I am attempting to use podman to execute a container running a web server.
This works just fine, but I am unable to redirect from wan -> container.
I have tried all possible CNI network solutions; unfortunately DHCP with macvlan did not work out, since there has probably been some advancement on this.
None of the solutions worked out.
Whether I use fw3 or fw4, it never redirects to the veth device. Currently I am trying with fw4, using nftables(-json). I have built support for cni-nftables, but that won't help either. Currently I am running with a ptp (point to point) setup, very similar to bridge in general.
Let's call LAN 10.99.0.0/16 and podman is 10.89.0.0/24, where the VETH has 10.89.0.1 and the container, or pod, has IP 10.89.0.2. 10.89.0.1:80 does not map to 10.89.0.2:80 even though I publish ports. Publishing also won't publish ports on ANY interface; only directly connecting to 10.89.0.20:80 gives access.
If I locally use curl to retrieve index.html from 10.89.0.2, it works just fine. When I make a redirect from WAN:80 or WAN:whatever (e.g. 1080) to 10.89.0.2:80 and attempt to curl from the WAN IP, failure is guaranteed again. No access.
The firewall does seem to work: if I point a port to 10.99.0.1:80 (LuCI), uhttpd serves. uhttpd is set up so that it runs only on 10.99.0.1, so it won't run on other interfaces except br-lan. But all redirects to the veth network fail.
My firewall setup relevant to podman is:
config zone
	option name 'podman'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list device 'veth+'
	list subnet '10.89.0.1/24'
	option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'podman'

config redirect
	option target 'DNAT'
	option name 'http'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_port '80'
	option dest_ip '10.89.0.2'
	option enabled '1'
My network config does not have an entry for podman, only lan, wan and the zerotier vpn.
Any assistance? I am running on a recent snapshot with kernel 5.10 on x86_64.
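When a DNAT redirect to a container fails, the first thing to rule out is a mismatch between the redirect's destination and the zone that is supposed to own it. The following is an added example, not code from the poster or from OpenWrt: a small parser for UCI firewall text (the quoted `option`/`list` form found in /etc/config/firewall, even when a forum paste has flattened it onto one line) plus an audit that reports, for each enabled DNAT redirect, which zone's `subnet` covers `dest_ip` and whether an explicit `config forwarding` from the redirect's `src` zone to that zone exists. The sample input is constructed from the snippet in the post; the function names (`parse_uci`, `zone_for_address`, `audit_redirects`) are this example's own. Note that fw4 accepts the forwarded traffic for a redirect on its own, so the forwarding flag is reported for visibility rather than as a hard requirement; the point is to confirm that 10.89.0.2 really lands inside the `podman` zone before digging into `nft list ruleset`.

```python
import ipaddress
import re

# Constructed sample input: the firewall snippet from the post, pasted flat on one
# line the way forum software often collapses it.
SAMPLE_UCI = (
    "config zone option name 'podman' option input 'ACCEPT' option forward 'ACCEPT' "
    "option output 'ACCEPT' option masq '1' option mtu_fix '1' list device 'veth+' "
    "list subnet '10.89.0.1/24' option family 'ipv4' "
    "config forwarding option src 'lan' option dest 'podman' "
    "config redirect option target 'DNAT' option name 'http' list proto 'tcp' "
    "option src 'wan' option src_dport '80' option dest_port '80' "
    "option dest_ip '10.89.0.2' option enabled '1'"
)

# One UCI statement: keyword, key, and (for option/list) a single-quoted value.
# 'config <type>' has no quoted value, so the value group is optional.
_STMT = re.compile(r"\b(config|option|list)\s+(\S+)(?:\s+'([^']*)')?")


def parse_uci(text):
    """Parse UCI text (flattened or multi-line) into a list of (section_type, fields).

    'option' values are stored as strings, 'list' values as Python lists, so a
    single 'list subnet' entry still yields ['10.89.0.1/24'].
    """
    sections = []
    for kw, key, val in _STMT.findall(text):
        if kw == "config":
            sections.append((key, {}))
        elif not sections:
            raise ValueError(f"'{kw} {key}' appears before any 'config' line")
        elif kw == "option":
            sections[-1][1][key] = val
        else:
            sections[-1][1].setdefault(key, []).append(val)
    return sections


def zone_for_address(sections, addr):
    """Return the name of the first zone whose 'subnet' entries cover addr, else None."""
    ip = ipaddress.ip_address(addr)
    for stype, fields in sections:
        if stype != "zone":
            continue
        subnets = fields.get("subnet", [])
        if isinstance(subnets, str):  # tolerate 'option subnet' instead of 'list subnet'
            subnets = [subnets]
        for cidr in subnets:
            # strict=False: '10.89.0.1/24' is a host address; treat it as 10.89.0.0/24
            if ip in ipaddress.ip_network(cidr, strict=False):
                return fields.get("name")
    return None


def audit_redirects(sections):
    """Summarise every enabled DNAT redirect: where dest_ip lands and whether an
    explicit src -> dest-zone forwarding section exists for it."""
    forwardings = {
        (f.get("src"), f.get("dest")) for t, f in sections if t == "forwarding"
    }
    report = []
    for stype, fields in sections:
        if stype != "redirect" or fields.get("target") != "DNAT":
            continue
        if fields.get("enabled", "1") == "0":
            continue
        dest_zone = zone_for_address(sections, fields["dest_ip"])
        report.append({
            "name": fields.get("name"),
            "src": fields.get("src"),
            "src_dport": fields.get("src_dport"),
            "dest_ip": fields["dest_ip"],
            # fw3/fw4 reuse src_dport when dest_port is omitted
            "dest_port": fields.get("dest_port", fields.get("src_dport")),
            "dest_zone": dest_zone,
            "explicit_forwarding": (fields.get("src"), dest_zone) in forwardings,
        })
    return report


if __name__ == "__main__":
    for entry in audit_redirects(parse_uci(SAMPLE_UCI)):
        print(entry)
```

Run it as-is to see the post's redirect summarised: `dest_zone` comes back as `podman` (10.89.0.2 is inside 10.89.0.0/24) and `explicit_forwarding` is `False`, because the only forwarding section is lan -> podman. To audit a live router, replace `SAMPLE_UCI` with the contents of /etc/config/firewall.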