Skip to content

routes: Add blackhole route support#1417

Open
p12tic wants to merge 1 commit intocontainers:mainfrom
p12tic:blackhole-routes
Open

routes: Add blackhole route support#1417
p12tic wants to merge 1 commit intocontainers:mainfrom
p12tic:blackhole-routes

Conversation

@p12tic
Copy link

@p12tic p12tic commented Mar 8, 2026

When the gateway field is omitted from a route definition, a blackhole route is created instead of a unicast route. Blackhole routes silently discard packets destined for the specified network.

The gateway field in the Route type is now Optional.

Closes #930

@p12tic p12tic force-pushed the blackhole-routes branch from 6e35a45 to 61fd1f4 Compare March 8, 2026 16:12
@packit-as-a-service
Copy link

packit-as-a-service bot commented Mar 8, 2026

Ephemeral COPR build failed. @containers/packit-build please check.

Luap99
Luap99 requested changes Mar 8, 2026
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that is a great design choice, there are many different route types that could be used in the same spot, i.e. unreachable or prohibit.

I think it would be smarter to add an explicit type field and then let users request blackhole explicitly, that type field should then accept the same names like ip route basically.

@p12tic p12tic force-pushed the blackhole-routes branch 2 times, most recently from 9b96f9a to 55660cc Compare March 9, 2026 15:50
@p12tic
Copy link
Author

p12tic commented Mar 9, 2026
edited
Loading

@Luap99 Is the current version of the PR something what you had in mind?

ip route additionally supports local, multicast, broadcast, throw and nat types. It doesn't make sense to add support for throw and nat and probably doesn't make sense to add support for the rest. I didn't investigate deeper because in any case there's not even issue opened for these, so probably no one needs it.

@p12tic
routes: Add route_type field for blackhole/unreachable/prohibit routes
32cfb23 
Add an explicit route_type field to the Route type that accepts the
same values as ip route: unicast, blackhole, unreachable, prohibit.
Defaults to unicast when not specified.

The gateway field is now optional: it is required for unicast routes
and must not be set for blackhole/unreachable/prohibit routes.

Closes containers#930

Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
@p12tic p12tic force-pushed the blackhole-routes branch from 55660cc to 32cfb23 Compare March 9, 2026 16:12
@p12tic p12tic mentioned this pull request Mar 10, 2026
Draft
6 tasks
@p12tic
Copy link
Author

p12tic commented Mar 10, 2026

This feature has been exposed in podman via containers/podman#28230

@p12tic
Copy link
Author

p12tic commented Mar 12, 2026

@Luap99 Just a friendly ping :)

@Luap99
Copy link
Member

Luap99 commented Mar 12, 2026

Note I am super busy, in particular I like to get #1394 merged first then this PR can add the network creation validation logic for this option here as well.

Of course we still need the type changes in container-libs and podman but when we port the creating logic we should not add even more features in parallel to not complicated that work so this may be a bit stalled for a few weeks.

I try to ensure we still get this into netavark v2/podman v6

@p12tic
Copy link
Author

p12tic commented Mar 13, 2026
edited
Loading

Thanks for explaining, I just wanted to make sure the PR is not forgotten for no reason :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Luap99 Luap99 Luap99 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Attaching container to a network with any routes defined results in fail

2 participants

@p12tic @Luap99