Running Podman sets net.link.bridge.pfil_member to 1

[dabya]

I noticed that any command I run in Podman will set net.link.bridge.pfil_member to 1, even if I set it to 0 before. Is that normal behaviour?

 

[radq2]

Yeah frustrating, I also just saw the issue when running the podman run --rm docker.io/dougrabson/hello command from https://podman.io/docs/installation#installing-on-freebsd. I have to sysctl net.link.bridge.pfil_member=0 to set it back and then service jail restart for my jails to pick up the change.

Did you happen to find out a temporary fix or open a bug I could boost?

 

[dabya]

Sorry for the late reply. I haven't done any digging since then so not bug report yet.

 

[RianKellyIT]

Podman's networking stack (netavark/aardvark-dns) creates bridge interfaces for container isolation and enables pfil_member globally so pf rules apply to container traffic. It does this every time it sets up networking, which is why your manual sysctl reset gets overwritten.

A couple of approaches depending on your FreeBSD version:

If you are on FreeBSD 14+, you can use per-bridge pfil controls instead of the global sysctl. After Podman creates its bridge, the global pfil_member will be 1, but you can disable filtering on your specific jail/VM bridges individually:

ifconfig bridge0 -pfil_member

Add that to your jail startup script or /etc/rc.local. This way Podman's bridges keep their filtering while your bridges remain unfiltered.

On older FreeBSD where pfil is strictly global, the quickest workaround is a devd rule that resets the sysctl whenever a Podman bridge is created, or a post-start hook in your jail config that runs

sysctl net.link.bridge.pfil_member=0

and restarts networking.

The cleaner long-term fix would be for Podman on FreeBSD to only set pfil on its own bridge interfaces rather than flipping the global sysctl. That is arguably a bug worth reporting to the FreeBSD Podman port maintainers.