pasta port forwarding on IPv6 system

[raylu]

I have a debian system with IPv4 and IPv6 connectivity running podman 5.6.1 and passt_0.0~git20250919.623dbf6-1_arm64

$ podman network inspect podman
          "ipv6_enabled": false,

if I run an apache container and bind it to the IPv4 localhost, I can hit it

$ podman run --rm -p 127.0.0.1:8080:80/tcp docker.io/library/httpd
$ curl localhost:8080 # this works

I can exec in and see that it bound a tcp6 socket

root@cbf500dfaa87:/usr/local/apache2# netstat -tnlp
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::80                   :::*                    LISTEN      1/httpd

and outside, I have pasta

$ netstat -tnlp
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      129904/pasta

---

I'm running a docspell container

$ podman run --rm -v ./docspell.conf:/opt/docspell.conf -p 127.0.0.1:7880:7880 docspell/restserver /opt/docspell.conf

and I've configured https://docspell.org/docs/configure/bind/ in docspell.conf

docspell.server {
    bind.address = "0.0.0.0"
}

it binds to an IPv4 socket (proto isn't tcp6) but it sure looks like an IPv6 address to me

$ podman exec -it docspell-rest bash
f33e3a247df1:/opt# netstat -tnlp
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 :::7880                 :::*                    LISTEN      1/java
f33e3a247df1:/opt# curl localhost:7880 # this works
d0406f8f8be5:/opt# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether be:c9:7c:1d:fb:b5 brd ff:ff:ff:ff:ff:ff
    inet 10.0.205.154/16 brd 10.0.255.255 scope global enp0s6
       valid_lft forever preferred_lft forever
    inet6 fe80::bcc9:7cff:fe1d:fbb5/64 scope link
       valid_lft forever preferred_lft forever

however, pasta hangs if I try to curl it outside the container

if I change the invocation to 7880:7880, then everything works, but now I'm exposing this port to the internet

---

if I tell pasta I want ipv4-only,

$ podman run --rm -v ./docspell.conf:/opt/docspell.conf --network pasta:--ipv4-only -p 127.0.0.1:7880:7880 docspell/restserver /opt/docspell.conf

I still get some inet6 addresses (I have lost IPv6 connectivity) and the bind looks the same

$ podman exec -it docspell-rest bash
386b485a63d4:/opt# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether 9e:46:54:3a:4a:6c brd ff:ff:ff:ff:ff:ff
    inet 10.0.205.154/16 brd 10.0.255.255 scope global enp0s6
       valid_lft forever preferred_lft forever
    inet6 fe80::9c46:54ff:fe3a:4a6c/64 scope link
       valid_lft forever preferred_lft forever
386b485a63d4:/opt# netstat -tnlp
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 :::7880                 :::*                    LISTEN      1/java

and I'm still not able to hit it outside the container

---

one really odd thing is that telling pasta to bind to IPv6 on the host works for some reason?

$ podman run --rm -v ./docspell.conf:/opt/docspell.conf --network pasta:--ipv4-only -p '[::]:7880:7880' docspell/restserver /opt/docspell.conf

nothing changes inside the container but now I'm able to hit it from outside

$ netstat -tnlp
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::7880                 :::*                    LISTEN      131325/pasta
$ curl localhost:7880 # this works now

---

I also tried telling docspell to bind to only podman's IPv4 address

docspell.server {
    bind.address = "10.0.205.154"
}

this is... pretty weird?

$ podman exec -it docspell-rest bash
351dc1d57e7b:/opt# netstat -tnlp
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 ::ffff:10.0.205.154:7880 :::*                    LISTEN      1/java

really no idea what's going on there. doesn't work, though

---

the wrinkle here is that I'm running wireguard on this server and I'd like to hit docspell over wireguard. that's an IPv4-only interface, so I want

$ podman run --rm -v ./docspell.conf:/opt/docspell.conf --network pasta:--ipv4-only -p 172.27.1.4:7880:7880 docspell/restserver /opt/docspell.conf