Firewalld port redirect to rootless podman container

Question

I'm having a podman container running rootless on port 8080 and 8443. But I want to have access to them on port 80 and 443.

This is working quite well with firewalld and this command:

firewall-cmd \
  --add-rich-rule "rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080" \
  --add-rich-rule "rule family=ipv6 forward-port port=80 protocol=tcp to-port=8080" \
  --add-rich-rule "rule family=ipv4 forward-port port=443 protocol=tcp to-port=8443" \
  --add-rich-rule "rule family=ipv6 forward-port port=443 protocol=tcp to-port=8443" \
  --add-rich-rule "rule family=ipv4 forward-port port=443 protocol=udp to-port=8443" \
  --add-rich-rule "rule family=ipv6 forward-port port=443 protocol=udp to-port=8443"
firewall-cmd --add-masquerade

But I don't see the correct source IP within the container, it's always the IP of the container itself. I tried also with iptables rules:

firewall-cmd --direct --add-rule ipv4 nat PREROUTING  0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -p tcp --dport 8080 -j MASQUERADE

Answer 1

Found out this is actually a quirk of the podman slirp2netns network driver:

slirp4netns[:OPTIONS,…]: use slirp4netns(1) to create a user network stack. It is possible to specify these additional options, they can also be set with network_cmd_options in containers.conf:

...

port_handler=rootlesskit: Use rootlesskit for port forwarding. Default. Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually 10.0.2.100. If the application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks.