I'm investigating migrating from docker/docker-compose to podman/*-compose. So far, the process has been fairly smooth, but I've run into an issue as to how to enforce IP filtering on containers under podman.
In the docker world, I can preload the iptables DOCKER-USER chain, so that when docker-compose brings up the services, the rules are already in place. Under podman, I can see that it is possible to apply nftables rules to the filter chain inside the podman network namespace, but that has some issues and seems to be a hack to add the rules. Notably, the *-compose service needs to be up first for the namespace to exist, then correlate to the correct namespace, etc. There must be a better way that I am missing.
CNI appears to have plugin capability for nftables firewalling (i.e. https://github.com/greenpau/cni-plugins), but I don't see how to pre-create those CNI networks with podman in preparation for docker-compose/podman-compose. Are plugin extensions not available under podman networking yet? Can I define the XML for the CNI network and have podman bring that online?
Any pointers would be much appreciated.
Thanks
Gary.
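The DOCKER-USER preload that the question describes, as an added shell example; this is not code from the discussion, from Docker or from Podman. It assumes iptables in PATH and root when APPLY=1; the interface name WAN_IF, the allowlist ALLOW (TEST-NET addresses) and the APPLY switch are constructed for the example. Docker inserts the FORWARD -> DOCKER-USER jump when dockerd starts and leaves the chain's contents to the administrator, which is why rules placed there before docker-compose runs are already in effect when the first container's port is published.

```sh
#!/bin/sh
# Added example, not code from the discussion: pre-populate the iptables
# DOCKER-USER chain so the filter is in place before docker-compose creates
# its networks and publishes ports.
# Assumptions (not from the page): iptables in PATH and root for APPLY=1;
# WAN_IF and the ALLOW list are constructed placeholders.

WAN_IF="${WAN_IF:-eth0}"
ALLOW="${ALLOW:-192.0.2.0/24 198.51.100.7}"   # constructed allowlist (TEST-NET ranges)

# docker_user_rules IFACE CIDR...  -> prints one iptables command per line.
# Semantics inside DOCKER-USER: RETURN means "let Docker's own chains decide",
# DROP means "never reaches a container". Only traffic entering from IFACE is
# filtered; inter-container and host-originated traffic is left untouched.
docker_user_rules() {
  iface=$1; shift
  echo "iptables -N DOCKER-USER 2>/dev/null || true"   # create it if dockerd has not yet
  echo "iptables -F DOCKER-USER"                        # idempotent: safe to re-run
  echo "iptables -A DOCKER-USER -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
  for cidr in "$@"; do
    echo "iptables -A DOCKER-USER -i $iface -s $cidr -j RETURN"
  done
  echo "iptables -A DOCKER-USER -i $iface -j DROP"      # everything else from the WAN side
  echo "iptables -A DOCKER-USER -j RETURN"              # all other interfaces: Docker decides
}

# docker_user_check: once dockerd is up, confirm the FORWARD -> DOCKER-USER jump
# exists; exit status 0 means the preloaded rules are actually in the path.
docker_user_check() {
  iptables -C FORWARD -j DOCKER-USER 2>/dev/null
}

# shellcheck disable=SC2086  # ALLOW is intentionally word-split into CIDRs
if [ "${APPLY:-0}" = 1 ]; then
  docker_user_rules "$WAN_IF" $ALLOW | sh -e
else
  docker_user_rules "$WAN_IF" $ALLOW       # review mode: print the rules, apply nothing
fi
```

Run it without APPLY to review the generated rules, then with APPLY=1 before `docker-compose up`; after dockerd is running, `docker_user_check` verifies the jump is present. Because the chain is flushed and rebuilt on every run, re-running the script after changing ALLOW does not accumulate stale rules.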