PF No packet redirection through localhost to podman container

Hi,
I have been searching for a while for a solution to my problem but have found none.

I start by providing my /etc/pf.conf:
Code:
ext_if = "lagg0"
int_if = "vm0"
localnet = $int_if:network

table <cni-nat> persist

scrub in all fragment reassemble no-df max-mss 1440

nat on $ext_if inet from { self, $localnet } to any -> ($ext_if) static-port
nat on $ext_if inet from <cni-nat> to any -> ($ext_if) static-port

nat-anchor "vpn/*"
nat-anchor "cni-rdr/*"

rdr-anchor "vpn/*"
rdr-anchor "cni-rdr/*"

block all

pass proto icmp

anchor "vpn/*"
anchor "cni-rdr/*"

pass in on $ext_if proto tcp from $ext_if:network to any port 2049 flags S/SA keep state
pass in on $ext_if proto { tcp, udp } from $ext_if:network to any port 7745

pass from { self, $localnet } to any keep state
pass from <cni-nat> to any keep state

/etc/sysctl.conf contains net.pf.filter_local=1.

After a system restart, the host has access to network resources but can't connect to the application in the container through localhost.
After restarting the pf service I can access the application in the container using localhost, but any other connection
is blocked by the firewall (checked with block log all).
Loading the configuration with pfctl -vf /etc/pf.conf changes nothing in either case.

I have also tested the example configuration, with the same results.

P.S. Commands I have been using for connection testing:
Code:
podman run --rm --name freebsd -p 8080:8080 -it ghcr.io/freebsd/freebsd-toolchain:15.0 nc -l 8080
for the container, and nc localhost 8080 for the client.
 
You're not doing any NAT on the loopback interface. All of the "on" statements specify non-loopback interfaces, so none of your rules will fire.
 
Hi Mate

I have been doing some work on Podman:

Podman Freebsd install
Podman notes
Root dotfiles

 
You're not doing any NAT on the loopback interface. All of the "on" statements specify non-loopback interfaces, so none of your rules will fire.
In line with the instructions, if I understand correctly,
Code:
nat-anchor "cni-rdr/*"
rdr-anchor "cni-rdr/*"
are responsible for the network translation of connections between localhost and the container.

Thank you for the notes.
I have checked the pf configuration you provided and couldn't find a significant difference.
 
I have checked the rules added during the start of the container:

Code:
# pfctl -s Anchors
  cni-rdr
  cni-rdr/4468047a7485d6e9181ea17ae477767f
# pfctl -a 'cni-rdr/4468047a7485d6e9181ea17ae477767f' -s nat
nat on cni-podman0 inet proto tcp from (lo0) to 10.88.0.3 port = http-alt -> (cni-podman0) round-robin
rdr pass inet proto tcp from any to 127.0.0.1 port = http-alt -> 10.88.0.3 port 8080
rdr pass inet proto tcp from any to 192.168.24.1 port = http-alt -> 10.88.0.3 port 8080
rdr pass inet proto tcp from any to 192.168.8.47 port = http-alt -> 10.88.0.3 port 8080
rdr pass inet proto tcp from any to 172.23.0.2 port = http-alt -> 10.88.0.3 port 8080
rdr pass inet proto tcp from any to 10.88.0.1 port = http-alt -> 10.88.0.3 port 8080

pfctl -a 'cni-rdr/*' -s nat, or any other command using cni-rdr/*, returns nothing.

Verifying with tcpdump on lo0, cni-podman0 and the interface created for the jail, packets are redirected:
(attached screenshot: tcpdump output)

On another system, after an upgrade from 14.3-RELEASE to 15.0-RELEASE, I encountered a similar problem, but with a jail with vnet=new and an epair interface connected to a bridge. Packets moving between them are seen on the other ends, but I cannot achieve a connection on the same host (jail <-> host, jail <-> jail).
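The listing above shows that the rdr rules carry no "on" clause (so they apply on every interface, lo0 included), while the only nat rule in the anchor is bound to cni-podman0. To make that kind of check repeatable, here is an added example (my own code, not from the thread, podman or pf): a small parser for the rule lines that pfctl -s nat prints, plus a matcher that reports which translation rules could fire for a given flow, e.g. a loopback connection to 127.0.0.1:8080. The sample input embeds the anchor listing from this post and one constructed line standing in for the main ruleset's nat on lagg0 (assumed expansion, not real pfctl output). Simplifications, stated as assumptions: rule order and first-match semantics are not modelled, source addresses are not evaluated, and tables (<name>) or interface groups ((ifname)) in the destination are treated as non-matching.

```python
"""Parse `pfctl -a <anchor> -s nat` output and find rules that could
match a flow. Added example for the thread above; constructed input."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# pf prints service names from /etc/services instead of numbers;
# this is a small hand-written subset, extend as needed.
SERVICES = {"http-alt": 8080, "http": 80, "https": 443, "nfsd": 2049}

# Constructed sample: the anchor listing from the post plus one line
# assumed to represent the main ruleset's `nat on $ext_if` rule.
SAMPLE_OUTPUT = """\
# pfctl -s nat   (constructed line for the main ruleset, ext_if = lagg0)
nat on lagg0 inet from 192.168.24.0/24 to any -> (lagg0) static-port
# pfctl -a 'cni-rdr/4468047a7485d6e9181ea17ae477767f' -s nat
nat on cni-podman0 inet proto tcp from (lo0) to 10.88.0.3 port = http-alt -> (cni-podman0) round-robin
rdr pass inet proto tcp from any to 127.0.0.1 port = http-alt -> 10.88.0.3 port 8080
rdr pass inet proto tcp from any to 192.168.24.1 port = http-alt -> 10.88.0.3 port 8080
rdr pass inet proto tcp from any to 192.168.8.47 port = http-alt -> 10.88.0.3 port 8080
rdr pass inet proto tcp from any to 172.23.0.2 port = http-alt -> 10.88.0.3 port 8080
rdr pass inet proto tcp from any to 10.88.0.1 port = http-alt -> 10.88.0.3 port 8080
"""


@dataclass
class NatRule:
    action: str            # "nat" or "rdr"
    iface: Optional[str]   # from "on <if>"; None means any interface
    proto: Optional[str]   # "tcp"/"udp"; None means any protocol
    src: str               # kept verbatim, not evaluated (simplification)
    dst: str               # "any", an address, or a CIDR
    dport: Optional[int]   # destination port filter; None means any
    target: str            # translation address after "->"
    tport: Optional[int]   # translated port; None means unchanged


RULE_RE = re.compile(
    r"^(?P<action>nat|rdr)(?:\s+pass)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+inet6?)?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=?\s*(?P<dport>\S+))?"
    r"\s+->\s+(?P<target>\S+)"
    r"(?:\s+port\s+(?P<tport>\S+))?"
)


def port_number(token: str) -> int:
    """Resolve a service name or numeric port string to an int."""
    return SERVICES.get(token) or int(token)


def parse_rules(text: str) -> List[NatRule]:
    """Parse every nat/rdr line; prompts, comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rules.append(NatRule(
            action=d["action"], iface=d["iface"], proto=d["proto"],
            src=d["src"], dst=d["dst"],
            dport=port_number(d["dport"]) if d["dport"] else None,
            target=d["target"],
            tport=port_number(d["tport"]) if d["tport"] else None,
        ))
    return rules


def dst_matches(rule_dst: str, dst_ip: str) -> bool:
    """'any' matches everything; addresses/CIDRs are compared; tables
    and (ifname) groups are not resolved here and count as no match."""
    if rule_dst == "any":
        return True
    try:
        net = ipaddress.ip_network(rule_dst, strict=False)
    except ValueError:
        return False
    return ipaddress.ip_address(dst_ip) in net


def rules_matching(rules, iface: str, proto: str, dst_ip: str, dport: int):
    """Rules that could translate a packet seen on `iface` to dst:port.
    A rule without 'on' applies on every interface, lo0 included."""
    hits = []
    for r in rules:
        if r.iface is not None and r.iface != iface:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if dst_matches(r.dst, dst_ip):
            hits.append(r)
    return hits


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_OUTPUT)
    for flow in [("lo0", "tcp", "127.0.0.1", 8080),
                 ("cni-podman0", "tcp", "10.88.0.3", 8080),
                 ("lagg0", "tcp", "192.168.8.47", 8080)]:
        print(flow)
        for r in rules_matching(parsed, *flow):
            print(f"  {r.action} on {r.iface or 'any'} -> {r.target}:{r.tport or 'same'}")
```

Run it against real output by piping pfctl -a 'cni-rdr/<id>' -s nat (one anchor at a time; pfctl -vs Anchors lists nested anchor names) into parse_rules instead of the constructed sample.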
 
I have found that on 15.0-RELEASE only the bridge can have an IP address. Do not assign a static IP address to the physical interface or allow it to fetch one via DHCP. This may be something that also affects Podman on FreeBSD 15.0, I have not tried it with a bridge that has a lagg0 parent.

I have started using dhcpcd for some machines with IPv6, as I am using it with Void Linux. For the time being, on FreeBSD 15.0-RELEASE I am only using static assignments when a bridge is in /etc/rc.conf. I need to learn more about configuring dhcpcd on FreeBSD.
 
On the devices where I have the issue with podman, my interfaces are not members of any bridge. On one (a laptop) I have configured lagg to fall back between wlan and the physical connection.
These computers act as routers, so I cannot assign the interfaces for the external network to bridges that act as switches in the internal network.
Bridges have an assigned IP address, and the interface from the epair that is assigned to the jail has an IP address. The other interface from the epair is left without an IP address.
The case after the upgrade that I mentioned is somewhat different, and I mentioned it because in my opinion the root cause of the problem may be the same. At this point, I'm assuming that changes in the network stack in FreeBSD after 14 may have an impact on that.
 