@sairon sairon commented Oct 29, 2025

A bug introduced in Docker v28.2+ can cause slow container restarts in some cases because of the use of IPv4-mapped IPv6 addresses in the iptables command. Backport a simple patch from upstream to fix it before we bump to a newer Docker version.

Fixes #4363

Summary by CodeRabbit

  • Bug Fixes
    • Fixed IPv4 address handling in Docker bridge networking to ensure proper firewall rule generation.

coderabbitai bot commented Oct 29, 2025

Walkthrough

This patch modifies Docker's libnetwork bridge driver to unmap IPv4 addresses when retrieved from storage, ensuring IPv4-mapped IPv6 addresses are not propagated to iptables rules, addressing iptables-related contention during network initialization.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker libnetwork bridge driver patch: buildroot-external/patches/docker-engine/0001-Unmap-IPv4-addresses-loaded-from-store.patch | Adds Unmap() call on IPv4 addresses in netipAddrs function within libnetwork/drivers/bridge/bridge_linux.go to prevent IPv4-mapped IPv6 addresses from being used in iptables rules |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Single isolated change in an existing code path
  • Straightforward API call (Unmap()) with clear intent
  • Minimal scope: one patch file affecting one function

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The PR title "Fix Docker issue that could cause slow system startup" is directly related to the changeset. The patch addresses a Docker bug (introduced in v28.2+) that causes slow container restarts by implementing an upstream fix to unmap IPv4-mapped IPv6 addresses in iptables commands. The title accurately reflects the main objective of the PR—fixing a Docker-related performance issue—though it describes the symptom rather than the technical implementation detail (IPv4 unmapping). For a developer scanning history, the title clearly communicates that this PR fixes a Docker-related slowness issue, which is sufficient context for understanding the primary change. |
| Linked Issues Check | ✅ Passed | The PR directly addresses the root cause identified in linked issue #4363. The patch modifies the Docker bridge driver to unmap IPv4 addresses from netip.Addr conversions, preventing IPv4-mapped IPv6 addresses from being used in iptables commands. This precisely targets the "xtables contention detected" warnings and Docker startup hangs documented in issue #4363, which occur when Ethernet is connected at boot. The minimal, focused change (a single Unmap() call in an existing code path) aligns perfectly with the upstream fix being backported to resolve the performance degradation. |
| Out of Scope Changes Check | ✅ Passed | The changeset is limited to a single patch file that modifies the Docker bridge driver's handling of IPv4 addresses, which is entirely in scope with the linked issue #4363. The change unmaps IPv4 addresses to prevent their use as IPv4-mapped IPv6 addresses in iptables rules, directly addressing the root cause of the system stall. No additional, unrelated modifications are present in this PR; the patch is focused and minimal with no scope creep detected. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between af87ada and e9649c3.

📒 Files selected for processing (1)
  • buildroot-external/patches/docker-engine/0001-Unmap-IPv4-addresses-loaded-from-store.patch (1 hunks)
🔇 Additional comments (2)
buildroot-external/patches/docker-engine/0001-Unmap-IPv4-addresses-loaded-from-store.patch (2)

1-21: Patch metadata looks good.

The patch header is well-structured with proper Git format, clear author attribution, and documented chain of custody from upstream Docker. The description accurately explains the fix for IPv4-mapped IPv6 addresses in iptables rules.


22-33: Targeted fix correctly addresses the root cause.

The addition of v4.Unmap() at line 30 directly solves the IPv4-mapped IPv6 address issue in iptables rules. This minimal change ensures IPv4 addresses loaded from Docker's store are properly unmapped before being used in network rules, preventing the "xtables contention detected" warnings and system startup delays described in issue #4363.

The v6 address path (line 33) intentionally does not include an Unmap() call, which is correct since the issue specifically affects IPv4-mapped IPv6 addresses, not pure IPv6 addresses.



@sairon sairon merged commit b3a9e76 into dev Oct 29, 2025
3 checks passed
@sairon sairon deleted the fix-docker-ipv4-unmap-issue branch October 29, 2025 12:50
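
The address-form problem this pull request describes, as an added Go example that is not code from the PR, the backported patch, or Docker itself: an IPv4 address held as a 16-byte `net.IP` becomes an IPv4-mapped IPv6 `netip.Addr` unless `Unmap()` is applied. `loadAddr` and `hostPrefix` are hypothetical helpers, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
)

// loadAddr is a hypothetical stand-in for reading an address back from
// persisted state as a net.IP. net.ParseIP returns IPv4 addresses in 16-byte
// form, so the netip.Addr built from it is IPv4-mapped (::ffff:a.b.c.d).
func loadAddr(s string, unmap bool) (netip.Addr, error) {
	addr, ok := netip.AddrFromSlice(net.ParseIP(s))
	if !ok {
		return netip.Addr{}, fmt.Errorf("invalid address %q", s)
	}
	if unmap {
		// Unmap strips the ::ffff:0:0/96 prefix; other addresses are unchanged.
		addr = addr.Unmap()
	}
	return addr, nil
}

// hostPrefix renders addr as a single-host prefix, the shape an address
// argument in a firewall rule would take (constructed for illustration).
func hostPrefix(addr netip.Addr) string {
	return netip.PrefixFrom(addr, addr.BitLen()).String()
}

func main() {
	for _, s := range []string{"172.17.0.1", "fd00::1"} { // constructed samples
		raw, _ := loadAddr(s, false)
		fixed, _ := loadAddr(s, true)
		fmt.Printf("%-12s raw=%s (Is4=%v Is4In6=%v)  unmapped=%s (Is4=%v)\n",
			s, hostPrefix(raw), raw.Is4(), raw.Is4In6(),
			hostPrefix(fixed), fixed.Is4())
	}
}
```

Code that branches on `Is4()` or formats the address for an IPv4 rule sees the mapped value as IPv6, which is why normalizing at the point where addresses are loaded keeps every later consumer consistent.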
sairon added a commit that referenced this pull request Nov 3, 2025
A bug introduced in Docker v28.2+ can cause slow container restart in some
cases because of usage of IPv4 mapped IPv6 addresses in iptables command.
Backport a simple patch from upstream to fix it before we bump to a newer
Docker version.

Fixes #4363

(cherry picked from commit b3a9e76)
@sairon sairon mentioned this pull request Nov 3, 2025
@github-actions github-actions bot locked and limited conversation to collaborators Nov 6, 2025
Development

Successfully merging this pull request may close these issues.

HA stuck on "A start job is running for Docker Application Container Engine" when Ethernet cable is connected
