From: Kamil Jońca <kjonca at op.pl>
To: podman at lists.podman.io
Subject: [Podman] Some questions about networking
Date: Wed, 05 Apr 2023 08:32:58 +0200
Message-ID: <87sfdeu9d1.fsf@alfa.kjonca>

I recently started playing with podman and non-root containers, and I think I missed something about networking.

Assume we have such a network on the host:

--8<---------------cut here---------------start------------->8---
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether b4:2e:99:f0:ae:57 brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.200/24 brd 192.168.200.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd1b:69d9:9e1d:0:b62e:99ff:fef0:ae57/64 scope global dynamic mngtmpaddr
       valid_lft forever preferred_lft forever
    inet6 fe80::b62e:99ff:fef0:ae57/64 scope link
       valid_lft forever preferred_lft forever
23: cni-podman0: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether ce:89:80:01:c8:e6 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::1c6d:52ff:fedb:9d9a/64 scope link
       valid_lft forever preferred_lft forever
--8<---------------cut here---------------end--------------->8---

There are no NAT/MASQUERADE rules in nftables.

$ podman network inspect podman
[
     {
          "name": "podman",
          "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9",
          "driver": "bridge",
          "network_interface": "podman0",
          "created": "2023-03-29T19:50:55.753738104+02:00",
          "subnets": [
               {
                    "subnet": "10.88.0.0/16",
                    "gateway": "10.88.0.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": false,
          "ipam_options": {
               "driver": "host-local"
          }
     }
]

I run a container with the command:

$ podman run -ti --log-level debug --network podman --name test test

then in the container:

--8<---------------cut here---------------start------------->8---
root@ddc54c227a9d:/# curl onet.pl
301 Moved Permanently

301 Moved Permanently

nginx
--8<---------------cut here---------------end--------------->8---

Why does the container have access outside the host? I would expect that I would need some rules to allow traffic between podman0 and eth0. Is it possible to configure this behavior?

Where can I find a description of the values in "podman network inspect"?

What is the difference (in this case) between macvlan and bridge (except root/non-root)?

KJ
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
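As an added example (not part of the message above and not podman's own code), the following Python script parses the JSON that `podman network inspect` prints, as quoted in the post, and reports the fields that decide where a container's traffic can go: the subnets and gateway, the interface name, and the `internal` flag, which is the switch podman exposes (via `podman network create --internal`) to block external access for a network. The first network in the sample is copied from the post; the second, `isolated`, is a hypothetical network with a placeholder id, added for contrast. The helper that maps a container address back to its network is also an assumption of this example.

```python
import ipaddress
import json
import sys

# Constructed sample: the `podman network inspect podman` output quoted in the
# message (id copied from the post), plus a hypothetical network created with
# `--internal`; its id is a placeholder, not a real podman value.
SAMPLE_INSPECT = json.dumps([
    {
        "name": "podman",
        "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9",
        "driver": "bridge",
        "network_interface": "podman0",
        "created": "2023-03-29T19:50:55.753738104+02:00",
        "subnets": [{"subnet": "10.88.0.0/16", "gateway": "10.88.0.1"}],
        "ipv6_enabled": False,
        "internal": False,
        "dns_enabled": False,
        "ipam_options": {"driver": "host-local"},
    },
    {
        "name": "isolated",  # hypothetical network for contrast
        "id": "<placeholder-network-id>",
        "driver": "bridge",
        "network_interface": "podman1",
        "created": "2023-04-05T08:00:00+02:00",  # constructed
        "subnets": [{"subnet": "10.89.0.0/24", "gateway": "10.89.0.1"}],
        "ipv6_enabled": False,
        "internal": True,
        "dns_enabled": True,
        "ipam_options": {"driver": "host-local"},
    },
])


def summarize_networks(inspect_json):
    """Return one dict per network with the reachability-relevant fields."""
    rows = []
    for net in json.loads(inspect_json):
        subnets = net.get("subnets", [])
        rows.append({
            "name": net["name"],
            "driver": net.get("driver"),
            "interface": net.get("network_interface"),
            "subnets": [s["subnet"] for s in subnets],
            "gateways": [s.get("gateway") for s in subnets],
            "ipv6": bool(net.get("ipv6_enabled", False)),
            "dns": bool(net.get("dns_enabled", False)),
            # "internal": true is podman's per-network switch that blocks
            # external access; a network without it can reach outside the host.
            "external_egress": not net.get("internal", False),
        })
    return rows


def networks_with_external_egress(inspect_json):
    """Names of networks whose containers are allowed to leave the host."""
    return [r["name"] for r in summarize_networks(inspect_json)
            if r["external_egress"]]


def find_network_for(inspect_json, address):
    """Map a container address to the network whose subnet contains it.

    Returns the network name, or None if no configured subnet matches
    (e.g. the host's own eth0 address). Hypothetical helper for this example.
    """
    ip = ipaddress.ip_address(address)
    for net in json.loads(inspect_json):
        for s in net.get("subnets", []):
            if ip in ipaddress.ip_network(s["subnet"], strict=False):
                return net["name"]
    return None


if __name__ == "__main__":
    # Pipe real output in (`podman network inspect podman | python3 this.py`)
    # or run without input to see the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for row in summarize_networks(data):
        status = "EXTERNAL EGRESS" if row["external_egress"] else "internal only"
        print(f'{row["name"]:10} {row["interface"]:10} '
              f'{", ".join(row["subnets"]):18} {status}')
```

Running it against the sample prints one line per network, with the `podman` network flagged as allowing external egress and the hypothetical `isolated` network as internal only; piping live `podman network inspect` output through it gives the same view for a real host.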