Avoid privileged container for tunnel GRE over UDP?

Is there a solution to use Foo Over UDP in an unprivileged container?

Using RFC 8086 (http://www.rfc-editor.org/rfc/rfc8086.txt), I would like to use Foo over UDP to create a tunnel between my LXD container and a remote server and to encapsulate GRE, or IPIP, in it. I cannot directly use GRE because of NAT (there is one intermediary router doing NAT on which I can only do TCP or UDP port-forwarding), so Foo Over UDP looks like a nice solution.

Yet my issue is that creating the Foo tunnel is rejected in an unprivileged container (here running Debian 10 or Ubuntu 19.04):
ip fou add port 9876 ipproto 47
RTNETLINK answers: Operation not permitted
This works well in a privileged container, but I would like to avoid it being privileged…
Is there any way to do this?
Thank you!

[Edit:] Maybe I should also mention that the container has physical access to the NIC, whereas the host has no IP address on that NIC. It’s configured like this:

  bridge.driver: native
  bridge.external_interfaces: enp5s0
  ipv4.address: none
  ipv4.firewall: "true"
  ipv4.nat: "false"
  ipv6.address: none
  ipv6.nat: "false"
description: ""
name: lxdbr0
type: bridge
managed: true
status: Created
used_by: [...]
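To make concrete what crosses the NAT router in this setup, here is an added example (my own code, not from the thread): it builds and decodes a FOU datagram for UDP port 9876 carrying GRE, which is what `ip fou add port 9876 ipproto 47` configures the receiver for. RFC 8086 direct encapsulation places the encapsulated protocol immediately after the UDP header, so the intermediary router only has to forward one UDP port; the IP addresses and payload are constructed sample values.

```python
import ipaddress
import struct
FOU_PORT = 9876  # from the question's `ip fou add port 9876 ipproto 47`

def ip_checksum(data):
    """One's-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, no options; addresses are constructed sample values."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def build_fou_gre(src_port, inner, key=None):
    """What the FOU encapsulator emits: UDP header, GRE header (RFC 2784/2890), inner IPv4."""
    flags = 0x2000 if key is not None else 0  # K bit: a 32-bit key follows the base header
    gre = struct.pack("!HH", flags, 0x0800) + (struct.pack("!I", key) if key is not None else b"")
    payload = gre + inner  # UDP checksum 0 = absent, which RFC 8086 permits over IPv4
    return struct.pack("!HHHH", src_port, FOU_PORT, 8 + len(payload), 0) + payload

def parse_fou_gre(datagram):
    """Decode what the NAT router or an IDS sees: one UDP flow to the FOU port carrying GRE + IPv4."""
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    if dport != FOU_PORT or length != len(datagram):
        raise ValueError("not a well-formed FOU datagram for port %d" % FOU_PORT)
    gre = datagram[8:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    off, key = 4, None
    if flags & 0x8000:  # C bit: checksum + reserved1 present
        off += 4
    if flags & 0x2000:  # K bit: key present
        key, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    if flags & 0x1000:  # S bit: sequence number present
        off += 4
    inner = gre[off:]
    ihl = (inner[0] & 0x0F) * 4
    if proto != 0x0800 or inner[0] >> 4 != 4 or ip_checksum(inner[:ihl]) != 0:
        raise ValueError("expected a valid IPv4 packet inside GRE")
    return {"udp_src_port": sport, "gre_key": key, "inner_proto": inner[9],
            "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
            "inner_payload": inner[ihl:]}
```

Because the outer packet is plain UDP, a firewall or IDS on the path can only tell FOU traffic apart by port and by looking inside the payload, which is exactly why the NAT router in the question can forward it.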

@Kriss I haven’t tested this, but perhaps the ip command is trying to load a kernel module that is not allowed.

If you ensure any kernel modules are loaded on the host before trying to create the tunnel in the container that may fix it.

Hi @tomp
Good idea but that’s not it: the lsmod output is unchanged after I execute “ip fou add port […]”. Any other clue maybe?