[systemd-devel] container networking and iptables

Johannes Ernst johannes.ernst at gmail.com
Fri Nov 20 20:36:16 PST 2015


Setting IPMasquerade on a systemd-managed interface (e.g. for running an nspawn container) automatically sets up a “masquerade" netfilter entry. If an iptables ruleset exists already, it adds to it. (I think)

But what if I want to change other my firewall rules (unrelated to the container) without breaking the container’s networking? How would I add the systemd-generate rule to be added back in?

Example (in Arch):

1. System boots
2. systemd starts iptables.service, which reads its rules from /etc/iptables/iptables.rules
3. I start a container with nspawn -n, so networkd adds the equivalent of
    -A POSTROUTING -s 10.0.0.0/28 -j MASQUERADE
to the ruleset. (At least I think it does.) Everything works fine.

4. I change my firewall rules by editing /etc/iptables/iptables.rules
5. system restart iptables

and voila, my container’s network is broken.

It’d be nice if there were some kind of saying:
    cat /etc/iptables/iptables.rules /run/systemd/iptables/rules | iptables-restore
in iptables.service.

Or is there some other way of accomplishing this?

Thanks,



Johannes.



More information about the systemd-devel mailing list