fix(network): match each gateway to its subnet for dual-stack

[mayur-tolexo]

A single --gateway gets applied to every --subnet, so creating a dual-stack network and passing both gateways fails — the IPv6 gateway ends up checked against the IPv4 subnet:

$ nerdctl network create --driver bridge --ipv6 \
    --subnet 172.20.0.0/16 --subnet fd00:dead:beef:1::/64 \
    --gateway 172.20.0.1 --gateway fd00:dead:beef:1::1 mynet-dual
FATA[0000] no matching subnet "172.20.0.0/16" for gateway "fd00:dead:beef:1::1"

This makes --gateway repeatable (--subnet already is) and matches each gateway to the subnet it belongs to, so the v4 gateway goes with the v4 subnet and the v6 one with the v6 subnet. A gateway that isn't inside any subnet still errors out.

Same command after the change:

$ nerdctl network create --driver bridge --ipv6 \
    --subnet 172.20.0.0/16 --subnet fd00:dead:beef:1::/64 \
    --gateway 172.20.0.1 --gateway fd00:dead:beef:1::1 mynet-dual
ab70041865f6e3a9bddf26b62c398179a24d4ded8d6b7907c904bbc051f7a341

$ nerdctl network inspect mynet-dual | jq ".[0].IPAM.Config"
[
  {
    "Subnet": "172.20.0.0/16",
    "Gateway": "172.20.0.1"
  },
  {
    "Subnet": "fd00:dead:beef:1::/64",
    "Gateway": "fd00:dead:beef:1::1"
  }
]

--ip-range has the same single-value-per-network limitation on dual-stack (Docker takes it per subnet too). I kept this PR to --gateway to stay focused on #4951; happy to do --ip-range the same way as a follow-up.

Closes #4951.

[mayur-tolexo]

Ran the integration test locally (containerd v1.7.24, linux/arm64). The new dual-stack subtest plus the existing network create cases pass:

$ go test ./cmd/nerdctl/network/ -run "^TestNetworkCreate$" -count=1 -v
=== RUN   TestNetworkCreate
=== RUN   TestNetworkCreate/vanilla
=== RUN   TestNetworkCreate/with_MTU
=== RUN   TestNetworkCreate/with_ipv6
=== RUN   TestNetworkCreate/dual-stack_with_explicit_gateways
=== RUN   TestNetworkCreate/internal_enabled
--- PASS: TestNetworkCreate (0.00s)
PASS
ok  	github.com/containerd/nerdctl/v2/cmd/nerdctl/network	1.139s

[mayur-tolexo]

Checked this against Docker (29.4.0) to make sure the dual-stack behaviour lines up.

Docker:

$ docker network create --driver bridge --ipv6 \
    --subnet 10.83.0.0/16 --subnet fd00:cafe:1234::/64 \
    --gateway 10.83.0.1 --gateway fd00:cafe:1234::1 dt2
6d450fe9fbe6...
$ docker network inspect dt2 --format "{{json .IPAM.Config}}" | jq
[
  { "Subnet": "10.83.0.0/16", "Gateway": "10.83.0.1" },
  { "Subnet": "fd00:cafe:1234::/64", "Gateway": "fd00:cafe:1234::1" }
]

nerdctl with the same flags now gives the same result:

$ nerdctl network create --driver bridge --ipv6 \
    --subnet 10.83.0.0/16 --subnet fd00:cafe:1234::/64 \
    --gateway 10.83.0.1 --gateway fd00:cafe:1234::1 dt2
$ nerdctl network inspect dt2 --format "{{json .IPAM.Config}}" | jq
[
  { "Subnet": "10.83.0.0/16", "Gateway": "10.83.0.1" },
  { "Subnet": "fd00:cafe:1234::/64", "Gateway": "fd00:cafe:1234::1" }
]

One thing worth noting: Docker matches each gateway to whichever subnet contains it, not by position. Passing the gateways in reverse order still pairs them correctly, and this PR does the same (it is subnet.Contains(gw), not index based):

# both docker and nerdctl, gateways given v6-first
... --subnet 10.84.0.0/16 --subnet fd00:cafe:5678::/64 \
    --gateway fd00:cafe:5678::1 --gateway 10.84.0.1
-> 10.84.0.0/16          : 10.84.0.1
   fd00:cafe:5678::/64   : fd00:cafe:5678::1

And a gateway that is not inside any subnet errors the same way on both:

docker:  no matching subnet for gateway 192.168.1.1
nerdctl: no matching subnet for gateway "192.168.1.1"

[AkihiroSuda]

Is this compatible with Docker?
If yes, the description should correspond to it.

[mayur-tolexo]

Yes, it matches Docker. docker network create --gateway is repeatable and pairs each gateway with the subnet that contains it (verified on Docker 29.4.0, including reverse order and the no-matching-subnet error). I updated the flag help and the docs to Docker's wording, "IPv4 or IPv6 Gateway for the master subnet".

[sathiraumesh]

you can use the Tigron frameworks exit code constants

[mayur-tolexo]

Done, using expect.ExitCodeSuccess now.

[sathiraumesh]

you could refactor the code like this for more readability

if gw := net.ParseIP(g); gw != nil && subnet.Contains(gw) {
    gateway, used[j] = g, true
				break
} else {
   return nil, findIPv4, fmt.Errorf("failed to parse gateway 
}

[mayur-tolexo]

Pulled the parse out of the loop into a single up-front pass for readability. Kept it separate from the Contains check on purpose though: a valid gateway that is not in this subnet still belongs to another subnet on a dual-stack net, so an else error there would reject correct input.

[sathiraumesh]

why do we do this check here can't we kind of refactor this logic to the above group somehow i feel like this part is not kind of needed

[mayur-tolexo]

This one has to stay outside the loop, a gateway only counts as "no matching subnet" once every subnet has been checked. Docker errors the same way, so I kept it and tightened the comment.

[sathiraumesh]

is this used somewhere ?

[mayur-tolexo]

Yep, just below at parseIPAMRange(subnet, gatewayStr, ipRangeStr). Windows is single-subnet so it takes at most the first gateway.