Skip to content

Podman fails to clean dnat rules for restarted/recreated containers #27516

Description

@eduelias

Issue Description

We have around 1100 machines running podman and some of them present this problem.

After a container having a port exposure (like 3001) restarts, the DNAT rule for the previous version of the container is still left behind and, when the new container spins up, the DNAT rules are added at the bottom, being evaluated last.

Then the port-forwarding fails as the DNAT rules get evaluated top-down and then the the packages are forwarded to the previous IP address, not the current one.

Broken machine:

$ nft list ruleset | grep "tcp dport 3001"
		tcp dport 3001 jump nv_2f259bab_10_88_0_0_nm16_dnat
		tcp dport 3001 dnat ip to 10.88.0.20:3001 <-- Previous IP address
		ip saddr 10.88.0.0/16 tcp dport 3001 jump NETAVARK-HOSTPORT-SETMARK
		ip saddr 127.0.0.1 tcp dport 3001 jump NETAVARK-HOSTPORT-SETMARK
		tcp dport 3001 dnat ip to 10.88.0.28:3001

Working machine:

$ nft list ruleset | grep "tcp dport 3001"
		tcp dport 3001 jump nv_2f259bab_10_88_0_0_nm16_dnat
		ip saddr 10.88.0.0/16 tcp dport 3001 jump NETAVARK-HOSTPORT-SETMARK
		ip saddr 127.0.0.1 tcp dport 3001 jump NETAVARK-HOSTPORT-SETMARK
		tcp dport 3001 dnat ip to 10.88.0.51:3001

I tried to find this issue reported but I didn't. We found something at netavark here but nothing referenced in this repo.

Steps to reproduce the issue

Steps to reproduce the issue

  1. Run a container exposing the port 3001
  2. Restart several times
  3. nft list ruleset | grep "tcp dport 3001"

Describe the results you received

You should see two IPs pointing to the same 3001 port eventually.

Describe the results you expected

Only one IP should point to the same port, ever.

podman info output

# podman info
host:
  arch: arm64
  buildahVersion: 1.38.1
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-3.fc41.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 85.99
    systemPercent: 6.69
    userPercent: 7.32
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: iot
    version: "41"
  eventLogger: journald
  freeLocks: 2041
  hostname: 218776-00000000c343d085
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.12.10-200.fc41.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 70037504
  memTotal: 965046272
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.fc41.aarch64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.fc41.aarch64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19.1-1.fc41.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250121.g4f2c8e7-2.fc41.aarch64
    version: |
      pasta 0^20250121.g4f2c8e7-2.fc41.aarch64-pasta
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.1-1.fc41.aarch64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.5
  swapFree: 676511744
  swapTotal: 964685824
  uptime: 173h 45m 44.00s (Approximately 7.21 days)
  variant: v8
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 7
    paused: 0
    running: 6
    stopped: 1
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 14694191104
  graphRootUsed: 10351955968
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 11
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.3.2
  Built: 1737504000
  BuiltTime: Wed Jan 22 00:00:00 2025
  GitCommit: ""
  GoVersion: go1.23.4
  Os: linux
  OsArch: linux/arm64
  Version: 5.3.2

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

Additional environment details

Additional information

It happens to ~10% of our fleet of 1100 machines.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugweekkind/bugCategorizes issue or PR as related to a bug.networkNetworking related issue or featuretriagedIssue has been triaged

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions