Issue Description
We have around 1100 machines running podman and some of them present this problem.
After a container having a port exposure (like 3001) restarts, the DNAT rule for the previous version of the container is still left behind and, when the new container spins up, the DNAT rules are added at the bottom, being evaluated last.
Then the port-forwarding fails as the DNAT rules get evaluated top-down and then the the packages are forwarded to the previous IP address, not the current one.
Broken machine:
$ nft list ruleset | grep "tcp dport 3001"
tcp dport 3001 jump nv_2f259bab_10_88_0_0_nm16_dnat
tcp dport 3001 dnat ip to 10.88.0.20:3001 <-- Previous IP address
ip saddr 10.88.0.0/16 tcp dport 3001 jump NETAVARK-HOSTPORT-SETMARK
ip saddr 127.0.0.1 tcp dport 3001 jump NETAVARK-HOSTPORT-SETMARK
tcp dport 3001 dnat ip to 10.88.0.28:3001
Working machine:
$ nft list ruleset | grep "tcp dport 3001"
tcp dport 3001 jump nv_2f259bab_10_88_0_0_nm16_dnat
ip saddr 10.88.0.0/16 tcp dport 3001 jump NETAVARK-HOSTPORT-SETMARK
ip saddr 127.0.0.1 tcp dport 3001 jump NETAVARK-HOSTPORT-SETMARK
tcp dport 3001 dnat ip to 10.88.0.51:3001
I tried to find this issue reported but I didn't. We found something at netavark here but nothing referenced in this repo.
Steps to reproduce the issue
Steps to reproduce the issue
- Run a container exposing the port
3001
- Restart several times
nft list ruleset | grep "tcp dport 3001"
Describe the results you received
You should see two IPs pointing to the same 3001 port eventually.
Describe the results you expected
Only one IP should point to the same port, ever.
podman info output
# podman info
host:
arch: arm64
buildahVersion: 1.38.1
cgroupControllers:
- cpuset
- cpu
- io
- memory
- pids
- rdma
- misc
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.1.12-3.fc41.aarch64
path: /usr/bin/conmon
version: 'conmon version 2.1.12, commit: '
cpuUtilization:
idlePercent: 85.99
systemPercent: 6.69
userPercent: 7.32
cpus: 4
databaseBackend: sqlite
distribution:
distribution: fedora
variant: iot
version: "41"
eventLogger: journald
freeLocks: 2041
hostname: 218776-00000000c343d085
idMappings:
gidmap: null
uidmap: null
kernel: 6.12.10-200.fc41.aarch64
linkmode: dynamic
logDriver: journald
memFree: 70037504
memTotal: 965046272
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns-1.13.1-1.fc41.aarch64
path: /usr/libexec/podman/aardvark-dns
version: aardvark-dns 1.13.1
package: netavark-1.13.1-1.fc41.aarch64
path: /usr/libexec/podman/netavark
version: netavark 1.13.1
ociRuntime:
name: crun
package: crun-1.19.1-1.fc41.aarch64
path: /usr/bin/crun
version: |-
crun version 1.19.1
commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
rundir: /run/user/0/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
os: linux
pasta:
executable: /usr/bin/pasta
package: passt-0^20250121.g4f2c8e7-2.fc41.aarch64
version: |
pasta 0^20250121.g4f2c8e7-2.fc41.aarch64-pasta
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
remoteSocket:
exists: true
path: /run/podman/podman.sock
rootlessNetworkCmd: pasta
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: false
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.3.1-1.fc41.aarch64
version: |-
slirp4netns version 1.3.1
commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
libslirp: 4.8.0
SLIRP_CONFIG_VERSION_MAX: 5
libseccomp: 2.5.5
swapFree: 676511744
swapTotal: 964685824
uptime: 173h 45m 44.00s (Approximately 7.21 days)
variant: v8
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries:
search:
- registry.fedoraproject.org
- registry.access.redhat.com
- docker.io
store:
configFile: /usr/share/containers/storage.conf
containerStore:
number: 7
paused: 0
running: 6
stopped: 1
graphDriverName: overlay
graphOptions:
overlay.imagestore: /usr/lib/containers/storage
overlay.mountopt: nodev,metacopy=on
graphRoot: /var/lib/containers/storage
graphRootAllocated: 14694191104
graphRootUsed: 10351955968
graphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "false"
Supports d_type: "true"
Supports shifting: "true"
Supports volatile: "true"
Using metacopy: "true"
imageCopyTmpDir: /var/tmp
imageStore:
number: 11
runRoot: /run/containers/storage
transientStore: false
volumePath: /var/lib/containers/storage/volumes
version:
APIVersion: 5.3.2
Built: 1737504000
BuiltTime: Wed Jan 22 00:00:00 2025
GitCommit: ""
GoVersion: go1.23.4
Os: linux
OsArch: linux/arm64
Version: 5.3.2
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
No
Additional environment details
Additional environment details
Additional information
It happens to ~10% of our fleet of 1100 machines.
Issue Description
We have around 1100 machines running podman and some of them present this problem.
After a container having a port exposure (like 3001) restarts, the DNAT rule for the previous version of the container is still left behind and, when the new container spins up, the DNAT rules are added at the bottom, being evaluated last.
Then the port-forwarding fails as the DNAT rules get evaluated top-down and then the the packages are forwarded to the previous IP address, not the current one.
Broken machine:
Working machine:
I tried to find this issue reported but I didn't. We found something at netavark here but nothing referenced in this repo.
Steps to reproduce the issue
Steps to reproduce the issue
3001nft list ruleset | grep "tcp dport 3001"Describe the results you received
You should see two IPs pointing to the same 3001 port eventually.
Describe the results you expected
Only one IP should point to the same port, ever.
podman info output
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
No
Additional environment details
Additional environment details
Additional information
It happens to ~10% of our fleet of 1100 machines.