[Podman] Re: Firewalling services provided by containers

Hello. I have tried Podman in Fedora 31. Not a rootless setup. Software versions: podman-1.6.2-2.fc31.x86_64 containernetworking-plugins-0.8.2-2.1.dev.git485be65.fc31.x86_64 IP and netmask of the Fedora machine in my network: 192.168.5.130/24. Podman creates, on the start of the first container, its default cni-podman0 bridge with IP and netmask 10.88.0.1/16. I wanted to play through a situation when we are migrating from a service (let's say, 9999/tcp) formerly provided by some software installed directly on the host to the same service provided by the same software, but in a podman container. And this software needs to be firewalled: there is a whitelist of IP addresses (let's say 192.158.5.30 and 192.168.5.44) that have the privilege to talk to 192.168.5.130:9999. With the old, non-containerized setup, implementing this kind of whitelist is trivial. Add a new firewalld zone, add thenecessary ports and whitelisted client IPs to it, set the target to REJECT or DROP, done. However, once I switch to a containerized service, the firewall becomes ineffective, because the packets hit the FORWARD chain, not INPUT. I could not find a good solution that works in terms of the exposed port (i.e. 9999, even if inside the container a different port is used). I could either add iptables rules (yuck... firewalld exists for a reason) to "raw" or "mangle" tables (but then I cannot reject), or do something in the "filter" table with "-p tcp -m tcp -m conntrack --ctorigdstport 9999" (that's better). I think that firewald could see some improvement here. In order to apply a whitelist of hosts that can connect, I should not need to care whether the service is provided by something running on the host, or by a container. OK, another crazy idea: is it possible to use slirp4netns instead of the default bridge for root-owned containers, just to avoid these INPUT-vs-FORWARD firewall troubles? -- Alexander E. Patrakov