Unable to Make Rootful Pods Accessible from External Network

[marshallwp]

For the past week I've been struggling to figure out how to make a published port of a rootful pod accessible outside of the host machine. I'm running OracleLinux 9 with the latest podman from their repository (v5.2.2) installed. Podman is configured to use the nftables firewall_driver. All other settings are defaults.

I've managed to get curl working when I query localhost or the host's DNS Name from the host machine. Unfortunately, no matter what I try, external network traffic to the PublishedPort falls through nftables completely and gets blocked by the nftables default drop/reject statement.

From my experiments, this issue affects pods created via both quadlets and command-line.

Example Quadlets
The below quadlets and caddyfile should create an example pod that reproduces the issue. Copy them to '/etc/containers/systemd/', then run 'systemctl daemon-reload && systemctl start demo' to start it up.

After starting the pod, you can run "curl --insecure 'https://hostname'" on the host and will get "Hello World!" as a response. Attempting to do the same on on a remote machine will fail (at least as far as I've been able to tell).

demo.pod

[Pod]
PodName=demo
PublishPort=443:443/tcp
PublishPort=443:443/udp

caddy.container

[Unit]
Description=Caddy

[Container]
Image=docker.io/library/caddy:2
Pod=demo.pod
AutoUpdate=registry
Environment="WEB_DOMAIN=%H"
Mount=type=bind,source="/etc/containers/systemd/Caddyfile",destination=/etc/caddy/Caddyfile,ro=true
Timezone=local
# Sysctl=net.ipv4.ip_unprivileged_port_start=443

[Service]
ExecReload=podman exec -w /etc/caddy systemd-caddy caddy reload
Restart=always

[Install]
WantedBy=default.target

Caddyfile

{
	# Causes all certificates to be self-signed by default.  Good for quick connectivity testing.
	local_certs

	# Log options
	log {
		format json {
			time_format "iso8601"
		}
	}
}
{$WEB_DOMAIN}:443, localhost:443 {
	# If you want to use FIDO2 WebAuthn, set X-Frame-Options to "SAMEORIGIN" or the Browser will block those requests
	header / {
		# Enable HTTP Strict Transport Security (HSTS)
		Strict-Transport-Security "max-age=31536000;"
		# Disable FLoC tracking
		Permissions-Policy interest-cohort=()
		# Enable cross-site filter (XSS) and tell browser to block detected attacks
		X-XSS-Protection "1; mode=block"
		# Disallow the site to be rendered within a frame (clickjacking protection)
		# To enable FIDO2 WebAuthn support, set to "SAMEORIGIN" instead of "DENY".
		X-Frame-Options "SAMEORIGIN"
		# Prevent search engines from indexing (optional)
		X-Robots-Tag "none"
	}

	respond "Hello World!"
}

If anyone sees anything wrong here, please let me know! I'm tearing my hair out trying to figure this one out.

[marshallwp]

Finally figured out it was one of our Admin's custom nftables rules that was causing issues.