contrib/sni-router: document OpenWrt + podman-compose network workaround#523
Merged
Conversation
OpenWrt firewall zones are bound to interface names. With bare podman you can pin the static podman0 bridge into a zone, but podman-compose creates a project-scoped network and netavark spawns a fresh bridge (podman1, podman2, ...) per project — with no firewall rules — so containers lose outbound access. Mark the default network as external/name=podman to attach to the router-managed podman0 instead. Background: #513.
dolonet
added a commit
to dolonet/mtg-multi
that referenced
this pull request
May 31, 2026
…lidation, dcprobe, proxy-protocol listener) Upstream PRs included: - 9seconds#543 upgrade-go: Go 1.26 + goreleaser/gopls/govulncheck/gofumpt/golangci-lint bumps - 9seconds#540 tts-default-value: document default for tolerate-time-skewness - 9seconds#528 consolidate-sni-check: extract shared runSNICheck (doctor + startup warning) - 9seconds#522 sni-router-host-mode-real-ips: HAProxy host networking for real client IPs - 9seconds#496 doctor/rpc-probe: deepen DC verification with MTProto handshake probe (mtglib/dcprobe) [our PR, round-tripped] - 9seconds#505 doctor/sni-dns-message: surface both public IPs in SNI-DNS mismatch - 9seconds#523 docs/sni-router-openwrt-podman - 9seconds#525 contrib/sni-router-config-example: render mtg-config.toml from tracked .example - 9seconds#510 simple-run-proxy-protocol-listener: --proxy-protocol-listener flag - 9seconds#521 docs/required-default-convention; 9seconds#504 prefer-ipv6 default; 9seconds#514 MTG_SECRET envsubst fix Conflict resolutions (preserve fork behavior): - internal/cli: adopt upstream's runSNICheck refactor but parameterize it with an explicit host, so doctor keeps multi-secret semantics (getFirstSecretHost) while the startup warning keeps using conf.Secret.Host as before. - new files (mtglib/dcprobe, internal/cli/sni_check.go): rewrite module path 9seconds/mtg/v2 -> dolonet/mtg-multi. - contrib/sni-router/README.md: keep fork's "upstream discussion 9seconds#513" wording.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Documents a footgun spotted via discussion #513: when the
contrib/sni-routerstack is deployed on OpenWrt withpodman-compose, containers lose outbound network access.Root cause:
podman-compose upcreates a project-scoped network, and netavark spawns a fresh bridge (podman1,podman2, …) for it that has no firewall rules — OpenWrt zones are bound to interface names and only know about the staticpodman0from/etc/init.d/podman.The fix is a one-liner the user adds to their local
docker-compose.yml:This PR just adds a short "OpenWrt + podman-compose" section to the sni-router README explaining this, with links to the discussion and the OpenWrt forum thread where two solutions were vetted. Doc-only; no code, no compose-file change (Docker users see no diff).
Background
Notes
external: trueform over plainname: podmanbecause the router-managedpodman0may have IPAM/driver settings that don't match what compose would otherwise try to assert, leading to "network already exists with different settings".external: truemakes "do not touch this network" explicit.docker-compose.yml— it stays portable for Docker users; the README points OpenWrt users at the local override they need.