From 209ce3d9b6fb09626a7abe3540b888566b739de8 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Mon, 23 Aug 2021 20:51:19 +0200
Subject: container: T3769: when container networks are used, always bridge the
 networks

As VyOS is a network operating system with bridging and NAT available from
the VyOS CLI, it makes no sense to let podman do its own sort of "NAT".

If one really wants to NAT into a container, use the VyOS CLI to do so. If you
want to bridge your networks, use the VyOS CLI to do so.
---
 src/conf_mode/containers.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)


diff --git a/src/conf_mode/containers.py b/src/conf_mode/containers.py
index 5b863fa03..78664dfd9 100755
--- a/src/conf_mode/containers.py
+++ b/src/conf_mode/containers.py
@@ -26,6 +26,8 @@ from vyos.configdict import node_changed
 from vyos.util import call
 from vyos.util import cmd
 from vyos.util import run
+from vyos.util import read_file
+from vyos.util import write_file
 from vyos.template import render
 from vyos.template import is_ipv4
 from vyos.template import is_ipv6
@@ -42,7 +44,7 @@ def _cmd(command):
         print(command)
     return cmd(command)
 
-def ctnr_network_exists(name):
+def network_exists(name):
     # Check explicit name for network, returns True if network exists
     c = _cmd(f'podman network ls --quiet --filter name=^{name}$')
     return bool(c)
@@ -201,7 +203,7 @@ def apply(container):
     if 'network' in container:
         for network, network_config in container['network'].items():
             # Check if the network has already been created
-            if not ctnr_network_exists(network) and 'prefix' in network_config:
+            if not network_exists(network) and 'prefix' in network_config:
                 tmp = f'podman network create {network}'
                 # we can not use list comprehension here as the --ipv6 option
                 # must immediately follow the specified subnet!!!
@@ -211,6 +213,18 @@ def apply(container):
                       tmp += ' --ipv6'
                 _cmd(tmp)
 
+                # Disable masquerading and use traditional bridging so VyOS
+                # can control firewalling/NAT by the real VyOS CLI
+                cni_network_config = f'/etc/cni/net.d/{network}.conflist'
+                tmp = read_file(cni_network_config)
+                config = json.loads(tmp)
+                if 'plugins' in config:
+                    for count in range(0, len(config['plugins'])):
+                        if 'ipMasq' in config['plugins'][count]:
+                            config['plugins'][count]['ipMasq'] = False
+
+                write_file(cni_network_config, json.dumps(config, indent=4))
+
     # Add container
     if 'name' in container:
         for name, container_config in container['name'].items():
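Review bot: The conflist rewrite assumes `/etc/cni/net.d/{network}.conflist` exists the moment `podman network create` returns, but the `_cmd(tmp)` result is not checked and the CNI config directory is hard-coded, so if the create failed or podman writes its config elsewhere, `read_file` presumably hands back its failure default and `json.loads` raises an unrelated TypeError instead of naming the missing file; a guard on the read result with an explicit error message (in whatever error type this file already uses) would make that failure legible. `json` is used here but is not among the imports this patch adds, so confirm it is already imported near the top of the file. The indexed loop is better written directly over the plugin dicts, `for plugin in config.get('plugins', []):` / `    if 'ipMasq' in plugin:` / `        plugin['ipMasq'] = False`, which also survives a conflist without a `plugins` key. Note that only `ipMasq` is cleared: if the generated conflist also carries podman's usual `firewall` and `portmap` plugins, those still program iptables for the network, so the commit message's claim that the VyOS CLI alone controls firewalling should be checked against an actual generated conflist; and since the rewrite sits inside the creation branch, networks created before this commit keep masquerading until recreated. The enclosing `apply()` continues outside the hunk.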
-- 