Limit firewall rules to podman interfaces only

[hatkidchan]

Hi!
I wanted to try Podman on my home server and every time I create even a simple container (like with podman run --rm -it ubuntu:22.04) I can't access other devices on the network. I'm using my home server as a router as well, so it really depends on FORWARD chains for a bunch of things.
Problem is that netavark (or podman?) create rules that drop any "invalid" connection, but those rules are applied to all interfaces instead of just podman0!
I have a pretty minimal rules in iptables, iptables-save gives me just a single -t nat -A POSTROUTING -o wan0 -j MASQUERADE, but the moment I start any container, I see rules in filter table, two of which caught my eye:

...
-A INPUT -m comment --comment "netavark firewall rules" -j NETAVARK_INPUT
-A FORWARD -m comment --comment "netavark firewall rules" -j NETAVARK_FORWARD
...

As far as I understand, they forward every packet from INPUT and FORWARD to NETAVARK_INPUT and NETAVARK_FORWARD chains respectively, but they don't limit them just to podman* interfaces, which, combined with -A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP breaks forwarding for me.

I think I can just create a default network and always specify it manually, but it's too error-prone for me and I wasn't able to figure out a way to add a simple -i podman0 and -o podman0 into mentioned rules myself. I can just always do iptables -D NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP after running each container, but that quickly becomes painful.

I don't know if the same happens with Docker, I'll update it once I get to test it.
Podman: 5.3.1
Netavark: 1.13.1

[Luap99]

Why do you need to forward invalid packages?

#774 added this because the kernel leaks packages with the container source ip otherwise in a small race out to the lan.

I think we can certainly limit this to only the netavark bridge interfaces if the general rule causes to much problems.