Hi Johannes

You can make the changes w/o tearing down the iptables.

I must admit I have been known to make changes directly to the iptables rules file myself, but reloading the firewall for every change isn't always practicable. Because of that I have adopted a policy of making the change to the running firewall, and then doing an

iptables-save > /etc/iptables/iptables.rules

The reason the container's networking breaks when you restart iptables is that the masquerade rule is added to the running iptables only and not written to the file.

Bear in mind though that if you do save iptables with iptables-save ... whilst your container is running, the masquerade rule will also be saved.

Hope this helps

On 21 November 2015 at 04:36, Johannes Ernst <johannes.er...@gmail.com> wrote:
> Setting IPMasquerade on a systemd-managed interface (e.g. for running an
> nspawn container) automatically sets up a "masquerade" netfilter entry. If
> an iptables ruleset exists already, it adds to it. (I think)
>
> But what if I want to change my other firewall rules (unrelated to the
> container) without breaking the container's networking? How would I get the
> systemd-generated rule added back in?
>
> Example (in Arch):
>
> 1. System boots
> 2. systemd starts iptables.service, which reads its rules from
>    /etc/iptables/iptables.rules
> 3. I start a container with nspawn -n, so networkd adds the equivalent of
>    -A POSTROUTING -s 10.0.0.0/28 -j MASQUERADE
>    to the ruleset. (At least I think it does.) Everything works fine.
> 4. I change my firewall rules by editing /etc/iptables/iptables.rules
> 5. system restart iptables
>
> and voila, my container's network is broken.
>
> It'd be nice if there were some way of saying:
>     cat /etc/iptables/iptables.rules /run/systemd/iptables/rules | iptables-restore
> in iptables.service.
>
> Or is there some other way of accomplishing this?
>
> Thanks,
>
> Johannes.
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
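A preflight check for the problem discussed in this thread, added here as an example; it is not code from the thread, from systemd or from Arch's iptables.service. The two rulesets are constructed sample iptables-save output, the subnet 10.0.0.0/28 is the one from Johannes' mail, and the function names tag_rules, unsaved_rules and persistable_rules are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: before reloading iptables.service,
# compare the running ruleset with the saved file so that rules added at
# runtime (here networkd's MASQUERADE rule) are not dropped unnoticed.
# Function and variable names are this example's own.

# Constructed sample: the saved file as written before the container existed.
SAVED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Constructed sample: iptables-save output while the nspawn container is up.
# The only difference is the POSTROUTING rule the thread describes.
RUNNING_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/28 -j MASQUERADE
COMMIT'

# Print every "-A" rule of an iptables-save style ruleset, prefixed with its
# table name, so identical rule text in two tables is not confused.
tag_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/  { table = substr($0, 2); next }
        /^-A / { print table " " $0 }'
}

# Rules present in the first ruleset but absent from the second.
#   unsaved_rules "$(iptables-save)" "$(cat /etc/iptables/iptables.rules)"
# lists exactly what a restart of iptables.service would throw away.
unsaved_rules() {
    {
        tag_rules "$2" | sed 's/^/S /'
        tag_rules "$1" | sed 's/^/R /'
    } | awk '
        $1 == "S" { sub(/^S /, ""); saved[$0] = 1; next }
        $1 == "R" { sub(/^R /, ""); if (!($0 in saved)) print }'
}

# The reply's caveat: iptables-save taken while the container runs captures
# the MASQUERADE rule, and that NAT rule then comes back at every boot even
# when no container is running. Drop the rule for the container subnet before
# writing the file, e.g.
#   persistable_rules "$(iptables-save)" 10.0.0.0/28 > /etc/iptables/iptables.rules
persistable_rules() {
    printf '%s\n' "$1" | grep -Fv -- "-s $2 -j MASQUERADE"
}

# Demonstration on the constructed samples: prints the one rule that exists
# only in the kernel, which is the rule Johannes lost on the restart.
echo "Rules a reload of the saved file would drop:"
unsaved_rules "$RUNNING_RULES" "$SAVED_RULES"
```

Run unsaved_rules against live iptables-save output and the saved file before restarting iptables.service; anything it lists exists only in the kernel and is gone after the reload. persistable_rules covers the other direction from the reply: it strips the container's MASQUERADE rule before the running state is written to disk, so the NAT rule is not loaded unconditionally at every boot. It matches only the exact single-rule form quoted in the thread; if networkd installs the rule with different text on your system, adjust the pattern to what iptables-save actually prints.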