@@ -3,7 +3,7 @@

 # LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When

 # updating the binary version, consider updating github.com/docker/libnetwork

 # in vendor.conf accordingly

-: "${LIBNETWORK_COMMIT:=fa125a3512ee0f6187721c88582bf8c4378bd4d7}"

+: "${LIBNETWORK_COMMIT:=b3507428be5b458cb0e2b4086b13531fb0706e46}"

 install_proxy() {

 	case "$1" in

@@ -20,13 +20,13 @@ func (s *DockerSuite) TestPortList(c *testing.T) {

 	out, _ = dockerCmd(c, "port", firstID, "80")

-	err := assertPortList(c, out, []string{"0.0.0.0:9876"})

+	err := assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})

 	// Port list is not correct

 	assert.NilError(c, err)

 	out, _ = dockerCmd(c, "port", firstID)

-	err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876"})

+	err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876", "80/tcp -> [::]:9876"})

 	// Port list is not correct

 	assert.NilError(c, err)

@@ -42,7 +42,7 @@ func (s *DockerSuite) TestPortList(c *testing.T) {

 	out, _ = dockerCmd(c, "port", ID, "80")

-	err = assertPortList(c, out, []string{"0.0.0.0:9876"})

+	err = assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})

 	// Port list is not correct

 	assert.NilError(c, err)

@@ -50,8 +50,11 @@ func (s *DockerSuite) TestPortList(c *testing.T) {

 	err = assertPortList(c, out, []string{

 		"80/tcp -> 0.0.0.0:9876",

+		"80/tcp -> [::]:9876",

 		"81/tcp -> 0.0.0.0:9877",

+		"81/tcp -> [::]:9877",

 		"82/tcp -> 0.0.0.0:9878",

+		"82/tcp -> [::]:9878",

 	})

 	// Port list is not correct

 	assert.NilError(c, err)

@@ -69,7 +72,7 @@ func (s *DockerSuite) TestPortList(c *testing.T) {

 	out, _ = dockerCmd(c, "port", ID, "80")

-	err = assertPortList(c, out, []string{"0.0.0.0:9876", "0.0.0.0:9999"})

+	err = assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876", "0.0.0.0:9999", "[::]:9999"})

 	// Port list is not correct

 	assert.NilError(c, err)

@@ -78,8 +81,12 @@ func (s *DockerSuite) TestPortList(c *testing.T) {

 	err = assertPortList(c, out, []string{

 		"80/tcp -> 0.0.0.0:9876",

 		"80/tcp -> 0.0.0.0:9999",

+		"80/tcp -> [::]:9876",

+		"80/tcp -> [::]:9999",

 		"81/tcp -> 0.0.0.0:9877",

+		"81/tcp -> [::]:9877",

 		"82/tcp -> 0.0.0.0:9878",

+		"82/tcp -> [::]:9878",

 	})

 	// Port list is not correct

 	assert.NilError(c, err)

@@ -94,7 +101,10 @@ func (s *DockerSuite) TestPortList(c *testing.T) {

 			out, _ = dockerCmd(c, "port", IDs[i])

-			err = assertPortList(c, out, []string{fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i)})

+			err = assertPortList(c, out, []string{

+				fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i),

+				fmt.Sprintf("80/tcp -> [::]:%d", 9090+i),

+			})

 			// Port list is not correct

 			assert.NilError(c, err)

 		}

@@ -127,9 +137,13 @@ func (s *DockerSuite) TestPortList(c *testing.T) {

 	err = assertPortList(c, out, []string{

 		"80/tcp -> 0.0.0.0:9800",

+		"80/tcp -> [::]:9800",

 		"81/tcp -> 0.0.0.0:9801",

+		"81/tcp -> [::]:9801",

 		"82/tcp -> 0.0.0.0:9802",

+		"82/tcp -> [::]:9802",

 		"83/tcp -> 0.0.0.0:9803",

+		"83/tcp -> [::]:9803",

 	})

 	// Port list is not correct

 	assert.NilError(c, err)

@@ -305,7 +319,7 @@ func (s *DockerSuite) TestPortHostBinding(c *testing.T) {

 	out, _ = dockerCmd(c, "port", firstID, "80")

-	err := assertPortList(c, out, []string{"0.0.0.0:9876"})

+	err := assertPortList(c, out, []string{"0.0.0.0:9876", "[::]:9876"})

 	// Port list is not correct

 	assert.NilError(c, err)

@@ -47,7 +47,7 @@ github.com/grpc-ecosystem/go-grpc-middleware        3c51f7f332123e8be5a157c0802a

 # libnetwork

 # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly

-github.com/docker/libnetwork                        fa125a3512ee0f6187721c88582bf8c4378bd4d7 

+github.com/docker/libnetwork                        b3507428be5b458cb0e2b4086b13531fb0706e46

 github.com/docker/go-events                         e31b211e4f1cd09aa76fe4ac244571fab96ae47f

 github.com/armon/go-radix                           e39d623f12e8e41c7b5529e9a9dd67a1e2261f80

 github.com/armon/go-metrics                         eb0af217e5e9747e41dd5303755356b62d28e3ec

@@ -49,8 +49,16 @@ func (n *bridgeNetwork) allocatePortsInternal(bindings []types.PortBinding, cont

 			}

 			bs = append(bs, bIPv4)

 		}

+

 		// Allocate IPv6 Port mappings

-		if ok := n.validatePortBindingIPv6(&bIPv6, containerIPv6, defHostIP); ok {

+		// If the container has no IPv6 address, allow proxying host IPv6 traffic to it

+		// by setting up the binding with the IPv4 interface if the userland proxy is enabled

+		// This change was added to keep backward compatibility

+		containerIP := containerIPv6

+		if ulPxyEnabled && (containerIPv6 == nil) {

+			containerIP = containerIPv4

+		}

+		if ok := n.validatePortBindingIPv6(&bIPv6, containerIP, defHostIP); ok {

 			if err := n.allocatePort(&bIPv6, ulPxyEnabled); err != nil {

 				// On allocation failure, release previously allocated ports. On cleanup error, just log a warning message

 				if cuErr := n.releasePortsInternal(bs); cuErr != nil {

@@ -67,7 +75,7 @@ func (n *bridgeNetwork) allocatePortsInternal(bindings []types.PortBinding, cont

 // validatePortBindingIPv4 validates the port binding, populates the missing Host IP field and returns true

 // if this is a valid IPv4 binding, else returns false

 func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, containerIPv4, defHostIP net.IP) bool {

-	//Return early if there is a valid Host IP, but its not a IPv6 address

+	//Return early if there is a valid Host IP, but its not a IPv4 address

 	if len(bnd.HostIP) > 0 && bnd.HostIP.To4() == nil {

 		return false

 	}

@@ -85,10 +93,10 @@ func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, containe

 }

 // validatePortBindingIPv6 validates the port binding, populates the missing Host IP field and returns true

-// if this is a valid IP6v binding, else returns false

-func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containerIPv6, defHostIP net.IP) bool {

-	// Return early if there is no IPv6 container endpoint

-	if containerIPv6 == nil {

+// if this is a valid IPv6 binding, else returns false

+func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containerIP, defHostIP net.IP) bool {

+	// Return early if there is no container endpoint

+	if containerIP == nil {

 		return false

 	}

 	// Return early if there is a valid Host IP, which is a IPv4 address

@@ -108,9 +116,8 @@ func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, containe

 			return false

 		}

 	}

-	bnd.IP = containerIPv6

+	bnd.IP = containerIP

 	return true

-

 }

 func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled bool) error {

@@ -132,7 +139,7 @@ func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled bool)

 	portmapper := n.portMapper

-	if bnd.IP.To4() == nil {

+	if bnd.HostIP.To4() == nil {

 		portmapper = n.portMapperV6

 	}

@@ -512,8 +512,14 @@ func filterOutput(start time.Time, output []byte, args ...string) []byte {

 // Raw calls 'iptables' system command, passing supplied arguments.

 func (iptable IPTable) Raw(args ...string) ([]byte, error) {

 	if firewalldRunning {

+		// select correct IP version for firewalld

+		ipv := Iptables

+		if iptable.Version == IPv6 {

+			ipv = IP6Tables

+		}

+

 		startTime := time.Now()

-		output, err := Passthrough(Iptables, args...)

+		output, err := Passthrough(ipv, args...)

 		if err == nil || !strings.Contains(err.Error(), "was not provided by any .service files") {

 			return filterOutput(startTime, output, args...), err

 		}