fix: allow binding containers on different IPs to the same port

[yankay]

Summary

Fixes #4786

The port conflict check introduced in PR #4097 (commit 04f836d) incorrectly reports "port is already allocated" when binding containers to different host IPs but the same port number. For example:

services:
  nginx-primary:
    ports:
      - "192.168.1.141:80:80"
      - "192.168.1.142:80:80"
  nginx-sec:
    ports:
      - "192.168.1.143:80:80"   # fails: port is already allocated

Root cause

1. ReadIPTables only read the CNI-HOSTPORT-DNAT parent chain, which dispatches by port but does not include -d <ip> destination IP filtering. The actual IP filtering is in CNI-DN-* sub-chains.
2. ParseIPTableRules only extracted port numbers from --dports and completely ignored destination IPs.

This made every iptables-managed port appear globally allocated regardless of which host IP it was bound to.

Fix

• ReadIPTables: Read CNI-DN-* sub-chains (which contain DNAT rules with both -d <ip> and --dport), falling back to the parent chain if no sub-chains exist.
• ParseIPTableRules: Return PortRule{IP, Port} instead of just port numbers. Parse both --dport (sub-chains) and --dports (parent chain), and extract -d <ip> destination.
• getUsedPorts: Filter iptables ports by IP overlap — wildcard addresses ("", 0.0.0.0, ::) conflict with everything; specific IPs only conflict with the same IP or wildcards.

Test plan

• Unit tests pass (go test ./pkg/portutil/...)
• Manual test: three containers on 127.0.0.1/127.0.0.2/127.0.0.3:8880 all start successfully
• Manual test: duplicate IP+port correctly rejected
• Manual test: 0.0.0.0 wildcard correctly conflicts with existing bindings
• Manual test: all containers accessible via curl (HTTP 200)

[Copilot]

Pull request overview

This PR fixes a regression in nerdctl’s Linux port-conflict detection so containers can bind the same host port on different host IPs without being incorrectly rejected as “already allocated” when CNI portmap iptables rules are present.

Changes:

• Read CNI portmap per-container DNAT sub-chains (CNI-DN-*) from iptables to capture destination-IP-specific bindings (with fallback to the parent chain when sub-chains don’t exist).
• Extend iptables rule parsing to return {IP, Port} pairs (supporting both --dports and --dport, and extracting -d <ip>).
• Update used-port filtering to only treat a port as conflicting when IPs overlap (wildcards conflict with everything; specific IPs only with same IP or wildcard).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
pkg/portutil/port_allocate_linux.go	Filters iptables-derived used ports by requested IP vs rule IP (wildcard-aware).
pkg/portutil/iptable/iptables.go	Changes parser output from ports-only to {IP, Port} and parses -d + --dport/--dports.
pkg/portutil/iptable/iptables_test.go	Updates unit tests for the new {IP, Port} parsing behavior and adds sub-chain cases.
pkg/portutil/iptable/iptables_linux.go	Reads CNI-DN-* sub-chains (and falls back to CNI-HOSTPORT-DNAT when absent).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.