-
Hi, The above image shows a wireshark capture from my client device (192.168.1.20) connecting to the podman host (192.168.1.10) on port 5000 which is published by a container running with two podman networks, a MACVLAN and a bridge network. The IP 10.95.0.26 is the IP address the container has on the bridge network. The outgoing packets from the container are not properly masqueraded to the host IP address and my client will reject them. All of this is with rootful containers. My questionWhat is the expected behaviour? What I expect to happen: Should this be filed as a bug, in what repository in that case? Detailed setup and reproductionI have a client device on a local network together with the podman host:
On this network a DHCP server hands out IP addresses. The subnet is 192.168.1.0/24. The MACVLAN network's parent interface is connected to the local network. Defined by the file:
The bridge network in defined by this file:
Run a container with both networks and a port publish (I've used On the client device attempt to connect to the podman host on the published port: Observe the behaviour I mentioned above. Incoming connections to 192.168.1.10:5000 will have responses sent with a source IP address in 10.95.0.0/16. If I omit Podman host details
|
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
This is not an issue with podman, it's a routing issue. The routing table in the container with the above setup will look something like:
Since the bridge network uses DNAT the incoming packets still has source address 192.168.1.20. Response packets will then be routed via There are some solutions using connection marking and alternative routing tables that I'm going give a shot, described here: |
Beta Was this translation helpful? Give feedback.
This is not an issue with podman, it's a routing issue.
The routing table in the container with the above setup will look something like:
Since the bridge network uses DNAT the incoming packets still has source address 192.168.1.20. Response packets will then be routed via
eth0
in this case, regardless of which interface they came from. I wrongly assumed that response packets would be sent back on the same interface they came from.There are some soluti…