how does rootless bridge mode work? E.g. vs. macvlan?

[ebryerwork]

When I start a rootless container, it defaults to using the default bridge driver. How is it possible as non-root to create a bridge to the host system's network? Seems like you'd need to be root. It makes me think this isn't a true bridge. For example, I can't ping or ssh into the container from the host system, so it appears that MAC discovery of the container from the host system is not allowed, and so it's not a true bridge. I also noticed in the man page for podman-network-create:

   --driver, -d
       Driver  to manage the network. Currently bridge, macvlan and ipvlan are
       supported. Defaults to bridge.  As  rootless  the  macvlan  and  ipvlan
       driver  have  no access to the host network interfaces because rootless
       networking requires a separate network namespace.

"because rootless networking requires a separate network namespace." Seems like that would apply to rootless bridge mode as well, no?

[Luap99]

some info: https://podman.io/community/meeting/notes/2021-10-05/Podman-Rootless-Networking.pdf

It is a bit outdated, instead is slirp4nents(1) there is also pasta(1). But really the underlying working is similar. Macvlan is technically possible, it is just that it would try to use the interfaces in the podman unshare --rootless-netns namespace so it doesn't help much.
Basically everything is proxied in user space to the rootless namespace.

[ebryerwork]

Interesting. I read your doc and some of the Wikipedia page on tun/tap. The container's slirp stack connects to a tap device in the container's network namespace. Please excuse me if this is a dumb question, but I've wondered how is rootless podman able to create a link on the host, "cni-podman0", that shows up in the output of ip link show? If I try to do that...

$ ip link add br0 type bridge
RTNETLINK answers: Operation not permitted

[Luap99]

They never create any devices on the host. It is an application running as your uses and that just opens normal sockets to create connections just like any other rootless process would.

cni-podman0 is created on the host when you run as root. It is never used as rootless.

[ebryerwork]

I see what you mean about cni-podman0. Going back to that document you sent a link to, the networking looks like:

HOST NS <-> slip4netns <-> Veth pair <-> container NS

I have found in testing that, using rootless bridge networking, the container NS might have local IP 193.166.3.2 (a real IP our on the Internet) and still function properly. How do the packets make it back to the container NS? Is there ip masquerade network address translation going on in the slip4netns step?

[piotr-dobrogost]

@Luap99 ^

[Luap99]

#22943 (comment)