *testing.T) {

@@ -1502,9 +1578,12 @@ func checkProxies(ctx context.Context, t *testing.T, c *client.Client, daemonPid

 	}

 	gotProxies := make([]string, 0, len(exp))

-	res, err := exec.Command("ps", "-f", "--ppid", strconv.Itoa(daemonPid)).CombinedOutput()

-	assert.NilError(t, err)

-	for _, line := range strings.Split(string(res), "\n") {

+	res := icmd.RunCommand("ps", "-f", "--ppid", strconv.Itoa(daemonPid))

+	if res.Error != nil {

+		t.Error(res)

+		return

+	}

+	for _, line := range strings.Split(res.Stdout(), "\n") {

 		_, args, ok := strings.Cut(line, "docker-proxy")

 		if !ok {

 			continue

@@ -1522,7 +1601,7 @@ func checkProxies(ctx context.Context, t *testing.T, c *client.Client, daemonPid

 		gotProxies = append(gotProxies, makeExpStr(proto, hostIP, hostPort, ctrIP, ctrPort))

 	}

-	assert.DeepEqual(t, gotProxies, wantProxies)

+	assert.Check(t, is.DeepEqual(gotProxies, wantProxies))

 }

 // Check that a gratuitous ARP / neighbour advertisement is sent for a new