[systemd-devel] container networking and iptables
johannes.ernst at gmail.com
Fri Nov 20 20:36:16 PST 2015
Setting IPMasquerade on a systemd-managed interface (e.g. for running an nspawn container) automatically sets up a “masquerade" netfilter entry. If an iptables ruleset exists already, it adds to it. (I think)
But what if I want to change other my firewall rules (unrelated to the container) without breaking the container’s networking? How would I add the systemd-generate rule to be added back in?
Example (in Arch):
1. System boots
2. systemd starts iptables.service, which reads its rules from /etc/iptables/iptables.rules
3. I start a container with nspawn -n, so networkd adds the equivalent of
-A POSTROUTING -s 10.0.0.0/28 -j MASQUERADE
to the ruleset. (At least I think it does.) Everything works fine.
4. I change my firewall rules by editing /etc/iptables/iptables.rules
5. system restart iptables
and voila, my container’s network is broken.
It’d be nice if there were some kind of saying:
cat /etc/iptables/iptables.rules /run/systemd/iptables/rules | iptables-restore
Or is there some other way of accomplishing this?
More information about the systemd-devel