VyOS has added container support with podman. When a container is created, podman will try to use iptables to create source NAT rules. However, VyOS uses nftables to create NAT rules. After a NAT rule is created (especially when the target is masquerade), the command `iptables -t nat -L` will not work. Next, if we try to add a container, podman will return the error: Error adding network: failed to list chains: running [/sbin/iptables -t nat -S --wait]: exit status 1: iptables v1.8.2 (nf_tables): table 'nat' is incompatible, use 'nft' tool.
Description
Details
- Difficulty level: Unknown (require assessment)
- Version: -
- Why the issue appeared?: Will be filled on close
- Is it a breaking change?: Unspecified (possibly destroys the router)
Status | Subtype | Assigned | Task
---|---|---|---
Open | | dmbaturin | T2216 Containerized third-party applications for VyOS
Open | BUG | None | T3499 Podman is not compatible with nat rules
Event Timeline
@Yuanandyuan Can you reproduce it with the VyOS CLI? Or is it with raw podman commands?
Port mapping will be available after this PR: https://github.com/vyos/vyos-1x/pull/818
I think for user-defined networks there should be some rules in vyos-cli for DNAT.
As I understand, native portmap uses iptables only:
https://github.com/containernetworking/plugins
To reproduce the bug, we need to add a source NAT rule first.

```
configure
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address masquerade
commit
save
exit
```

Then if we try to list the nat tables with iptables (`iptables -t nat -L`), we will get an error like: table 'nat' is incompatible, use 'nft' tool.
Next, if we use podman to create a container (`sudo podman run -d ubuntu:latest`), podman will return the error because it looks up NAT rules with iptables.
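A pre-flight check for the clash described above, added here as an example (not VyOS or podman code): it runs the same `iptables -t nat -S --wait` listing that podman's network plugin runs, classifies the result, and when the nat table has been taken over by native nftables rules shows the nft view of that table so the operator can see which rules (such as the masquerade rule) are responsible. It assumes iptables-nft (iptables v1.8.x built against nf_tables) and the `nft` CLI are installed, as on VyOS.

```shell
#!/bin/sh
# Added example for the iptables/nftables "nat" table clash; assumes iptables-nft
# and the nft CLI are available (hypothetical helper names, not VyOS/podman code).

# classify_nat_listing STATUS OUTPUT
# Interprets the exit status and combined stdout/stderr of
# `iptables -t nat -S --wait` and prints one verdict:
#   compatible        - iptables could read the nat table
#   nft-incompatible  - the table was created by nft and iptables refuses it
#   other-error       - any other failure (permissions, missing binary, ...)
classify_nat_listing() {
    status="$1"
    output="$2"
    if [ "$status" -eq 0 ]; then
        echo compatible
        return 0
    fi
    case "$output" in
        *"incompatible, use 'nft' tool"*) echo nft-incompatible ;;
        *)                                 echo other-error ;;
    esac
    return 0
}

# check_podman_nat_preflight
# Runs the real listing and reports whether podman's iptables call will succeed.
# Written without relying on set -e, so the non-zero iptables status is kept.
check_podman_nat_preflight() {
    if out=$(iptables -t nat -S --wait 2>&1); then st=0; else st=$?; fi
    verdict=$(classify_nat_listing "$st" "$out")
    case "$verdict" in
        compatible)
            echo "ok: iptables can read the nat table; podman network setup should work"
            ;;
        nft-incompatible)
            echo "blocked: nat table was created by nft; podman's iptables call will fail:"
            echo "$out"
            echo "--- nft view of the ip nat table (look for masquerade rules) ---"
            nft list table ip nat 2>&1
            ;;
        *)
            echo "error: iptables failed for another reason:"
            echo "$out"
            ;;
    esac
    return "$st"
}
```

Run `check_podman_nat_preflight` before creating a container; a non-zero exit with the "blocked" message means the nftables-managed nat table, not podman itself, is the cause.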