Good afternoon everyone. I've been trying to work this out for over a week, but I really don't have a clue past this point.

My notebook runs Arch Linux, running systemd-networkd as network manager and (trying to) get systemd-nspawn to work for containers. I have a few rules in /etc/nftables.conf:

    table inet filter {
        chain input {
            type filter hook input priority filter; policy drop;
            ct state { established, related } accept
            ct state invalid drop
            ip protocol icmp accept
            meta l4proto ipv6-icmp accept
            udp dport 5353 accept
            reject
        }

        chain forward {
            type filter hook forward priority filter; policy accept;
        }

        chain output {
        }
    }

These somehow conflict with the ones added by systemd-nspawn after I start a container with the -n option:

    table ip io.systemd.nat {
        set masq_saddr {
            type ipv4_addr
            flags interval
            elements = { 192.168.240.176/28 }
        }

        map map_port_ipport {
            type inet_proto . inet_service : ipv4_addr . inet_service
        }

        chain prerouting {
            type nat hook prerouting priority dstnat + 1; policy accept;
            fib daddr type local dnat ip to meta l4proto . th dport map @map_port_ipport
        }

        chain output {
            type nat hook output priority -99; policy accept;
            ip daddr != 127.0.0.0/8 oif "lo" dnat ip to meta l4proto . th dport map @map_port_ipport
        }

        chain postrouting {
            type nat hook postrouting priority srcnat + 1; policy accept;
            ip saddr @masq_saddr masquerade
        }
    }

Even though I fail to understand how. If, before starting a container, I flush my ruleset, the networking works as expected within the container, but if I don't, and my rules are active, I get no internet connection for the containers.

Any help explaining why and how to fix this problem would be MUCH appreciated.

Thanks,
Kevin P.
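The following is an added example, not part of the original post or of systemd's own configuration. It shows the poster's `inet filter` table with one extra pair of rules on the host side of the container link. It assumes the default naming that `systemd-nspawn -n` uses for the host end of the veth pair (`ve-<container-name>`, matched here with the wildcard `ve-*`) and that the container obtains its address from the DHCP server systemd-networkd runs on that link (the stock `80-container-ve.network` behaviour). With a `policy drop` input chain that only accepts established/related traffic, the container's DHCP and DNS requests arrive at the host as new connections and fall through to the final `reject`, so the container never gets an address or name resolution even though the `forward` chain and the NAT table would pass its traffic:

```nft
# Added example, not the poster's file: the same inet filter table with the
# host-side container link allowed to reach the host's DHCP and DNS service.
# Assumes nspawn's default veth naming (ve-<container>) on the host side.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state { established, related } accept
        ct state invalid drop

        # Requests from containers on the host end of the veth pair.
        # DHCP (udp/67) and DNS (udp+tcp/53) start as new connections and
        # would otherwise hit the trailing reject below. Scoping the rule to
        # the ve-* interfaces keeps those ports closed on the real uplink.
        iifname "ve-*" udp dport { 67, 53 } accept
        iifname "ve-*" tcp dport 53 accept

        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        udp dport 5353 accept
        reject
    }

    chain forward {
        # Traffic between the container link and the uplink is already
        # accepted here; masquerading is done by nspawn's io.systemd.nat table.
        type filter hook forward priority filter; policy accept;
    }

    chain output {
    }
}
```

Before loading it, `nft -c -f /etc/nftables.conf` checks the syntax without touching the live ruleset, and `nft list ruleset` after starting a container shows both tables side by side so you can confirm the `io.systemd.nat` rules are still present. If the host end of the link has a different name (for example when using `--network-bridge`), adjust the `iifname` pattern to match it rather than widening the rule to every interface.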