Security of sit tunnels inside a container

[Diniboy1123]

Hi, I would like to self-host Piped (privacy friendly frontend for a popular platform). But the platform likes to rate-limit and throttle individuals based on their IP so I am using a tunnelbroker sit tunnel to get an interface up with a /48 IPv6 range and I wrote a rotator proxy that picks a random outbound address for each incoming connection. Finally it exposes a port Piped can use as its proxy.

These two containers therefore need to speak with each other. Normally I would use rootless containers and create a pod so the containers can use each other's ports, but in this case I need both CAP_SYS_ADMIN and CAP_NET_RAW in order to have it working. And it only works under root now, because a regular user cannot just use IP protocol 41 I assume.

So what would be the most optimal way in terms of security to have the interface and the container up in one container and piped running with as little permissions as it needs.

Currently I could get the container up using these, but only if I ran it as root:

podman run -it --rm --name test -e REMOTE_IP=1.1.1.1 -e IPV6_WITH_PREFIX='redacted/64' --cap-add CAP_NET_ADMIN --cap-add CAP_NET_RAW --sysctl net.ipv6.ip_nonlocal_bind=1 v6rotator:latest redacted/48

I wonder if I could even get the sit tunnel working using a rootless user or if I should ditch that idea and somehow have the proxy running in a rootful environment and in that case figure out how can I share the port it exposes to the rootless container.

Here is the source for the container: https://github.com/Diniboy1123/v6rotator/tree/feat/docker

[rhatdan]

I have a feeling this will require rootful containers, but will allow @Luap99 to confirm.

[Luap99]

I haven't checked in the kernel but it wouldn't surprise me that CAP_NET_RAW does not work in a user namespaces. And even if it would I doubt pasta or slirp4netns would be able to forward such traffic.