summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-08-23 20:51:19 +0200
committerChristian Poessinger <christian@poessinger.com>2021-08-23 20:51:19 +0200
commit209ce3d9b6fb09626a7abe3540b888566b739de8 (patch)
treee194a33bdeefa5c1838ec60b35e1b3c928dff22d /src/conf_mode
parente12d00325deedb38e92bcce355833d225ab82705 (diff)
downloadvyos-1x-209ce3d9b6fb09626a7abe3540b888566b739de8.tar.gz
vyos-1x-209ce3d9b6fb09626a7abe3540b888566b739de8.zip
container: T3769: when container networks are used, always bridge the networks
As VyOS is a network operation system with bridging and NATing available from the VyOS CLI, it makes no sense to let podman do it's own sort of "NAT". If one really want's to NAT into a container, use the VyOS CLI to do so. If you wan't to bridge your networks, use the VyOS CLI to do so.
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/containers.py18
1 files changed, 16 insertions, 2 deletions
diff --git a/src/conf_mode/containers.py b/src/conf_mode/containers.py
index 5b863fa03..78664dfd9 100755
--- a/src/conf_mode/containers.py
+++ b/src/conf_mode/containers.py
@@ -26,6 +26,8 @@ from vyos.configdict import node_changed
from vyos.util import call
from vyos.util import cmd
from vyos.util import run
+from vyos.util import read_file
+from vyos.util import write_file
from vyos.template import render
from vyos.template import is_ipv4
from vyos.template import is_ipv6
@@ -42,7 +44,7 @@ def _cmd(command):
print(command)
return cmd(command)
-def ctnr_network_exists(name):
+def network_exists(name):
# Check explicit name for network, returns True if network exists
c = _cmd(f'podman network ls --quiet --filter name=^{name}$')
return bool(c)
@@ -201,7 +203,7 @@ def apply(container):
if 'network' in container:
for network, network_config in container['network'].items():
# Check if the network has already been created
- if not ctnr_network_exists(network) and 'prefix' in network_config:
+ if not network_exists(network) and 'prefix' in network_config:
tmp = f'podman network create {network}'
# we can not use list comprehension here as the --ipv6 option
# must immediately follow the specified subnet!!!
@@ -211,6 +213,18 @@ def apply(container):
tmp += ' --ipv6'
_cmd(tmp)
+ # Disable masquerading and use traditional bridging so VyOS
+ # can control firewalling/NAT by the real VyOS CLI
+ cni_network_config = f'/etc/cni/net.d/{network}.conflist'
+ tmp = read_file(cni_network_config)
+ config = json.loads(tmp)
+ if 'plugins' in config:
+ for count in range(0, len(config['plugins'])):
+ if 'ipMasq' in config['plugins'][count]:
+ config['plugins'][count]['ipMasq'] = False
+
+ write_file(cni_network_config, json.dumps(config, indent=4))
+
# Add container
if 'name' in container:
for name, container_config in container['name'].items():