
Podman is not compatible with nat rules
Closed, ResolvedPublicBUG

Description

VyOS has added containers with podman. When a container is created, podman will try to use iptables to create source nat rules. However, VyOS uses nftables to create nat rules. After a nat rule is created (especially when the target is masquerade), the command iptables -t nat -L will not work. Next, if we try to add a container, podman will return the error: Error adding network: failed to list chains: running [/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.2 (nf_tables): table 'nat' is incompatible, use 'nft' tool.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

@Yuanandyuan Can you reproduce it with the vyos cli? Or with raw podman commands?

Port mapping will be available after that PR https://github.com/vyos/vyos-1x/pull/818
I think for user-defined networks it should be some rules in vyos-cli for DNAT.

As I understand it, the native portmap plugin uses iptables only:
https://github.com/containernetworking/plugins

To reproduce the bug, we need to add a source nat rule first.

configure
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address masquerade
commit
save
exit

Then if we try to list the nat tables with iptables (iptables -t nat -L), we will get an error like: table 'nat' is incompatible, use 'nft' tool.
Next, if we use podman to create a container (sudo podman run -d ubuntu:latest), podman will return the error because it looks up nat rules with iptables.

dmbaturin set Issue type to Unspecified (please specify).
Viacheslav closed this task as Resolved. Edited Jan 10 2024, 8:56 PM
Viacheslav claimed this task.

We use the netavark plugin for the containers, which fixes this.

set container name alp01 image 'alpine'
set container name alp01 network NET01
set container network NET01 prefix '100.64.0.0/24'

check:

vyos@r4# sudo nft list table ip nat
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
	chain VYOS_PRE_SNAT_HOOK {
		type nat hook postrouting priority srcnat - 1; policy accept;
		return
	}

	chain NETAVARK-CD96EA02B89A8 {
		ip daddr 100.64.0.0/24 counter packets 0 bytes 0 accept
		ip daddr != 224.0.0.0/4 counter packets 0 bytes 0 masquerade
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 0 bytes 0 jump NETAVARK-HOSTPORT-MASQ
		ip saddr 100.64.0.0/24 counter packets 0 bytes 0 jump NETAVARK-CD96EA02B89A8
	}

	chain NETAVARK-HOSTPORT-SETMARK {
		counter packets 0 bytes 0 meta mark set mark or 0x2000
	}

	chain NETAVARK-HOSTPORT-MASQ {
		 meta mark & 0x00002000 == 0x00002000 counter packets 0 bytes 0 masquerade
	}

	chain NETAVARK-HOSTPORT-DNAT {
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		fib daddr type local counter packets 0 bytes 0 jump NETAVARK-HOSTPORT-DNAT
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		fib daddr type local counter packets 0 bytes 0 jump NETAVARK-HOSTPORT-DNAT
	}
}
[edit]
vyos@r4# sudo nft list table ip filter
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain NETAVARK_FORWARD {
		ip daddr 100.64.0.0/24 ct state related,established counter packets 0 bytes 0 accept
		ip saddr 100.64.0.0/24 counter packets 0 bytes 0 accept
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		 counter packets 0 bytes 0 jump NETAVARK_FORWARD
	}
}
[edit]
vyos@r4#

vyos@r4# run show version all | match netav
ii  netavark                             1.4.0-4                          amd64        Rust based network stack for containers
[edit]
vyos@r4#
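As an added example (not from this task, VyOS or netavark), a small Python parser for the nft listing above: it extracts the base chains of the nat table and orders them per hook by priority, which shows that VYOS_PRE_SNAT_HOOK (priority srcnat - 1) is evaluated before netavark's POSTROUTING (priority srcnat). The sample listing is a trimmed copy of the output quoted above, and PRIORITY_NAMES holds the standard nft(8) priority names for the ip family.

```python
import re

# Constructed sample: `nft list table ip nat` from this task, trimmed to the
# chain headers (rule bodies do not affect hook ordering).
NFT_NAT_TABLE = """
table ip nat {
    chain VYOS_PRE_SNAT_HOOK {
        type nat hook postrouting priority srcnat - 1; policy accept;
    }
    chain NETAVARK-CD96EA02B89A8 {
        ip daddr != 224.0.0.0/4 counter packets 0 bytes 0 masquerade
    }
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
    }
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }
}
"""

# Standard nftables priority names (ip family), from nft(8).
PRIORITY_NAMES = {"raw": -300, "mangle": -150, "dstnat": -100,
                  "filter": 0, "security": 50, "srcnat": 100}

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+([^;]+);")

def parse_priority(expr):
    """Turn 'srcnat - 1', '-100' or 'dstnat' into an integer priority."""
    total = 0
    for sign, tok in re.findall(r"([+-]?)\s*(\w+)", expr):
        val = PRIORITY_NAMES.get(tok)
        val = int(tok) if val is None else val
        total += -val if sign == "-" else val
    return total

def base_chains(listing):
    """Return {hook: [(priority, chain), ...]}, sorted in evaluation order."""
    hooks, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)   # remember which chain we are inside
            continue
        m = HOOK_RE.search(line)
        if m and current:          # only base chains carry a hook line
            _type, hook, prio = m.groups()
            hooks.setdefault(hook, []).append((parse_priority(prio), current))
    return {h: sorted(v) for h, v in hooks.items()}

def evaluation_order(listing, hook):
    """Chain names for one hook, lowest priority (run first) to highest."""
    return [name for _, name in base_chains(listing).get(hook, [])]
```

Chains without a `type ... hook` line (such as NETAVARK-CD96EA02B89A8) are regular chains reached only by jump and are therefore ignored.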