
Add outbound_addr to allow for SNAT instead of MASQ

Open lto-dev opened this issue 11 months ago • 3 comments

Added outbound_addr to the bridge driver.

I created a bridge-snat plugin to use this feature and do SNAT instead of MASQUERADE on certain networks, since I have multiple public IPs on the same machine and I needed the traffic to go out on them and not on the gateway. I can share the plugin as well if anyone wants it.

lto-dev, Feb 15 '25 05:02

Let me know if the modifications are OK.

lto-dev, Feb 17 '25 22:02

Note: I do not have time to properly review the rules right now. However, please make sure your commits make sense as individual units. Currently they are pretty meaningless, so I suggest you squash everything into one.

Luap99, Feb 25 '25 18:02

Ephemeral COPR build failed. @containers/packit-build please check.

For firewalld, this would force all of our NAT to be through rich rules, as the standard port-forwarding rules don't allow for this. Would be a pretty significant change if we wanted to make it.

mheon, Jul 22 '25 15:07

For firewalld, this would force all of our NAT to be through rich rules, as the standard port-forwarding rules don't allow for this. Would be a pretty significant change if we wanted to make it.

I guess we should throw an error if firewalld is used with this option. Given the likely low usage of firewalld users I don't think we need to implement this right now for this PR then.

Luap99, Jul 22 '25 16:07

Should we not have two options then, one for the ipv4_outbound address and one for the ipv6_outbound address, instead?

I was trying to mimic some of the Docker behavior; I use IPv4. I'll have to take a look into IPv6 SNAT for this if you decide you want it. When I started the PR I was reading that IPv6 NAT is discouraged, so I didn't approach it.

It looks like their bridge supports IPv6... or not; the documentation is kinda conflicting: com.docker.network.bridge.host_binding_ipv4 | all IPv4 and IPv6 addresses | Default IP when binding container ports.

Let me know if you want it and what names to use for it.

lto-dev, Jul 23 '25 16:07

I think for consistency it makes sense to have it, assuming kernel-wise it is basically the same rule with IPv6? If it turns out to be more complicated then I am fine with leaving it.

Naming wise I think outbound_addr4 and outbound_addr6 maybe?

Luap99, Jul 24 '25 16:07
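As an added illustration of the SNAT-versus-MASQUERADE distinction from the PR description and of the per-family naming and firewalld points discussed above (example code, not netavark's own): a helper that turns a proposed outbound_addr4 / outbound_addr6 value into the NAT action for a subnet. The `Firewall` enum, the option handling and the rule strings are assumptions for this example, not netavark's real API or rule set.

```rust
// Added example, not netavark code: derive the NAT action for a bridge
// network from an optional fixed outbound address. The Firewall enum and the
// nft-style rule strings are assumptions chosen to illustrate the thread.
use std::net::IpAddr;

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Firewall {
    Nftables,
    Iptables,
    Firewalld,
}

/// Build the NAT action for `subnet` (e.g. "10.88.0.0/16").
/// - No outbound address: MASQUERADE, which uses the egress interface's
///   address (the gateway IP the PR author wanted to avoid).
/// - Outbound address given: SNAT to that fixed address, but only when its
///   family matches the subnet and the driver is not firewalld, whose
///   standard port-forwarding rules cannot express this (per the thread).
pub fn nat_rule(
    subnet: &str,
    outbound: Option<&str>,
    firewall: Firewall,
) -> Result<String, String> {
    let prefix = subnet.split('/').next().unwrap_or(subnet);
    let subnet_ip: IpAddr = prefix
        .parse()
        .map_err(|e| format!("bad subnet {subnet}: {e}"))?;
    let family = if subnet_ip.is_ipv4() { "ip" } else { "ip6" };

    let addr = match outbound {
        // No SNAT address requested: keep the default dynamic behaviour.
        None => return Ok(format!("{family} saddr {subnet} masquerade")),
        Some(a) => a,
    };
    if firewall == Firewall::Firewalld {
        return Err("outbound address is not supported with the firewalld driver".into());
    }
    let out_ip: IpAddr = addr
        .parse()
        .map_err(|e| format!("bad outbound address {addr}: {e}"))?;
    if out_ip.is_ipv4() != subnet_ip.is_ipv4() {
        // A v4 SNAT target for a v6 subnet (or vice versa) can never apply.
        return Err(format!("address family of {addr} does not match {subnet}"));
    }
    if out_ip.is_loopback() || out_ip.is_unspecified() {
        return Err(format!("{addr} is not a usable source address"));
    }
    Ok(format!("{family} saddr {subnet} snat to {addr}"))
}
```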

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lto-dev, Luap99


openshift-ci[bot], Aug 06 '25 14:08

/lgtm

baude, Nov 17 '25 17:11

LGTM

baude, Nov 17 '25 17:11