Setting IPMasquerade on a systemd-managed interface (e.g. for running an nspawn
container) automatically sets up a "masquerade" netfilter entry. If an iptables
ruleset exists already, it adds to it. (I think)

But what if I want to change my other firewall rules (unrelated to the
container) without breaking the container's networking? How would I get the
systemd-generated rule added back in?

Example (in Arch):

1. System boots
2. systemd starts iptables.service, which reads its rules from
   /etc/iptables/iptables.rules
3. I start a container with nspawn -n, so networkd adds the equivalent of
       -A POSTROUTING -s 10.0.0.0/28 -j MASQUERADE
   to the ruleset. (At least I think it does.) Everything works fine.
4. I change my firewall rules by editing /etc/iptables/iptables.rules
5. systemctl restart iptables

and voilà, my container's network is broken.

It'd be nice if there were some way of saying:
    cat /etc/iptables/iptables.rules /run/systemd/iptables/rules | iptables-restore
in iptables.service.

Or is there some other way of accomplishing this?

Thanks,

Johannes.
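One way to keep the container's masquerade rule across an iptables restart is to merge it into the nat section of the saved ruleset before handing the result to iptables-restore, rather than concatenating two files. The script below is an added example, not code from the original post or from systemd: it assumes the ruleset is in iptables-save format (a `*nat` section closed by `COMMIT`), takes the rule as one `-A ...` line, inserts it only if it is not already present, and creates a minimal `*nat` section if the ruleset has none. The sample ruleset in the usage section is constructed for illustration; the MASQUERADE rule is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post or systemd): merge one rule into
# the "*nat" section of an iptables-save style ruleset without duplicating it.
# Assumptions: ruleset text is in iptables-save format; the rule is a single
# "-A ..." line exactly as it should appear in the nat section.

# merge_nat_rule RULESET_TEXT RULE  -> prints the merged ruleset on stdout
merge_nat_rule() {
    _rules="$1"
    _rule="$2"
    # Idempotence: if the exact rule line is already there, return unchanged.
    if printf '%s\n' "$_rules" | grep -Fxq -- "$_rule"; then
        printf '%s\n' "$_rules"
        return 0
    fi
    # Otherwise place the rule just before the COMMIT that closes "*nat";
    # if there is no nat section at all, append a minimal one at the end.
    printf '%s\n' "$_rules" | awk -v rule="$_rule" '
        /^\*nat$/               { in_nat = 1; seen_nat = 1 }
        in_nat && /^COMMIT$/    { print rule; in_nat = 0 }
        { print }
        END {
            if (!seen_nat) {
                print "*nat"
                print ":POSTROUTING ACCEPT [0:0]"
                print rule
                print "COMMIT"
            }
        }'
}

# count_rule RULESET_TEXT RULE -> number of lines exactly equal to RULE
count_rule() {
    printf '%s\n' "$1" | grep -Fxc -- "$2" || true
}

# Usage (constructed sample ruleset; the rule is the one from the post):
#   merged=$(merge_nat_rule "$(cat /etc/iptables/iptables.rules)" \
#                           '-A POSTROUTING -s 10.0.0.0/28 -j MASQUERADE')
#   printf '%s\n' "$merged" | iptables-restore
```

Running `iptables-restore` on the merged text (instead of on the two files concatenated) keeps the masquerade rule inside the nat table it belongs to, and because the merge checks for the rule first, re-running the script after every edit of /etc/iptables/iptables.rules will not stack duplicate MASQUERADE entries.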

_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel