diff --git a/src/nspawn/nspawn-expose-ports.c b/src/nspawn/nspawn-expose-ports.c
index c368b205635..3bce3241021 100644
--- a/src/nspawn/nspawn-expose-ports.c
+++ b/src/nspawn/nspawn-expose-ports.c
@@ -2,6 +2,7 @@
 
 #include "sd-netlink.h"
 
+#include "af-list.h"
 #include "alloc-util.h"
 #include "fd-util.h"
 #include "firewall-util.h"
@@ -82,9 +83,9 @@ void expose_port_free_all(ExposePort *p) {
         }
 }
 
-int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, union in_addr_union *exposed) {
+int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed) {
         ExposePort *p;
-        int r, af = AF_INET;
+        int r;
 
         assert(exposed);
 
@@ -106,19 +107,19 @@ int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, union in_addr_uni
                                 p->container_port,
                                 NULL);
                 if (r < 0)
-                        log_warning_errno(r, "Failed to modify firewall: %m");
+                        log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
         }
 
         *exposed = IN_ADDR_NULL;
         return 0;
 }
 
-int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, union in_addr_union *exposed) {
+int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed) {
         _cleanup_free_ struct local_address *addresses = NULL;
         union in_addr_union new_exposed;
         ExposePort *p;
         bool add;
-        int af = AF_INET, r;
+        int r;
 
         assert(exposed);
 
@@ -137,7 +138,7 @@ int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *
                         addresses[0].scope < RT_SCOPE_LINK;
 
         if (!add)
-                return expose_port_flush(fw_ctx, l, exposed);
+                return expose_port_flush(fw_ctx, l, af, exposed);
 
         new_exposed = addresses[0].address;
         if (in_addr_equal(af, exposed, &new_exposed))
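Review bot: The new `af` parameter of expose_port_flush() is taken from the caller but never checked, so a family other than AF_INET/AF_INET6 would reach the firewall call and make `af_to_name(af)` in the new log line hand a NULL to `%s`. Add `assert(IN_SET(af, AF_INET, AF_INET6));` next to the existing `assert(exposed);` at the top of the function; the same applies to the expose_port_execute hunk at -106 in this file, which drops its own `af = AF_INET` default in the same way. Both function bodies continue past the hunks shown here.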
@@ -160,7 +161,7 @@ int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *
                                 p->container_port,
                                 in_addr_is_null(af, exposed) ? NULL : exposed);
                 if (r < 0)
-                        log_warning_errno(r, "Failed to modify firewall: %m");
+                        log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
         }
 
         *exposed = new_exposed;
diff --git a/src/nspawn/nspawn-expose-ports.h b/src/nspawn/nspawn-expose-ports.h
index 8cfabd97971..27cfccf0152 100644
--- a/src/nspawn/nspawn-expose-ports.h
+++ b/src/nspawn/nspawn-expose-ports.h
@@ -23,5 +23,5 @@ int expose_port_parse(ExposePort **l, const char *s);
 
 int expose_port_watch_rtnl(sd_event *event, int recv_fd, sd_netlink_message_handler_t handler, void *userdata, sd_netlink **ret);
 int expose_port_send_rtnl(int send_fd);
-int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, union in_addr_union *exposed);
-int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, union in_addr_union *exposed);
+int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed);
+int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed);
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 75cefe84142..3373a8b3729 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2471,7 +2471,8 @@ static int setup_kmsg(int kmsg_socket) {
 }
 
 struct ExposeArgs {
-        union in_addr_union address;
+        union in_addr_union address4;
+        union in_addr_union address6;
         struct FirewallContext *fw_ctx;
 };
 
@@ -2482,7 +2483,8 @@ static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *user
         assert(m);
         assert(args);
 
-        expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, &args->address);
+        expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET, &args->address4);
+        expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET6, &args->address6);
         return 0;
 }
 
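Review bot: The new `af` parameter on the two prototypes in nspawn-expose-ports.h is undocumented, and the contract it introduces is easy to get wrong: `exposed` is now per-family state, which is why the nspawn.c hunks keep separate `address4`/`address6` slots. A short comment above the two declarations would pin that down, for example `/* af is AF_INET or AF_INET6; *exposed holds the address currently exposed for that family and must not be shared between families. */`.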
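Review bot: The two new expose_port_execute() calls in on_address_change() discard the return value without the `(void)` cast that the run_container hunk at -4900 in this same commit uses for the identical call, so the two sites read inconsistently and the intent to ignore the result is only explicit in one of them. I'd write `(void) expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET, &args->address4);` and the same for the AF_INET6 line. The expose_port_flush() calls added at -5027 and -5582 in nspawn.c have the same omission; the removed lines already lacked the cast, so this is a style point on the new code rather than a regression.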
@@ -4900,7 +4902,8 @@ static int run_container(
                 if (r < 0)
                         return r;
 
-                (void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, &expose_args->address);
+                (void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
+                (void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
         }
 
         rtnl_socket_pair[0] = safe_close(rtnl_socket_pair[0]);
@@ -5027,7 +5030,8 @@ static int run_container(
                 return 0; /* finito */
         }
 
-        expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, &expose_args->address);
+        expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
+        expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
         (void) remove_veth_links(veth_name, arg_network_veth_extra);
         *veth_created = false;
 
@@ -5582,7 +5586,8 @@ finish:
                 (void) rm_rf(p, REMOVE_ROOT);
         }
 
-        expose_port_flush(&fw_ctx, arg_expose_ports, &expose_args.address);
+        expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET, &expose_args.address4);
+        expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET6, &expose_args.address6);
 
         if (veth_created)
                 (void) remove_veth_links(veth_name, arg_network_veth_extra);