Hi list, 

I am currently experimenting with podman with the ultimate goal of migrating my small private server from docker to podman. So far so good, but currently I am struggling with the nftables ruleset I was managing the firewall with. This setup worked well for docker, and I hoped that all I needed to do was to add the cni-podman0 interface to the list of container interfaces and be good to go. Unfortunately this is not the case.

This is clearly an issue with nftables and podman's CNI, since I am able to access any running container when I completely flush the ruleset. However, I want to post this question here and not in any nftables-related communities because maybe it is just my misunderstanding of the way podman handles networks. To clarify: I am speaking about rootful containers, since that required me to make the fewest changes to my ansible playbooks ;)

So, currently I have a running traefik container, port forwarding to ports 80 and 443 on the host; traefik is connected to the default network.

This is an excerpt of my nftables ruleset:

#!/usr/sbin/nft -f

flush ruleset

define podman = cni-podman0
define wan = eth0

table inet firewall {
    set tcp_accepted {
        type inet_service; flags interval;
        elements = { 80, 443 }
    }
    set container_interfaces {
        type ifname;
        elements = { docker0, dck-backend, cni-podman0 }
    }
    chain incoming {
        # hook declaration assumed here; it is not shown in the excerpt
        type filter hook input priority 0; policy drop;
...
        #iifname @container_interfaces accept
        iifname $podman accept
...
        iif $wan tcp dport @tcp_accepted ct state new accept
    }
    chain forwarding {
        type filter hook forward priority 0; policy drop;

        # Forward all established and related traffic. Drop invalid traffic.
        ct state established,related accept
        ct state invalid drop

        # Container traffic (new connections coming in from the bridge)
        #iifname @container_interfaces ct state new accept
        iifname $podman ct state new accept
    }
    chain outgoing {
        type filter hook output priority 0; policy drop;

        ct state new,established,related accept
        ct state invalid drop
    }
}

table ip router {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $wan masquerade persistent
    }
}

As you can see, I tried to just add the cni-podman0 interface to the set of container interfaces, since that worked fine when I created additional docker networks. However, this did not allow any incoming traffic to be routed towards the containers, while traffic originating from the containers could reach the internet without problems. Afterwards I tried to separate the podman interface from that set of interfaces, because ultimately I hope to need just one single podman network, but this is not working either. However, I am able to access the containers from the host itself: a curl localhost:80 returns a proper response.

As I said, this ruleset worked fine with docker containers, so maybe there is something about podman networking internals I am not yet aware of? Hopefully someone of you could kindly point me in the right direction. Thank you very much.
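The following is an added example for the situation described in the post; it is neither the poster's ruleset nor anything shipped by podman or CNI. It reuses the names from the post (eth0, cni-podman0, ports 80 and 443) and otherwise assumes everything else: the helper names podman_ruleset and forward_accepts_inbound, the complete ruleset text, and the two sample "nft list ruleset" outputs are all constructed for illustration. The point it demonstrates is the one that bites a "policy drop" forward chain with published container ports: a rule that accepts new connections with iifname $podman only covers the container-to-WAN direction, while packets for a published port arrive on the WAN interface, get DNATed towards the bridge, and then need their own accept in the forward chain (here matched with "ct status dnat", which is true only for connections that a nat rule has already rewritten).

```shell
#!/bin/sh
# Added example, not from the original post. Interface and port names follow
# the post; helper names, the ruleset and the sample outputs are constructed.

# A complete ruleset in the style of the excerpt. The rule that matters for
# published ports is the last one in the forward chain.
podman_ruleset() {
  cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

define podman = cni-podman0
define wan = eth0

table inet firewall {
    set tcp_accepted {
        type inet_service; flags interval;
        elements = { 80, 443 }
    }
    chain incoming {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        iifname $podman accept
        iifname $wan tcp dport @tcp_accepted ct state new accept
    }
    chain forwarding {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # containers -> anywhere
        iifname $podman ct state new accept
        # WAN -> published container ports: only connections that a
        # prerouting DNAT rule already rewrote towards the bridge
        iifname $wan oifname $podman ct status dnat ct state new accept
    }
    chain outgoing {
        type filter hook output priority 0; policy drop;
        ct state new,established,related accept
        ct state invalid drop
    }
}

table ip router {
    chain prerouting {
        type nat hook prerouting priority -100;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $wan masquerade persistent
    }
}
EOF
}

# Check an nft file or "nft list ruleset" output: exit 0 when the forward-hook
# chain has an accept rule for DNATed traffic ("ct status dnat") or for
# traffic leaving via the bridge ("oifname <bridge>"), exit 1 otherwise.
forward_accepts_inbound() {
  bridge=$1
  printf '%s\n' "$2" | awk -v br="$bridge" '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*chain [^{]*[{]/ { inchain=1; fwd=0; hit=0; next }
    inchain && /hook forward/ { fwd=1 }
    inchain && /accept/ && (/ct status dnat/ || $0 ~ ("oifname \"?" br "\"?")) { hit=1 }
    inchain && /^[[:space:]]*[}][[:space:]]*$/ { if (fwd && hit) found=1; inchain=0 }
    END { exit found ? 0 : 1 }'
}

# Constructed "nft list ruleset" output for a forward chain like the post's:
# only the outbound direction is accepted, inbound DNATed packets are dropped.
SAMPLE_OUTBOUND_ONLY='table inet firewall {
	chain forwarding {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		ct state invalid drop
		iifname "cni-podman0" ct state new accept
	}
}'

# Same chain with an explicit rule for the inbound direction.
SAMPLE_BOTH_WAYS='table inet firewall {
	chain forwarding {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname "cni-podman0" ct state new accept
		iifname "eth0" oifname "cni-podman0" ct state new accept
	}
}'

if [ "${1:-}" = "--demo" ]; then
  for name in SAMPLE_OUTBOUND_ONLY SAMPLE_BOTH_WAYS; do
    eval "text=\$$name"
    if forward_accepts_inbound cni-podman0 "$text"; then
      echo "$name: forward chain accepts inbound to cni-podman0"
    else
      echo "$name: forward chain drops inbound to cni-podman0"
    fi
  done
  # live host: forward_accepts_inbound cni-podman0 "$(nft list ruleset)"
  podman_ruleset | nft -c -f -   # syntax check only, loads nothing
fi
```

Two caveats for anyone adapting this. First, "nft -c -f" only parses the file; run the checker against "$(nft list ruleset)" on the live host to see what is actually loaded, because rootful podman's CNI plugins add their own port-mapping (DNAT) and forward rules through iptables-nft when a container starts, and a file that begins with "flush ruleset" deletes those tables along with everything else. After reloading such a file the published-port DNAT is gone until the containers are restarted or the rules are re-created with "podman network reload". Second, "ct status dnat" accepts only connections that some nat rule already rewrote, so it does not open the bridge to arbitrary WAN traffic; a plain "oifname $podman accept" would, which is why the checker treats it as sufficient but the ruleset above does not use it.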