Closed barzog closed 3 years ago
Yup. My bad. Working on fix already.
Also I must mention that on container stop the rules in the nat table's output chain are NOT deleted:

```
table ip nat { # handle 19
	chain output { # handle 3
		type nat hook output priority -100; policy accept;
		jump cni-npr-d5e70868487c6db0d91d248 # handle 7
	}

	chain cni-npr-d5e70868487c6db0d91d248 { # handle 5
		iifname != "cni0" tcp dport 8888 dnat to 10.88.0.7:8888 # handle 8
		iifname != "cni0" tcp dport 8889 dnat to 10.88.0.7:8889 # handle 9
	}
}
```

So this one remains. The rules in filter-forward and nat-postrouting are deleted.
I have the following setup:

```
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 3c:7c:3f:14:49:65 brd ff:ff:ff:ff:ff:ff
3: macvlan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 76:ba:1c:ce:93:6f brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.10/24 brd 192.168.2.255 scope global noprefixroute macvlan0
       valid_lft forever preferred_lft forever
4: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 46:d5:4b:4b:16:23 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global cni0
       valid_lft forever preferred_lft forever
```

eth0 is the master of the macvlan0@eth0 interface; cni0 is the podman CNI bridge interface.
I have a simple container with two port mappings:

```
382b2967e22c  linuxserver/oscam  6 minutes ago  Up 6 minutes ago  0.0.0.0:8888-8889->8888-8889/tcp  oscam
```
The problem is that when I do something like `telnet google.com 8888` from the host OS, it gets NATed to the container. So if I publish port 443, this nft DNATs all HTTPS traffic to the container.

```
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		jump cni-npo-e473f99609250c52ac6769b
		jump cni-npo-5e8c57a9412955846493f75
	}
}
```

I suspect that this is caused by cni-npr-e473f99609250c52ac6769b, which should not catch outgoing host packets.
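For readers hitting the same behaviour: the reason the rule above catches host traffic is that locally generated packets traverse the `output` NAT hook with no input interface at all, so `iifname != "cni0"` is true for every connection the host itself opens, and the DNAT applies regardless of the destination address. The ruleset below is an added illustration, not the plugin's code or a change from this thread; it reuses the chain name, port numbers and container address from the report and assumes `fib daddr type local` (the nftables analogue of a "destination is one of this host's addresses" check) as the way to scope the rule to published ports only.

```nft
# Added example, not from the issue or the CNI plugin. Chain name, ports and
# the 10.88.0.7 container address are taken from the report; the added
# "fib daddr type local" match is an assumption about how to scope the DNAT.
table ip nat {
	chain output {
		type nat hook output priority -100; policy accept;
		jump cni-npr-d5e70868487c6db0d91d248
	}

	chain cni-npr-d5e70868487c6db0d91d248 {
		# As reported (weak): matches every locally generated packet, because
		# host-originated traffic has no input interface, so "iifname != cni0"
		# is always true. "telnet google.com 8888" from the host is DNATed.
		#
		#   iifname != "cni0" tcp dport 8888 dnat to 10.88.0.7:8888
		#   iifname != "cni0" tcp dport 8889 dnat to 10.88.0.7:8889

		# Hardened (assumed fix): only rewrite packets whose destination is an
		# address owned by this host, i.e. a connection to the published
		# 0.0.0.0:8888-8889 hostports. Traffic to an external host on the same
		# port is left alone.
		iifname != "cni0" fib daddr type local tcp dport 8888 dnat to 10.88.0.7:8888
		iifname != "cni0" fib daddr type local tcp dport 8889 dnat to 10.88.0.7:8889
	}
}
```

To try it, save the block to a file and run `nft -c -f FILE` first, which parses and checks the ruleset without loading it (note that this file declares a `table ip nat`, so on a live box it merges with the existing table of that name). After `nft -f FILE`, `nft list chain ip nat cni-npr-d5e70868487c6db0d91d248` should show the `fib daddr type local` expression on each DNAT rule, and a host connection to an external address on port 8888 should no longer land on 10.88.0.7 while connections to 192.168.2.10:8888 still do. The stale-chain problem from the follow-up comment is separate: a scoped rule left behind after the container stops is still a DNAT to an address that may later be handed to another container, so chains in the `output` hook need the same teardown as the forward and postrouting ones.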