From c3a377a265d2ca92b8823be281fa0e487d30692b Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Wed, 18 Feb 2026 15:12:32 +0800
Subject: switch to rocky linux 10, add --init for zombie reaping, fix NAT
 setup

- base image alpine -> rockylinux:10 (cgit/fcgiwrap from EPEL)
- drop spawn-fcgi, use fcgiwrap -s directly
- add --init to reap zombie sshd-auth processes (PID exhaustion fix)
- replace ip addr/route networking with nft DNAT/SNAT/FORWARD rules
- add FORWARD accept rule that was missing for inbound DNAT traffic
---
 start_container.sh | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

(limited to 'start_container.sh')

diff --git a/start_container.sh b/start_container.sh
index 2299390..f93f5df 100755
--- a/start_container.sh
+++ b/start_container.sh
@@ -29,6 +29,7 @@ podman build -t cgit "$(dirname "$0")"
 
 # Run container
 podman run -d \
+    --init \
     --name ${CONTAINER_NAME} \
     --network ${NETWORK} \
     --ip ${PRIVATE_IP} \
@@ -39,11 +40,21 @@ podman run -d \
     -v /git:/git \
     localhost/cgit
 
-# Setup public IP
+# Setup public IP via DNAT/SNAT
 sleep 2
-# Get the container's network interface name (e.g. eth0)
-IFACE=$(podman exec ${CONTAINER_NAME} sh -c "ip -o link | grep -v lo | head -1 | cut -d: -f2 | tr -d ' ' | cut -d@ -f1")
-podman exec ${CONTAINER_NAME} ip addr add ${PUBLIC_IP}/32 dev ${IFACE}
-ip route add ${PUBLIC_IP}/32 via ${PRIVATE_IP}
+OIFACE=$(ip route show default | awk '{print $5; exit}')
+BRIDGE=$(podman network inspect ${NETWORK} 2>/dev/null | python3 -c "import json,sys; print(json.load(sys.stdin)[0]['network_interface'])")
+
+# Clean up any stale rules for this IP
+nft -a list chain ip nat PREROUTING 2>/dev/null | grep "daddr ${PUBLIC_IP} " | grep -oP 'handle \K\d+' | while read h; do nft delete rule ip nat PREROUTING handle "$h"; done
+nft -a list chain ip nat POSTROUTING 2>/dev/null | grep "snat to ${PUBLIC_IP}" | grep -oP 'handle \K\d+' | while read h; do nft delete rule ip nat POSTROUTING handle "$h"; done
+nft -a list chain inet netavark FORWARD 2>/dev/null | grep "daddr ${PRIVATE_IP} " | grep -oP 'handle \K\d+' | while read h; do nft delete rule inet netavark FORWARD handle "$h"; done
+nft -a list chain ip nat POSTROUTING 2>/dev/null | grep "daddr ${PRIVATE_IP}.*masquerade" | grep -oP 'handle \K\d+' | while read h; do nft delete rule ip nat POSTROUTING handle "$h"; done
+ip route del ${PUBLIC_IP} 2>/dev/null || true
+
+nft add rule ip nat PREROUTING ip daddr ${PUBLIC_IP} dnat to ${PRIVATE_IP}
+nft add rule ip nat POSTROUTING ip saddr ${PRIVATE_IP} oifname ${OIFACE} snat to ${PUBLIC_IP}
+nft insert rule inet netavark FORWARD ip daddr ${PRIVATE_IP} oifname ${BRIDGE} accept
+nft add rule ip nat POSTROUTING ip saddr ${PRIVATE_SUBNET} ip daddr ${PRIVATE_IP} oifname ${BRIDGE} masquerade
 
 echo "Running at https://${DOMAIN}/"
-- 
cgit