Cannot resolve hostnames in container on FreeBSD

[Jomy10]

I am running podman on FreeBSD. I can't resolve any hostnames in the container though. When I use ping to ping a hostname, it fails with "bad address", however when pinging the ip address, it succeeds.

Steps to reproduce

~ # podman run -it --os=linux --rm docker.io/alpine
/ # ping google.com
ping: bad address 'google.com'
/ # ping 108.177.15.101
PING 108.177.15.101 (108.177.15.101): 56 data bytes
64 bytes from 108.177.15.101: seq=0 ttl=103 time=11.769 ms
64 bytes from 108.177.15.101: seq=1 ttl=103 time=11.315 ms

Container info

/ # cat /etc/resolv.conf
nameserver 185.12.64.1
nameserver 185.12.64.2

/ # cat /etc/alpine-release
3.20.3

System info

~ # podman --version                                                                           root@jomy
podman version 5.1.1

```                        `       root@xxxx.xxx
  ` `.....---.......--.```   -/    -------------
  +o   .--`         /y:`      +.   OS: FreeBSD 14.1-RELEASE amd64
   yo`:.            :o      `+-    Uptime: 2 days, 15 hours, 9 mins
    y/               -/`   -o/     Packages: 122 (pkg)
   .-                  ::/sy+:.    Shell: zsh 5.9
   /                     `--  /    Terminal: /dev/pts/1
  `:                          :`   CPU: Intel Xeon (Skylake, IBRS, no TSX) (2) @ 2.294GHz
  `:                          :`   GPU: Virtio 1.0 GPU
   /                          /    Memory: 2259MiB / 3957MiB
   .-                        -.
    --                      -.
     `:`                  `:`
       .--             `--.
          .---.....----.

[Luap99]

cc @dfr

[dfr]

I tried this locally and so far I can't reproduce the problem. It is possible that something isn't set up right with your pf config. Can you paste the contents of your /etc/pf.conf here and also double check that pf is running, e.g. with sudo system pf status.

[Jomy10]

Hey, thank you for your response!

pf is running.
Here's my pf.conf (I blanked out the ip address):

# /etc/pf.conf

##########
# Macros #
##########

# Change these to the interface(s) with the default route
v4egress_if = "vtnet0"
v6egress_if = "vtnet0"

## Set public interface ##
ext_if = "vtnet0"

## Set server public IP address
ext_if_ip = <server-ip-address>

## Set and drop IP ranges on public interface ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
	      10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
	      0.0.0.0/8, 240.0.0.0/4 }"

## Set http (80) and https (443) ports ##
webports = "{http, https}"

## enable services ##
int_tcp_services = "{domain, ntp, smtp, www, https, ftp, ssh}" # mail also goes here
int_udp_services = "{domain, ntp}"

##########
# Tables #
##########

table <cni-nat>

###########
# Options #
###########

## Skip loop back interface ##
set skip on lo

## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if

######################
# Ethernet filtering #
######################

#########################
# Traffic normalization #
#########################

# Deal with attacks based on incorrect handling of packet fragments
scrub in all

############
# Queueing #
############

###############
# Translation #
###############

### PODMAN ###
nat on $v4egress_if inet from <cni-nat> to any -> ($v4egress_if)
nat on $v6egress_if inet6 from <cni-nat> to !ff00::/8 -> ($v6egress_if)

rdr-anchor "cni-rdr/*"
nat-anchor "cni-rdr/*"
### END PODMAN ###

####################
# Packet Filtering #
####################

## Set default policy ##
block return in log all
block out all

# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

## Blocking spoofed packets
antispoof quick for $ext_if

# Allow SSH from any IP address
pass in inet proto tcp to $ext_if port ssh

# Allow Ping-Pong stuff. Be a good sysadmin
pass inet proto icmp icmp-type echoreq

# All access to our Nginx/Apache/Lighttpd Webserver ports
pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services

[Jomy10]

I found this in the pf logs:

 00:00:00.546981 rule 0/0(match): block in on cni-podman0: 10.88.0.46.16853 > 185.12.64.1.53: 7220+ A? google.com. (28)
 00:00:00.000028 rule 0/0(match): block in on cni-podman0: 10.88.0.46.16853 > 185.12.64.2.53: 7220+ A? google.com. (28)
 00:00:00.000005 rule 0/0(match): block in on cni-podman0: 10.88.0.46.16853 > 185.12.64.1.53: 10983+ AAAA? google.com. (28)
 00:00:00.000003 rule 0/0(match): block in on cni-podman0: 10.88.0.46.16853 > 185.12.64.2.53: 10983+ AAAA? google.com. (28)

However, I'm not sure how to fix this.

[dfr]

I found this in the pf logs:

 00:00:00.546981 rule 0/0(match): block in on cni-podman0: 10.88.0.46.16853 > 185.12.64.1.53: 7220+ A? google.com. (28)
 00:00:00.000028 rule 0/0(match): block in on cni-podman0: 10.88.0.46.16853 > 185.12.64.2.53: 7220+ A? google.com. (28)
 00:00:00.000005 rule 0/0(match): block in on cni-podman0: 10.88.0.46.16853 > 185.12.64.1.53: 10983+ AAAA? google.com. (28)
 00:00:00.000003 rule 0/0(match): block in on cni-podman0: 10.88.0.46.16853 > 185.12.64.2.53: 10983+ AAAA? google.com. (28)

However, I'm not sure how to fix this.

I think that 'rule 0/0' is 'block return in log all' which is confusing since you are able to ping from inside the container. Maybe add a pass rule to allow tcp and udp traffic from 10.88.0.0/16?

[dfr]

This seems reasonable (although I don't usually use much more than the podman nat and rdr rules. Next thing to check on packets containing DNS queries:

1. Do they get correctly NATed to the host IP address - check with something like tcpdump -i vtnet0 port dns
2. If not, try to figure out if some rule in the PF config is blocking - check with tcpdump on pflog0
3. If the packets manage to leave through vtnet0, are the replies visible?
4. Do they get back into the container after reversing the NAT from step 1. This is a little tricky - look for interfaces with names starting with 'vnet' and match them to a container - you can use 'ifconfig' to see the interface description which will tell you the container ID. These are the host side of the container's epair and you can tcpdump on them to see traffic to and from the container.

[Jomy10]

Thank you for your help. I tried 1., but I got no output. I then added pass in log all to pf.conf and saw what request where being passed. After adding pass in on cni-podman0 to the end of pf.conf, I am now able to ping google.com.

Again, thank you for your help!