From 93db89b165f4aaa60bce6ecce8c6bcc2cdeeef1d Mon Sep 17 00:00:00 2001 From: Alexey Dolotov Date: Mon, 18 May 2026 14:09:11 +0000 Subject: [PATCH] contrib/sni-router: document OpenWrt + podman-compose network workaround MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenWrt firewall zones are bound to interface names. With bare podman you can pin the static podman0 bridge into a zone, but podman-compose creates a project-scoped network and netavark spawns a fresh bridge (podman1, podman2, ...) per project — with no firewall rules — so containers lose outbound access. Mark the default network as external/name=podman to attach to the router-managed podman0 instead. Background: #513. --- contrib/sni-router/README.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/contrib/sni-router/README.md b/contrib/sni-router/README.md index aed6e9301..de307f74b 100644 --- a/contrib/sni-router/README.md +++ b/contrib/sni-router/README.md @@ -114,6 +114,28 @@ domain's DNS A/AAAA record points to this server before starting. └─────────┘ └─────────┘ ``` +## OpenWrt + podman-compose + +OpenWrt's firewall zones are bound to interface *names*. With bare +`podman` you pin the static `podman0` bridge into a zone and you're +done — but `podman-compose up` creates a project-scoped network, and +netavark spawns a *new* bridge for it (`podman1`, `podman2`, …) that +has no firewall rules, so containers lose outbound access. + +Reuse the pre-configured `podman0` by adding to this compose file: + +```yaml +networks: + default: + external: true + name: podman +``` + +That tells compose to attach to the router-managed network instead of +spinning up a new one. Background: +[discussion #513](https://github.com/9seconds/mtg/discussions/513) +and the [OpenWrt forum thread](https://forum.openwrt.org/t/podman-compose-dontt-have-network-access/250230). + ## Files | File | Purpose |
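Review bot: The added README text says "Reuse the pre-configured `podman0`" but the YAML sets `name: podman`; the hunk should say explicitly that `podman` is the name of podman's default network and `podman0` is the bridge interface that network creates, otherwise a reader will likely write `name: podman0` and compose will fail to find the external network. Suggested wording for the lead-in line: "Reuse the pre-configured default network (`podman`, whose bridge interface is `podman0`) by adding to this compose file:". One more sentence would also help readers: with `external: true` compose neither creates nor removes the network on `up`/`down`, and the project's containers now share the host's default podman network (and its OpenWrt firewall zone) with every other container attached to it, so the per-project isolation a fresh bridge would give is deliberately traded away by this workaround.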