Skip to content

network

network

Rootless networking helpers.

The slirp4netns gateway and resolv.conf parsing live here so nothing in the firewall path has to reach into the broader podman_info package just to derive a host address or DNS server.

slirp4netns_gateway(cidr=None)

Compute the slirp4netns gateway address (CIDR base + 2).

Reads containers.conf for a cidr= override when cidr is None. Falls back to the default CIDR on malformed input.

Source code in src/terok_shield/podman_info/network.py 
20
21
22
23
24
25
26
27
28
29
30
def slirp4netns_gateway(cidr: str | None = None) -> str:
    """Compute the slirp4netns gateway address (``CIDR base + 2``).

    Reads ``containers.conf`` for a ``cidr=`` override when *cidr* is None.
    Falls back to the default CIDR on malformed input.
    """
    try:
        net = ipaddress.IPv4Network(cidr or parse_slirp4netns_cidr())
    except ValueError:
        net = ipaddress.IPv4Network(_DEFAULT_SLIRP4NETNS_CIDR)
    return str(net.network_address + 2)

parse_slirp4netns_cidr()

Read the slirp4netns CIDR from containers.conf, or return the default.

User config (XDG) is checked first in rootless mode, then system paths. When running as root, user config is skipped to prevent untrusted XDG_CONFIG_HOME from influencing firewall rules.

Source code in src/terok_shield/podman_info/network.py 
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
def parse_slirp4netns_cidr() -> str:
    """Read the slirp4netns CIDR from ``containers.conf``, or return the default.

    User config (XDG) is checked first in rootless mode, then system paths.
    When running as root, user config is skipped to prevent untrusted
    ``XDG_CONFIG_HOME`` from influencing firewall rules.
    """
    paths = list(reversed(_SYSTEM_CONF_PATHS))
    if os.geteuid() != 0:
        paths.insert(0, _user_containers_conf())
    for path in paths:
        for opt in _parse_network_cmd_options(path):
            if opt.startswith("cidr="):
                return opt.split("=", 1)[1]
    return _DEFAULT_SLIRP4NETNS_CIDR

parse_resolv_conf(text)

Extract the first nameserver address from resolv.conf content.

Returns an empty string if no valid nameserver line is found.

Source code in src/terok_shield/podman_info/network.py 
66
67
68
69
70
71
72
73
74
75
def parse_resolv_conf(text: str) -> str:
    """Extract the first ``nameserver`` address from resolv.conf content.

    Returns an empty string if no valid nameserver line is found.
    """
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            return parts[1]
    return ""