I am running a custom-built firewall application on my OpenWRT router. This application manipulates the iptables rules and routing table rules dynamically based on packet patterns. This application works perfectly:
- When embedded as a package inside the OpenWRT firmware.
- When run inside a privileged LXC container.
- When run inside a privileged Docker container.
Now, I want to run this inside an unprivileged container. And I don't even know where to start :)
AFAICT, in an unprivileged container, the network namespace is NOT shared. Then any manipulation of the iptables or routing rules is limited to the container and is not shared with the host. The question(s) I have are:
- The first problem is for the firewall application to intercept the packets on the OpenWRT host. Is there any means to forward the packets to the container from the host?
- The second problem is to transfer/translate the iptables rules from the container to the host. Is this possible? I am aware we can run an agent on the host/OpenWRT that can use UDS (or a socket) to communicate with the application inside the container. But is there any other option without making design changes?
Any pointers will be helpful. I am open to solutions on both Docker and LXC.
Thanks in advance, Stackers.
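An added example of the host-side agent option the question mentions, written here for illustration (it is not the asker's code and is not part of OpenWrt, Docker or LXC). It addresses the second problem only: the container keeps no NET_ADMIN on the host and sends a small JSON rule request over a Unix domain socket; the host-side broker validates the request against a fixed allow-list and builds an `iptables` argv itself, so no container-controlled string ever reaches a shell or an unexpected table. The socket path `/var/run/fwbroker.sock`, the policy sets, the interface names `br-lan`/`eth0` and the JSON field names are all assumptions made for this example.

```python
# Added example (not the asker's code): host-side iptables "rule broker" for
# the agent-over-Unix-domain-socket design. Socket path, policy sets,
# interface names and JSON field names are assumptions for illustration.
import json
import os
import re
import socket
import subprocess

SOCKET_PATH = "/var/run/fwbroker.sock"   # assumed; bind-mount this into the container

# Policy: the only tables, chains, targets, interfaces and protocols the
# container is allowed to use. Everything else is rejected before iptables runs.
ALLOWED_CHAINS = {"filter": {"INPUT", "FORWARD"}}
ALLOWED_TARGETS = {"ACCEPT", "DROP", "REJECT"}
ALLOWED_IFACES = {"br-lan", "eth0"}      # assumed OpenWrt interface names
ALLOWED_PROTOS = {"tcp", "udp", "icmp"}
OPS = {"append": "-A", "insert": "-I", "delete": "-D"}
IPV4_CIDR = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?$")


def valid_cidr(value):
    """True for a syntactically valid IPv4 address or CIDR prefix."""
    m = IPV4_CIDR.match(value) if isinstance(value, str) else None
    if not m:
        return False
    octets = [int(m.group(i)) for i in range(1, 5)]
    prefix = int(m.group(5)) if m.group(5) is not None else 32
    return all(o <= 255 for o in octets) and prefix <= 32


def build_iptables_argv(req):
    """Translate a request dict into an iptables argv; ValueError if off-policy."""
    if not isinstance(req, dict):
        raise ValueError("request must be a JSON object")
    op, table = req.get("op"), req.get("table", "filter")
    chain, target = req.get("chain"), req.get("target")
    if op not in OPS:
        raise ValueError("unsupported op")
    if table not in ALLOWED_CHAINS or chain not in ALLOWED_CHAINS[table]:
        raise ValueError("table/chain not permitted")
    if target not in ALLOWED_TARGETS:
        raise ValueError("target not permitted")
    argv = ["iptables", "-t", table, OPS[op], chain]
    for key, flag in (("src", "-s"), ("dst", "-d")):
        if key in req:
            if not valid_cidr(req[key]):
                raise ValueError("bad " + key)
            argv += [flag, req[key]]
    if "in_iface" in req:
        if req["in_iface"] not in ALLOWED_IFACES:
            raise ValueError("interface not permitted")
        argv += ["-i", req["in_iface"]]
    if "proto" in req:
        if req["proto"] not in ALLOWED_PROTOS:
            raise ValueError("protocol not permitted")
        argv += ["-p", req["proto"]]
    if "dport" in req:
        port = req["dport"]
        # --dport is only meaningful with -p; silently dropping it would widen the rule
        if "proto" not in req or not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError("bad dport")
        argv += ["--dport", str(port)]
    return argv + ["-j", target]


def is_permitted(req):
    """Convenience check: does the policy accept this request at all?"""
    try:
        build_iptables_argv(req)
        return True
    except ValueError:
        return False


def handle_request(line, runner=subprocess.run):
    """Parse one JSON line, apply it through `runner`, return a reply dict.

    `runner` is injectable so the validation path can be exercised without
    a real iptables binary (e.g. in tests or a dry-run mode).
    """
    try:
        argv = build_iptables_argv(json.loads(line))
    except ValueError as exc:          # json.JSONDecodeError is a ValueError
        return {"ok": False, "error": str(exc)}
    result = runner(argv, capture_output=True, text=True, check=False)
    return {"ok": result.returncode == 0, "argv": argv, "stderr": result.stderr.strip()}


def serve(path=SOCKET_PATH):
    """Host-side loop: one JSON request per connection, one JSON reply back."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)              # only root and the socket's group may connect
    srv.listen(4)
    while True:
        conn, _ = srv.accept()
        with conn:
            data = conn.makefile("rb").readline()
            conn.sendall(json.dumps(handle_request(data)).encode() + b"\n")


def send_request(req, path=SOCKET_PATH):
    """Container-side client: send one request and return the broker's reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        cli.sendall(json.dumps(req).encode() + b"\n")
        return json.loads(cli.makefile("rb").readline())


if __name__ == "__main__":
    serve()
```

Run `serve()` as root on the host and bind-mount the socket directory into the container; the application inside then calls `send_request({...})` and needs neither `--privileged` nor `NET_ADMIN`. The allow-list at the top is the piece to review: it is the whole of what a compromised container could do to the host's firewall, which is the point of brokering the rules rather than sharing the namespace.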