Description
Hi!
I wanted to try Podman on my home server and every time I create even a simple container (like with podman run --rm -it ubuntu:22.04) I can't access other devices on the network. I'm using my home server as a router as well, so it really depends on FORWARD chains for a bunch of things.
Problem is that netavark (or podman?) creates rules that drop any "invalid" connection, but those rules are applied to all interfaces instead of just podman0!
I have pretty minimal rules in iptables; iptables-save gives me just a single -t nat -A POSTROUTING -o wan0 -j MASQUERADE, but the moment I start any container, I see rules in the filter table, two of which caught my eye:
...
-A INPUT -m comment --comment "netavark firewall rules" -j NETAVARK_INPUT
-A FORWARD -m comment --comment "netavark firewall rules" -j NETAVARK_FORWARD
...
As far as I understand, they forward every packet from INPUT and FORWARD to NETAVARK_INPUT and NETAVARK_FORWARD chains respectively, but they don't limit them just to podman* interfaces, which, combined with -A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP breaks forwarding for me.
I think I can just create a default network and always specify it manually, but it's too error-prone for me and I wasn't able to figure out a way to add a simple -i podman0 and -o podman0 to the mentioned rules myself. I can just always do iptables -D NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP after running each container, but that quickly becomes painful.
I don't know if the same happens with Docker; I'll update this once I get to test it.
Podman: 5.3.1
Netavark: 1.13.1
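The issue above boils down to one question a host operator can check mechanically: do the jump rules that the container runtime adds to the INPUT and FORWARD base chains carry an interface match, or do they apply to every packet the router forwards? The script below is an added example (not part of netavark, Podman, or this issue) that parses an iptables-save dump, flags NETAVARK_* jumps that have no -i/-o restriction, and prints the interface-scoped form the reporter was looking for. The dump it parses is constructed to mirror the rules quoted above; the interface name podman0 and the NETAVARK_ chain prefix are taken from the issue, and the "scoped alternative" lines are a hypothetical workaround, not netavark's own rule layout.

```python
"""Audit an iptables-save dump for NETAVARK_* jump rules that are not limited
to a container interface. Added example; not netavark's or Podman's code."""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample dump modelled on the rules quoted in the issue (not
# captured from a real host). The nat MASQUERADE rule is the reporter's own;
# the filter-table rules are the ones netavark adds.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:NETAVARK_INPUT - [0:0]
:NETAVARK_FORWARD - [0:0]
-A INPUT -m comment --comment "netavark firewall rules" -j NETAVARK_INPUT
-A FORWARD -m comment --comment "netavark firewall rules" -j NETAVARK_FORWARD
-A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP
COMMIT
"""


@dataclass
class Rule:
    table: str
    chain: str
    target: Optional[str]
    in_iface: Optional[str]   # -i value; None when absent or negated with '!'
    out_iface: Optional[str]  # -o value; same convention
    raw: str


def parse_iptables_save(dump: str) -> List[Rule]:
    """Turn the -A lines of an iptables-save dump into Rule records."""
    rules: List[Rule] = []
    table = ""
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *filter
            table = line[1:]
            continue
        if not line.startswith("-A "):      # skip :CHAIN policy lines, COMMIT, comments
            continue
        tokens = shlex.split(line)          # keeps the quoted --comment value together
        chain = tokens[1]
        target = in_iface = out_iface = None
        for i, tok in enumerate(tokens[2:], start=2):
            negated = tokens[i - 1] == "!"
            has_arg = i + 1 < len(tokens)
            if tok == "-j" and has_arg:
                target = tokens[i + 1]
            elif tok == "-i" and has_arg and not negated:
                in_iface = tokens[i + 1]
            elif tok == "-o" and has_arg and not negated:
                out_iface = tokens[i + 1]
        rules.append(Rule(table, chain, target, in_iface, out_iface, line))
    return rules


def unscoped_jumps(rules: List[Rule], chain_prefix: str = "NETAVARK_") -> List[Rule]:
    """Jumps from the filter table's INPUT/FORWARD base chains into chain_prefix
    chains that carry no -i/-o match, i.e. that apply to traffic on every interface."""
    return [
        r for r in rules
        if r.table == "filter"
        and r.chain in ("INPUT", "FORWARD")
        and r.target is not None and r.target.startswith(chain_prefix)
        and r.in_iface is None and r.out_iface is None
    ]


def scoped_equivalents(rule: Rule, iface: str = "podman0") -> List[str]:
    """Interface-scoped variants of an unscoped jump (hypothetical workaround).
    INPUT only ever sees packets arriving on an interface, so it gets -i;
    FORWARD needs one rule per direction (-i and -o) so that both
    container-originated and container-bound traffic still reach the chain."""
    prefix = f"-A {rule.chain} "
    body = rule.raw[len(prefix):]
    flags = ["-i"] if rule.chain == "INPUT" else ["-i", "-o"]
    return [f"{prefix}{flag} {iface} {body}" for flag in flags]


def audit(dump: str, iface: str = "podman0") -> List[str]:
    """One finding line per unscoped jump, followed by its scoped alternatives."""
    findings: List[str] = []
    for r in unscoped_jumps(parse_iptables_save(dump)):
        findings.append(f"{r.chain}: jump to {r.target} matches every interface: {r.raw}")
        for line in scoped_equivalents(r, iface):
            findings.append(f"  scoped alternative: {line}")
    return findings


if __name__ == "__main__":
    # On a real host, feed the output of `iptables-save` instead of SAMPLE_DUMP.
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

Run against a live host with `iptables-save | python3 audit.py` after swapping SAMPLE_DUMP for `sys.stdin.read()`. The check deliberately looks only at the base-chain jumps: the `-m conntrack --ctstate INVALID -j DROP` rule inside NETAVARK_FORWARD is fine on its own, and it is the unscoped jump into that chain that makes it apply to the router's other interfaces.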