From 94c5bbe48572690e8e877c571e22216df3a928c5 Mon Sep 17 00:00:00 2001
From: Mai Bui <maibui@microsoft.com>
Date: Thu, 11 Jan 2024 15:41:49 +0000
Subject: [PATCH 1/2] [docker-nat] limit privileged flag for nat container

Signed-off-by: Mai Bui <maibui@microsoft.com>
---
 rules/docker-nat.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/docker-nat.mk b/rules/docker-nat.mk
index f4022547ffef..961ca0f8dfa2 100644
--- a/rules/docker-nat.mk
+++ b/rules/docker-nat.mk
@@ -29,7 +29,7 @@ SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_NAT_DBG)
 endif
 
 $(DOCKER_NAT)_CONTAINER_NAME = nat
-$(DOCKER_NAT)_RUN_OPT += --privileged -t
+$(DOCKER_NAT)_RUN_OPT += -t
 $(DOCKER_NAT)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_NAT)_RUN_OPT += -v /etc/timezone:/etc/timezone:ro 
 $(DOCKER_NAT)_RUN_OPT += -v /host/warmboot:/var/warmboot

From 573c886091a8a75f0b68b52abd3988c1f99fa224 Mon Sep 17 00:00:00 2001
From: Mai Bui <maibui@microsoft.com>
Date: Tue, 16 Jan 2024 22:11:45 +0000
Subject: [PATCH 2/2] add NET_ADMIN

Signed-off-by: Mai Bui <maibui@microsoft.com>
---
 rules/docker-nat.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/docker-nat.mk b/rules/docker-nat.mk
index 961ca0f8dfa2..0298ace831c2 100644
--- a/rules/docker-nat.mk
+++ b/rules/docker-nat.mk
@@ -29,7 +29,7 @@ SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_NAT_DBG)
 endif
 
 $(DOCKER_NAT)_CONTAINER_NAME = nat
-$(DOCKER_NAT)_RUN_OPT += -t
+$(DOCKER_NAT)_RUN_OPT += -t --cap-add=NET_ADMIN
 $(DOCKER_NAT)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_NAT)_RUN_OPT += -v /etc/timezone:/etc/timezone:ro 
 $(DOCKER_NAT)_RUN_OPT += -v /host/warmboot:/var/warmboot