How to apply DSCP mark to podman container packets?

I need to mark all packets originating from a specific container, and leave everything else as is.

The important processes are all running as UID 1000 inside the container, which is then mapped to a different one, so marking based on UID also suffices.

I tried tinkering with firewalld, but on F40 it uses iptables-nft, which I have no experience with.
Haven’t checked if it’s changed in F41 yet.

Firewalld is a zone-based firewall that allows marking traffic with rich rules:
firewalld.richlanguage: Rich Language Documentation (firewalld File Formats man page, on ManKier)

Podman running in privileged mode creates a bridged network assigned to the trusted zone by default.

You can create a rich rule for marking traffic in the respective zone like this:

sudo firewall-cmd --permanent --zone=trusted --add-rich-rule=\
"rule family=ipv4 destination address=0.0.0.0/0 mark set=0x1"
sudo firewall-cmd --reload
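An added example, not part of the answer above: the rich rule's `mark set=0x1` sets the kernel fwmark, not the IP header's DSCP field, so the nftables ruleset below (loaded with `nft -f`) converts that fwmark into a DSCP value on packets forwarded from the container bridge. It assumes the rich rule has already been applied, that the container traffic is forwarded by the host (rootful bridged network), and that af41 is the wanted DSCP value; the table and chain names are arbitrary.

```nft
# Added example (not from the thread). Assumes the firewalld rich rule from the
# answer is active, so packets from the trusted zone carry fwmark 0x1 when they
# reach the forward hook (prerouting runs before forward, so the mark is visible).
table inet dscp_from_fwmark {
    chain forward {
        # "mangle" priority keeps this before ordinary filter chains.
        type filter hook forward priority mangle; policy accept;

        # Packets marked by the rich rule get DSCP AF41; everything else is untouched.
        # The counter lets you verify with: nft list table inet dscp_from_fwmark
        meta mark 0x1 ip dscp set af41 counter
    }
}
```

Check the result with `nft list table inet dscp_from_fwmark` (the counter should increase while the container is sending) or with a packet capture on the host's uplink looking at the TOS/DSCP byte.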