by oasisaimlessly 885 days ago
Can anyone tell me why neither Docker nor Podman allow you to dynamically modify forwarded ports? It would allow zero-downtime updates of containers (start a new container, wait for it to be healthy, update the port forwards, stop the old container).

And no, reverse proxies do not solve this problem; lots of protocols (e.g. SSH) have no equivalent to X-Forwarded-For for identifying the remote host.

1 comment

Likely due to technical limitations. At least Docker does its port-forwarding with iptables (or these days, nftables), and the forwarding rules themselves span multiple custom tables/chains. If you ever do 'iptables-save' to inspect what rules have been created when a container is running, it may look a bit funky.

So updating a purportedly single rule might actually require updating several underlying traffic-mangling rules, with logic that is not readily apparent, or even easy to reason about. When you add the ability to route traffic directly from container to container without passing through the outermost interface, things can get quite hairy.
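To make the "one published port, several rules" point concrete, here is an added example (not from the thread and not Docker's own code) that parses a constructed iptables-save excerpt modelled on the rules Docker creates for `-p 8080:80` and lists every table/chain a single published port touches. The dump, function names and the 172.17.0.2 endpoint are assumptions for illustration.

```python
import re

# Constructed iptables-save excerpt (not a real dump), modelled on the rules
# Docker installs for `docker run -p 8080:80` with the container at 172.17.0.2.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

DNAT_RE = re.compile(r"--dport (\d+) -j DNAT --to-destination ([\d.]+):(\d+)")

def parse_rules(dump):
    """Yield (table, chain, rule) for every '-A' line in an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, line.split()[1], line

def has_pair(tokens, flag, value):
    """True if `flag value` appears as adjacent tokens (avoids '80' matching '8080')."""
    return any(a == flag and b == value for a, b in zip(tokens, tokens[1:]))

def forwarding_rules(dump, host_port):
    """Map 'table/chain' -> rules implementing one published host port: the DNAT,
    the hairpin MASQUERADE for the container endpoint, and the filter ACCEPT."""
    rules = list(parse_rules(dump))
    targets = {(m.group(2), m.group(3)) for _, _, r in rules
               if (m := DNAT_RE.search(r)) and int(m.group(1)) == host_port}
    found = {}
    for table, chain, rule in rules:
        t = rule.split()
        is_dnat = has_pair(t, "--dport", str(host_port)) and "DNAT" in t
        is_target = any(has_pair(t, "-d", f"{ip}/32") and has_pair(t, "--dport", port)
                        for ip, port in targets)
        if is_dnat or is_target:
            found.setdefault(f"{table}/{chain}", []).append(rule)
    return found

if __name__ == "__main__":
    for location, rules in forwarding_rules(SAMPLE_DUMP, 8080).items():
        print(location, "\n  " + "\n  ".join(rules))
```

Moving the published port to a new container means touching all three locations atomically, which is the part a plain "update the forward" API would have to get right.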