Hi list,
I am currently experimenting with podman with the ultimate goal to migrate
my small private server from docker to podman. So far so good, but
currently I am struggling with the nftables ruleset which I was managing
the firewall with. This setup was quite good for docker, and I hoped that
all I needed to do was to add the cni-podman0 interface to the list of
container interfaces and be good to go. Unfortunately this is not the case.
This is clearly an issue with nftables and podman's CNI, since I am able to
access any running containers when I completely flush the ruleset. However
I want to post this question here and not in any nftables related
communities because maybe that's just my misunderstanding of the way
podman handles networks. To clarify: I am speaking about rootful
containers, since that required me to make the fewest changes to my ansible
playbooks ;)
So, currently I have a running traefik container, port forwarding to ports
80 and 443 on the host; traefik is connected to the default network.
This is an excerpt of my nftables ruleset:
#!/usr/sbin/nft -f
flush ruleset
define podman = cni-podman0
define wan = eth0
table inet firewall {
    set tcp_accepted {
        type inet_service; flags interval;
        elements = {
            80,443
        }
    }
    set container_interfaces {
        type ifname;
        elements = {
            docker0,dck-backend,cni-podman0
        }
    }
    chain incoming {
        ...
        #iifname @container_interfaces accept
        iifname $podman accept
        ...
        iif $wan tcp dport @tcp_accepted ct state new accept
    }
    chain forwarding {
        type filter hook forward priority 0; policy drop;
        # Forward all established and related traffic. Drop invalid traffic.
        ct state established,related accept
        ct state invalid drop
        # Docker
        #iifname @container_interfaces ct state new accept
        iifname $podman ct state new accept
    }
    chain outgoing {
        type filter hook output priority 0; policy drop;
        ct state new,established,related accept
        ct state invalid drop
    }
}
table ip router {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $wan masquerade persistent
    }
}
As you can see I tried to just add the cni-podman0 interface to the set of
container interfaces, since that worked fine when I created additional
docker networks. However this did not allow any incoming traffic to be
routed towards the containers, but traffic originating from the containers
could reach the internet without problems. Afterwards I tried to separate
the podman interface from that set of interfaces because ultimately I hope
to just need one single podman network, but this is also not working.
However, I am able to access the containers from the host itself; a curl
localhost:80 returns a proper response.
As I said, this ruleset worked very well with docker containers, so maybe
there is something about podman networking internals I am not yet aware of?
Hopefully one of you could kindly point me in the right direction.
Thank you very much.