NixOS, nftables and Podman
I've switched to the nftables-only firewall on NixOS by adding the following option to my configuration.nix:
networking.nftables.enable = true;
Everything went well, but some of my Podman containers stopped working. I got the following error on some of them:
Uncaught PDOException: PDO::__construct(): php_network_getaddresses: getaddrinfo for mariadb failed: Temporary failure in name resolution
A simple check shows that DNS resolution inside the container is broken:
# podman exec -it wishthis getent hosts mariadb
[no response]
#
It seems that the containers that do not work are all on the second network, called reverse (podman network inspect reverse shows its bridge interface under network_interface; here it is podman2):
# podman network list
NETWORK ID    NAME     DRIVER
000000000000  podman   bridge
89192dd0cbc4  reverse  bridge
Netavark accepts these DNS queries itself (the NETAVARK_INPUT chain in the ruleset below is counting them), but that is not enough: nftables runs every base chain hooked on input, an accept in one chain only ends that chain, and a drop anywhere is final. The query therefore still has to pass the NixOS firewall's own input chain, whose default policy is drop. The default podman network is evidently allowed there already (its containers resolve names fine), while the bridge of the reverse network, podman2, is not. The solution I've found is to add the following rule to configuration.nix:
networking.firewall.extraInputRules = "iifname \"podman2\" udp dport 53 accept";
After a "nixos-rebuild switch" the firewall is regenerated and the input chain now accepts DNS (UDP port 53) arriving on the podman2 bridge:
# nft list ruleset
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
  chain INPUT {
    type filter hook input priority filter; policy accept;
    counter packets 383595 bytes 45668336 jump nixos-firewall-local-only
    counter packets 18306161 bytes 1938148280 jump NETAVARK_INPUT
  }
  chain NETAVARK_ISOLATION_2 {
  }
  chain NETAVARK_ISOLATION_3 {
    oifname "podman2" counter packets 0 bytes 0 drop
    counter packets 0 bytes 0 jump NETAVARK_ISOLATION_2
  }
  chain NETAVARK_INPUT {
    ip saddr 10.89.1.0/24 udp dport 53 counter packets 57797 bytes 4295138 accept
    ip saddr 10.89.1.0/24 tcp dport 53 counter packets 0 bytes 0 accept
  }
[...]
    iifname "podman2" udp dport 53 accept
[...]
To verify that everything works, we can check on the container Bob that DNS resolution is working again:
# podman exec -it Bob getent hosts mariadb
10.89.1.46 mariadb.dns.podman mariadb.dns.podman mariadb
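The fragment below is an added example, not configuration from the original post. It generalises the fix in two ways a practitioner may prefer: the declarative per-interface form of the NixOS firewall, and a raw nftables rule that covers every Podman bridge while still only opening port 53. It also opens TCP 53, because netavark's own NETAVARK_INPUT chain above accepts both UDP and TCP 53 (TCP is used when an answer does not fit in one UDP datagram). Two values are assumptions: that the reverse network's bridge is still named podman2 (check the network_interface field of podman network inspect reverse), and that all Podman networks sit in netavark's default subnet pool 10.89.0.0/16 (adjust to the subnets podman network inspect actually reports). Either variant alone is sufficient; both are shown so the difference is visible.

```nix
# Added example (not from the original post): configuration.nix fragment
# generalising the DNS fix for Podman bridges on the NixOS nftables firewall.
{ ... }:

{
  networking.nftables.enable = true;
  virtualisation.podman.enable = true;

  # Variant 1: the declarative NixOS form, one bridge at a time. Works with
  # both the iptables and the nftables backend. aardvark-dns is reachable on
  # UDP and TCP 53, so open both (netavark's own chain does the same).
  # ASSUMPTION: "podman2" is the bridge of the reverse network; confirm with
  #   podman network inspect reverse   (field "network_interface").
  networking.firewall.interfaces."podman2" = {
    allowedUDPPorts = [ 53 ];
    allowedTCPPorts = [ 53 ];
  };

  # Variant 2: raw nftables rules appended to the NixOS firewall's input
  # chain. This option is only honoured when networking.nftables.enable is
  # set. The wildcard covers bridges created later (podman3, podman4, ...);
  # limiting the source to the container pool keeps the rule from accepting
  # DNS from anything else that might one day sit behind a podman* interface.
  # Only port 53 is opened; all other traffic still hits the default drop.
  # ASSUMPTION: 10.89.0.0/16 is netavark's default subnet pool on this host.
  networking.firewall.extraInputRules = ''
    iifname "podman*" ip saddr 10.89.0.0/16 udp dport 53 accept
    iifname "podman*" ip saddr 10.89.0.0/16 tcp dport 53 accept
  '';
}
```

After nixos-rebuild switch, nft list ruleset should show the new accept lines in the NixOS firewall's input chain, and getent hosts from a container on the reverse network should resolve as in the check above. Keep the accept limited to port 53 rather than trusting the whole bridge: aardvark-dns is the only host service a container needs to reach through that interface.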