Container with bridge implicitly enables IPv4 forwarding on ALL interfaces #1125

@troglobit

Description

Current Behavior

Setting up a container attached to a container bridge causes the CNI bridge plugin to enable IPv4 forwarding (ingress) on all interfaces. (See below, Steps to Reproduce for an example.)

This behavior is not unique to CNI; had Infix been running an upgraded Podman with Netavark, the behavior would have been the same.

Expected Behavior

Infix is supposed to be the sole manager of IP forwarding on interfaces.

The only way around this is to:

  1. Support for basic firewall, NAT, IP masquerading, port forwarding #448
  2. Refactor confd:cni.c to not set up bridge in managed mode
  3. Auto-generate, or inject, firewall rules based on config

Steps To Reproduce

Start Infamy on full build of Infix:

10:43:53 infamy0:test # ./case/infix_containers/container_bridge/test.py

The following output is from the DUT the test ran on:

$ sysctl -a 2>/dev/null |grep '\.forwarding'
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.docker0.forwarding = 1
net.ipv4.conf.e1.forwarding = 1
net.ipv4.conf.e2.forwarding = 1
net.ipv4.conf.e3.forwarding = 1
net.ipv4.conf.e4.forwarding = 1
net.ipv4.conf.e5.forwarding = 1
net.ipv4.conf.e7.forwarding = 1
net.ipv4.conf.e8.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.veth63fa09f5.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.docker0.forwarding = 1
net.ipv6.conf.e1.forwarding = 1
net.ipv6.conf.e2.forwarding = 1
net.ipv6.conf.e3.forwarding = 1
net.ipv6.conf.e4.forwarding = 1
net.ipv6.conf.e5.forwarding = 1
net.ipv6.conf.e7.forwarding = 1
net.ipv6.conf.e8.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.veth63fa09f5.forwarding = 1

Additional information

This explains why running the infix_containers.yaml test suite multiple times fails: Infix resets the forwarding state to the default (disabled), and although CNI does echo 1 > /proc/sys/net/ipv4/ip_forward, it only "bites" the first time.
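The sysctl dump above shows the symptom, but a test or a boot-time check wants it in machine-readable form: which interfaces actually have forwarding on, and which of those the network manager never configured. The following shell script is an added example and is not part of Infix, CNI or this issue; it parses sysctl -a output (the embedded sample is constructed from the report's output) and reports per-interface forwarding drift against an allow-list of interfaces the operator intends to forward on. Function names and the allow-list are illustrative assumptions. Note that the kernel's net.ipv4.ip_forward knob fans out to every net.ipv4.conf.*.forwarding entry only when its own value changes, which is why the "echo 1" in the report has no effect once the per-interface flags have been reset underneath it; auditing the per-interface entries, as done here, catches that case.

```shell
#!/bin/sh
# Added example (not Infix or CNI code): audit per-interface IP forwarding
# state from `sysctl -a` output and flag interfaces that were not meant to
# forward. Function names and the allow-list are illustrative assumptions.

# Constructed sample, modelled on the sysctl output in the report above.
SAMPLE_SYSCTL='net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.docker0.forwarding = 1
net.ipv4.conf.e1.forwarding = 1
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.veth63fa09f5.forwarding = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.e1.forwarding = 0'

# forwarding_ifaces FAMILY: read sysctl lines on stdin and print the
# interfaces (excluding the all/default pseudo-entries) whose forwarding
# flag is 1, sorted. sysctl -a renders dots in interface names (e.g. VLAN
# "e1.10") as "/", so "[^.]*" matches one whole interface name.
forwarding_ifaces() {
    fam="$1"
    sed -n "s/^net\.${fam}\.conf\.\([^.]*\)\.forwarding = 1$/\1/p" |
        grep -v -e '^all$' -e '^default$' | sort
}

# unexpected_forwarding FAMILY ALLOWED...: print the interfaces with
# forwarding enabled that are not in the allow-list (the set the network
# manager itself configured). Reads sysctl lines on stdin.
unexpected_forwarding() {
    fam="$1"; shift
    allowed=" $* "
    for ifc in $(forwarding_ifaces "$fam"); do
        case "$allowed" in
            *" $ifc "*) ;;            # explicitly allowed, stay quiet
            *) echo "$ifc" ;;         # drift: someone else enabled it
        esac
    done
}

# audit_host FAMILY ALLOWED...: run the check against the live sysctl tree
# of this host; returns 1 (and reports on stderr) if any drift is found.
audit_host() {
    fam="$1"; shift
    drift=$(sysctl -a 2>/dev/null | unexpected_forwarding "$fam" "$@")
    if [ -n "$drift" ]; then
        echo "forwarding enabled outside config ($fam):" $drift >&2
        return 1
    fi
    return 0
}

# Offline demonstration on the constructed sample: docker0 and the veth are
# the bridge side we expect; e1 is reported as drift.
printf '%s\n' "$SAMPLE_SYSCTL" | unexpected_forwarding ipv4 docker0 veth63fa09f5
```

Run audit_host ipv4 docker0 veth63fa09f5 (with whatever allow-list matches the configured bridge) from a test teardown or a post-commit hook to confirm that only the intended interfaces forward; an unexpected entry such as a plain front-panel port is exactly the regression this issue describes.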

Labels

bug (Something isn't working), triage (Pending investigation & classification (CCB))