-
|
I noticed that with podman, rootless containers have internet connectivity without enabling the host's packet forwarding: $ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0$ nft list ruleset
chain Fwd {
type filter hook forward priority filter; policy drop;
}Is this because the TAP interface the containers use is (so to speak) one level below the IP/packet layer, bypassing that need? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
I wouldn't say it operates below the IP/packet layer - more that it manually replicates the NAT/forwarding performed by the kernel in root containers. |
Beta Was this translation helpful? Give feedback.
-
|
I see. Documentation on tun/tap seems sparse and articles mostly cover the use of bridge interfaces which I don't think are involved here. But delving further into this risks veering off-topic, so thanks! |
Beta Was this translation helpful? Give feedback.
I wouldn't say it operates below the IP/packet layer - more that it manually replicates the NAT/forwarding performed by the kernel in root containers.