Attaching container to a network with any routes defined results in fail #930

Open
CDFN opened this issue Feb 19, 2024 · 3 comments

@CDFN

CDFN commented Feb 19, 2024

Creating a network with podman network create --route 10.1.0.0/24,1.1.1.1 --opt no_default_route=1 testserver:

[
     {
          "name": "testserver",
          "id": "dcc38ca4c22e02f94beb62aea608ef13ad14b466f9815bcc284a78e4da9af3a5",
          "driver": "bridge",
          "network_interface": "podman6",
          "created": "2024-02-19T02:36:20.158376838+01:00",
          "subnets": [
               {
                    "subnet": "10.89.6.0/24",
                    "gateway": "10.89.6.1"
               }
          ],
          "routes": [
               {
                    "destination": "10.1.0.0/24",
                    "gateway": "1.1.1.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": true,
          "options": {
               "no_default_route": "true"
          },
          "ipam_options": {
               "driver": "host-local"
          }
     }
]

and then attaching a container to it results in DEBU[0000] ExitCode msg: "netavark (exit code 1): netlink error: network is unreachable (os error 101)". This happens whenever I add any route to that network. Without it, everything works. Worth mentioning: the network is unavailable in the container after attaching it to this network (even though the attach was unsuccessful). It is also unavailable for a network without the no_default_route opt.

Creating a network with podman network create --opt no_default_route=1 testserver results in this network:

[
     {
          "name": "testserver",
          "id": "04435b5b0e18173c897137ead3387092fc27e9957d005ef6601180ea41597ed4",
          "driver": "bridge",
          "network_interface": "podman7",
          "created": "2024-02-19T10:54:13.700210416+01:00",
          "subnets": [
               {
                    "subnet": "10.89.7.0/24",
                    "gateway": "10.89.7.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": true,
          "options": {
               "no_default_route": "true"
          },
          "ipam_options": {
               "driver": "host-local"
          }
     }
]

Attach works fine; as expected, the network doesn't work due to no_default_route.

My goal is to block access to private network ranges via routes.

Am I doing something wrong, or is it possibly a netavark bug? Thank you in advance.

@Luap99 (Member)

Luap99 commented Feb 19, 2024

This is a config issue: if you add a route, the gateway (next-hop) address must be reachable. The kernel validates this, hence the "network is unreachable" error from the kernel.

If you set the gateway for the route to 127.0.0.1 then it should work, I think, although it is not really nice; I am not sure if it has any downsides.

Sounds like what you really want is a blackhole or unreachable route, i.e. ip route add blackhole 192.168.255.0/24.
This is not what we support today but could certainly be added.
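The next-hop check described above, as an added pre-flight validator (example code written for this thread, not netavark's or podman's own logic): it parses podman --route values of the form DEST,GATEWAY (an optional third metric field is ignored) and flags any gateway that is not on-link for the network's subnets or loopback, which is the condition that produces the ENETUNREACH error in the report. This is an approximation of the kernel's FIB lookup, not a reimplementation of it.

```python
import ipaddress

# Loopback is always up inside the container netns, so a 127.0.0.0/8
# next-hop is reachable even when the bridge subnet does not contain it.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_route(route_arg):
    """Parse a podman --route value 'DEST,GATEWAY[,METRIC]'; metric is ignored."""
    parts = route_arg.split(",")
    if len(parts) < 2:
        raise ValueError(f"route {route_arg!r} needs DEST,GATEWAY")
    dest = ipaddress.ip_network(parts[0].strip(), strict=False)
    gateway = ipaddress.ip_address(parts[1].strip())
    if dest.version != gateway.version:
        raise ValueError(f"route {route_arg!r} mixes IPv{dest.version} and IPv{gateway.version}")
    return dest, gateway


def gateway_is_onlink(gateway, subnets):
    """Approximate the kernel's next-hop check: the gateway must be directly
    reachable, i.e. inside one of the bridge's subnets or inside loopback."""
    if gateway in LOOPBACK:
        return True
    return any(gateway in net for net in subnets)


def check_routes(subnets, route_args):
    """Return {route_arg: reason} for routes the kernel would reject as unreachable."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    problems = {}
    for arg in route_args:
        _dest, gateway = parse_route(arg)
        if not gateway_is_onlink(gateway, nets):
            joined = ", ".join(str(n) for n in nets)
            problems[arg] = f"next-hop {gateway} is not on-link for {joined}"
    return problems


if __name__ == "__main__":
    # Constructed sample: the subnet netavark assigned in the report, the
    # failing route from the report, and the 127.0.0.1 variant from the reply.
    subnet = ["10.89.6.0/24"]
    for route in ["10.1.0.0/24,1.1.1.1", "10.0.0.0/8,127.0.0.1"]:
        print(route, "->", check_routes(subnet, [route]) or "ok")
```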

@CDFN (Author)

CDFN commented Feb 19, 2024

Thank you for your quick response. Certainly that was a config error, as with an existing route everything works perfectly. However, setting the route to 127.0.0.1 doesn't solve my problem (it doesn't prevent connections to the specified range). Something like a blackhole route would be the ideal solution for my problem. I might look around to see how difficult it is to add this feature. Thank you for your input once again!

@CDFN (Author)

CDFN commented Feb 19, 2024

Actually, it does solve my problem; I just used the wrong route (10.0.0.0/24 instead of 10.0.0.0/8). I'm sorry for the confusion 😁
