netavark
RFE: Use predictable names in standard iptables rules
At the moment (podman-4.5.0-1.fc38.x86_64), netavark calls rules with unpredictable names in standard iptables rules. E.g.
Chain POSTROUTING (policy ACCEPT)
...
NETAVARK-1D8721804F16F all -- 10.88.0.0/16 anywhere
Please move these unpredictable names into an extra rule with a fixed id (e.g. NETAVARK-POSTROUTING).
E.g. iptables should look like:
Chain POSTROUTING (policy ACCEPT)
NETAVARK-POSTROUTING all -- anywhere anywhere
Chain NETAVARK-POSTROUTING
NETAVARK-1D8721804F16F all -- 10.88.0.0/16 anywhere
I manage iptables myself, which includes an
iptables -t nat -F POSTROUTING
operation on reload. To keep foreign systems (netavark, CNI, Docker) operational, I need a well-known chain name which can be called from there.
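The reload sequence described above, written out as an added example (this is not netavark's, podman's or the reporter's own code): the script flushes the built-in nat POSTROUTING chain, re-adds its own rules, and then re-attaches a jump to the well-known chain by name, so whatever the container engine keeps inside that chain survives the reload. The chain name NETAVARK-POSTROUTING is the one proposed in the issue, not something netavark is known to create; the 192.0.2.0/24 masquerade rule, the eth0 interface and the DRY_RUN switch are constructed for the example, and has_jump is a hypothetical check that scans `iptables -t nat -S POSTROUTING` output for the jump that a flush without re-attachment would silently drop.

```sh
#!/bin/sh
# Added example, not netavark's code. Rebuild nat/POSTROUTING on a firewall
# reload without orphaning the rules a foreign system keeps in its own chain.
# Assumption: the foreign system only ever touches the chain named below.
FOREIGN_CHAIN="${FOREIGN_CHAIN:-NETAVARK-POSTROUTING}"
# DRY_RUN=1 prints the iptables commands instead of executing them, so the
# sequence can be reviewed on a host without root or iptables.
DRY_RUN="${DRY_RUN:-0}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Create the foreign chain if it is missing so the jump below cannot fail;
# -N on an existing chain errors, which is harmless and ignored here.
ensure_chain() {
    ipt -t nat -N "$1" 2>/dev/null || true
}

# The reload step from the issue: flush the built-in chain, restore local
# rules, then re-attach the well-known chain so its contents stay reachable.
reload_postrouting() {
    ensure_chain "$FOREIGN_CHAIN"
    ipt -t nat -F POSTROUTING
    # Constructed local rule: masquerade a private LAN leaving via eth0.
    ipt -t nat -A POSTROUTING -s 192.0.2.0/24 -o eth0 -j MASQUERADE
    # Without this line the container NAT rules still exist but are never hit.
    ipt -t nat -A POSTROUTING -j "$FOREIGN_CHAIN"
}

# Check a dump in 'iptables -t nat -S POSTROUTING' format for the jump to the
# given chain. Returns 0 when present, 1 when the reload dropped it.
has_jump() {
    printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING -j $2\$"
}

# Constructed sample dumps: one after a reload that forgot the jump, one
# after the sequence above.
BROKEN_DUMP='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.0.2.0/24 -o eth0 -j MASQUERADE'
OK_DUMP="$BROKEN_DUMP
-A POSTROUTING -j NETAVARK-POSTROUTING"

if [ "${1:-}" = "demo" ]; then
    DRY_RUN=1
    reload_postrouting
    has_jump "$OK_DUMP" "$FOREIGN_CHAIN" && echo "jump present"
    has_jump "$BROKEN_DUMP" "$FOREIGN_CHAIN" || echo "jump missing: container NAT unreachable"
fi
```

Run `sh reload.sh demo` to print the command sequence and exercise the check against both sample dumps; with DRY_RUN unset and root, the same functions apply the rules for real. The design point is that the reload only needs to know one stable name, which is exactly what the issue asks netavark to provide.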
Sounds like you could just use podman network reload --all to restore rules.
Either way, I have no problem with having an extra chain there. The only concern is that it should be backwards compatible, but I guess that shouldn't be a problem here. Are you interested in contributing a PR with the change?
Also, the name is predictable, btw; I am pretty sure it uses a sha256 hash based on the network name.
Sounds like you could just use podman network reload --all to restore rules.
It is too slow (18 containers):
# time podman network reload --all
real 0m8,161s
vs.
# time systemctl reload firewall@ipv4
real 0m0,374s
Are you interested in contributing a PR with the change?
OK, but I cannot work on it before next week.