wrenn/sandbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix guest VM outbound networking and DNS resolution

Browse Source 
Add resolv.conf to wrenn-init so guests can resolve DNS, and fix the
host MASQUERADE rule to match vpeerIP (the actual source after namespace
SNAT) instead of hostIP.
This commit is contained in:
Rafeed M. Bhuiyan
2026-03-11 06:02:31 +06:00
parent b4d8edb65b
commit 0c245e9e1c
2 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
internal/network/setup.go
View File

@ -278,9 +278,11 @@ func CreateNetwork(slot *Slot) error {
}
// MASQUERADE for outbound traffic from sandbox.
// After SNAT inside the namespace, outbound packets arrive on the host
// with source = vpeerIP, so we match on that (not hostIP).
if err := iptablesHost(
"-t", "nat", "-A", "POSTROUTING",
"-s", fmt.Sprintf("%s/32", slot.HostIP.String()),
"-s", fmt.Sprintf("%s/32", slot.VpeerIP.String()),
"-o", defaultIface,
"-j", "MASQUERADE",
); err != nil {
@ -314,7 +316,7 @@ func RemoveNetwork(slot *Slot) error {
)
iptablesHost(
"-t", "nat", "-D", "POSTROUTING",
"-s", fmt.Sprintf("%s/32", slot.HostIP.String()),
"-s", fmt.Sprintf("%s/32", slot.VpeerIP.String()),
"-o", defaultIface,
"-j", "MASQUERADE",
)