OpenWRT podman with slirp4netns network to create pod which has no access to internet but exposes service

Hi everyone,

I'm getting the following error when I attempt to start a podman container in OpenWRT. I'm not running OpenWRT in a container, I'm running OpenWRT on bare metal on x86-64.

root@OpenWrt:~# podman run \
> --rm -it \
> --user 1000 \
> --network slirp4netns -p 8081:8080 \
> docker.io/library/busybox \
> /bin/sh 
Error: /usr/bin/slirp4netns failed: "WARNING: Support for seccomp is experimental\nopen(\"/dev/net/tun\"): No such device\nWARNING: Support for IPv6 is experimental\nchild failed(1)\nWARNING: Support for IPv6 is experimental\n"
root@OpenWrt:~#

While on Fedora Silverblue it works

podman run \
        --rm -it \
        --user 1000 \
        --network slirp4netns -p 8081:8080 \
        docker.io/library/busybox \
        /bin/sh 
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob ea6255c5eee6 done   | 
Copying config f62daa0d2c done   | 
Writing manifest to image destination
~ $ exit

OpenWRT version

root@OpenWrt:~# cat /etc/*release*
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='22.03.6'
DISTRIB_REVISION='r20265-f85a79bcb4'
DISTRIB_TARGET='x86/64'
DISTRIB_ARCH='x86_64'
DISTRIB_DESCRIPTION='OpenWrt 22.03.6 r20265-f85a79bcb4'
DISTRIB_TAINTS=''
NAME="OpenWrt"
VERSION="22.03.6"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 22.03.6"
VERSION_ID="22.03.6"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r20265-f85a79bcb4"
OPENWRT_BOARD="x86/64"
OPENWRT_ARCH="x86_64"
OPENWRT_TAINTS=""
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 22.03.6 r20265-f85a79bcb4"
root@OpenWrt:~# 

Fedora version

cat /etc/*release*
Fedora release 38 (Thirty Eight)
NAME="Fedora Linux"
VERSION="38.20240429.0 (Silverblue)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora Linux 38.20240429.0 (Silverblue)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://silverblue.fedoraproject.org"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-silverblue/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://github.com/fedora-silverblue/issue-tracker/issues"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=38
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=38
SUPPORT_END=2024-05-14
VARIANT="Silverblue"
VARIANT_ID=silverblue
OSTREE_VERSION='38.20240429.0'
Fedora release 38 (Thirty Eight)
Fedora release 38 (Thirty Eight)
cpe:/o:fedoraproject:fedora:38

Why am I doing this?
The target goal is to create pods which will be running on OpenWRT, whose containers have no access to the outside world but can have exposed services. I was doing as it was described here

Running OpenWrt in podman is not supported. This has come up many times lately... among many other similar threads:

I have updated my question to make it very clear that I'm not running OpenWRT in podman

Do not use slirp4netns, it is only meant to be used in rootless mode for podman.

Do not even set up a portmapping for your containers, instead use the OpenWrt firewall to handle this.

See: https://openwrt.org/docs/guide-user/virtualization/docker_host?s[]=podman#podman

Many thanks for your reply. I will try to follow the link you have provided.

Many thanks once again. I finally was able to achieve what I wanted. I was able to block pods from accessing the internet and also was able to selectively let pods access the internet.

If someone needs it, here's what I did

Blocking forwarding to WAN by commenting out the lines

root@OpenWrt:~# vi /etc/config/firewall 
root@OpenWrt:~# cat  /etc/config/firewall | grep -A1 -B1 podman
...
#config forwarding
#	option src 'podman'
#	option dest 'wan'
--
....
root@OpenWrt:~# 

Restarting firewall

/etc/init.d/firewall restart

Checking if they can access - OK. Access blocked

root@OpenWrt:~# podman exec nginx wget --spider -T 3 --no-check-certificate http://192.168.1.1:80
Connecting to 192.168.1.1:80 (192.168.1.1:80)
wget: can't connect to remote host (192.168.1.1): Connection refused
root@OpenWrt:~# podman exec nginx-cant wget --spider -T 3 --no-check-certificate http://192.168.1.1:80
Connecting to 192.168.1.1:80 (192.168.1.1:80)
wget: can't connect to remote host (192.168.1.1): Connection refused
root@OpenWrt:~# 
root@OpenWrt:~# podman exec nginx wget --spider -T 3 --no-check-certificate http://8.8.8.8:53
Connecting to 8.8.8.8:53 (8.8.8.8:53)
wget: can't connect to remote host (8.8.8.8): Connection refused
root@OpenWrt:~# podman exec nginx-cant wget --spider -T 3 --no-check-certificate http://8.8.8.8:53
Connecting to 8.8.8.8:53 (8.8.8.8:53)
wget: can't connect to remote host (8.8.8.8): Connection refused
root@OpenWrt:~# 

Opening using rule

Rule added

config rule
	option name 'Allow-pod-can'
	option src 'podman'
	option dest 'wan'
	option src_ip '10.88.0.201'
	option proto 'all'
	option target 'ACCEPT'

Check access - Ok. Worked as I wanted.

root@OpenWrt:~# vi /etc/config/firewall 
root@OpenWrt:~# 
root@OpenWrt:~# /etc/init.d/firewall restart
root@OpenWrt:~# 
root@OpenWrt:~# podman exec nginx wget --spider -T 3 --no-check-certificate http://192.168.1.1:80
Connecting to 192.168.1.1:80 (192.168.1.1:80)
remote file exists
root@OpenWrt:~# podman exec nginx-cant wget --spider -T 3 --no-check-certificate http://192.168.1.1:80
Connecting to 192.168.1.1:80 (192.168.1.1:80)
wget: can't connect to remote host (192.168.1.1): Connection refused
root@OpenWrt:~# 
root@OpenWrt:~# podman exec nginx wget --spider -T 3 --no-check-certificate http://8.8.8.8:53
Connecting to 8.8.8.8:53 (8.8.8.8:53)
wget: error getting response
root@OpenWrt:~# podman exec nginx-cant wget --spider -T 3 --no-check-certificate http://8.8.8.8:53
Connecting to 8.8.8.8:53 (8.8.8.8:53)
wget: can't connect to remote host (8.8.8.8): Connection refused
root@OpenWrt:~# 

Check with dest_ip

config rule
	option name 'Allow-pod-can'
	option src 'podman'
	option dest 'wan'
	option src_ip '10.88.0.201'
	option dest_ip '192.168.1.1'
	option proto 'all'
	option target 'ACCEPT'

Was able to reach only 192.168.1.1 - OK!

Note: in the previous test, container nginx was able to reach 8.8.8.8:53, but now it can't.

root@OpenWrt:~# podman exec nginx wget --spider -T 3 --no-check-certificate http://192.168.1.1:80
Connecting to 192.168.1.1:80 (192.168.1.1:80)
remote file exists
root@OpenWrt:~# podman exec nginx-cant wget --spider -T 3 --no-check-certificate http://192.168.1.1:80
Connecting to 192.168.1.1:80 (192.168.1.1:80)
wget: can't connect to remote host (192.168.1.1): Connection refused
root@OpenWrt:~# 
root@OpenWrt:~# podman exec nginx wget --spider -T 3 --no-check-certificate http://8.8.8.8:53
Connecting to 8.8.8.8:53 (8.8.8.8:53)
wget: can't connect to remote host (8.8.8.8): Connection refused
root@OpenWrt:~# podman exec nginx-cant wget --spider -T 3 --no-check-certificate http://8.8.8.8:53
Connecting to 8.8.8.8:53 (8.8.8.8:53)
wget: can't connect to remote host (8.8.8.8): Connection refused
root@OpenWrt:~#
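The per-container egress checks from the last post, scripted as an added example that is not part of the thread: it assumes the container names nginx and nginx-cant, the 10.88.0.201 address and the podman zone from the posts above, busybox wget inside the containers, and that it runs on the OpenWrt host after /etc/init.d/firewall restart.

```shell
#!/bin/sh
# Added example (not from the thread): verify per-container egress policy on an
# OpenWrt podman host, as the last post did by hand with wget --spider.

# Classify busybox wget --spider output into a policy outcome.
# "Connection refused" from a host that does serve the port usually means the
# forward was REJECTed by the firewall (OpenWrt's default for the zone), not
# that the service is down. "error getting response" means TCP connected but
# nothing spoke HTTP (e.g. 8.8.8.8:53 in the thread), so the path is open.
classify() {
    case "$1" in
        *"remote file exists"*|*"error getting response"*) echo reachable ;;
        *"Connection refused"*) echo rejected ;;
        *"timed out"*) echo dropped ;;
        *) echo unknown ;;
    esac
}

# Probe a destination from inside a container; prints the classification.
probe() {  # probe <container> <url>
    out=$(podman exec "$1" wget --spider -T 3 "$2" 2>&1)
    classify "$out"
}

# Compare a probe against the expected outcome; returns 1 on mismatch.
expect() {  # expect <container> <url> <expected>
    got=$(probe "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "OK   $1 -> $2: $got"
    else
        echo "FAIL $1 -> $2: got $got, expected $3"
        return 1
    fi
}

# Policy from the thread (assumed names): only nginx (10.88.0.201) may reach
# 192.168.1.1; nothing else leaves the podman zone.
run_policy_checks() {
    rc=0
    expect nginx      http://192.168.1.1:80 reachable || rc=1
    expect nginx      http://8.8.8.8:53     rejected  || rc=1
    expect nginx-cant http://192.168.1.1:80 rejected  || rc=1
    expect nginx-cant http://8.8.8.8:53     rejected  || rc=1
    return $rc
}

if [ "${1:-}" = "run" ]; then
    run_policy_checks
fi
```

Re-run it after every firewall change; a FAIL line means a container can reach something the rules were meant to deny, or a rule is missing for one that should be allowed.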