Description
Love the idea of this, but ran into a brick wall.
Running slim start completely breaks networking for all Apple Containers. Containers lose the ability to reach the internet, the gateway (192.168.64.1), and any external host. API calls from inside containers time out with no error, just silence.
Root cause:
Slim adds its redirect anchor to /etc/pf.conf:
rdr-anchor "com.slim"
load anchor "com.slim" from "/etc/pf.anchors/com.slim"
The anchor itself is benign as the loopback-only redirects:
rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port 80 -> 127.0.0.1 port 10080
rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port 443 -> 127.0.0.1 port 10443
The problem is that slim start runs pfctl -e -f /etc/pf.conf, which loads the entire ruleset, including:
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
These Apple anchors are designed to be loaded on-demand by Apple's own services (the comment in pf.conf says "each component which utilizes PF is responsible for enabling and disabling PF via -E and -X").
When Slim force-enables pf and reloads the full ruleset, it interferes with Apple Container's vmnet NAT layer on the 192.168.64.0/24 subnet. The result is that all container network traffic is silently dropped.
Steps to Reproduce
- Start an Apple Container with network access:
container run --net=bridged alpine sh -c "apk add curl && curl -s https://1.1.1.1"
- This succeeds.
- Run
slim start on any domain (e.g. slim start myapp --port 3000).
- Run the same container command again and it now hangs indefinitely. Even
ping 192.168.64.1 (the vmnet gateway) fails from inside the container.
slim stop alone does not fix it. You must also run:
sudo pfctl -d
container system stop && container system start- Then containers work again.
- Running
slim start again immediately re-breaks container networking. Confirmed this cycle multiple times.
Expected Behavior
Slim's loopback redirect rules should not affect networking on other interfaces. Slim should either:
- Load only its own anchor instead of reloading the entire
/etc/pf.conf ruleset. Something like: pfctl -a com.slim -f /etc/pf.anchors/com.slim
- This would activate Slim's rules without touching the Apple anchors or enabling the global packet filter.
- Use
-E/-X reference counting as Apple's pf.conf comments recommend, rather than pfctl -e which force-enables the entire filter.
- Document the incompatibility with Apple Container / vmnet networking if a fix isn't feasible.
Actual Behavior
Running slim start completely breaks networking for all Apple Containers. Containers lose the ability to reach the internet, the gateway (192.168.64.1), and any external host. API calls from inside containers time out with no error, just silence.
Slim Version
0.8.0
Operating System
macOS
Configuration
Logs
Description
Love the idea of this, but ran into a brick wall.
Running slim start completely breaks networking for all Apple Containers. Containers lose the ability to reach the internet, the gateway (192.168.64.1), and any external host. API calls from inside containers time out with no error, just silence.
Root cause:
Slim adds its redirect anchor to /etc/pf.conf:
The anchor itself is benign as the loopback-only redirects:
The problem is that slim start runs
pfctl -e -f /etc/pf.conf, which loads the entire ruleset, including:These Apple anchors are designed to be loaded on-demand by Apple's own services (the comment in
pf.confsays "each component which utilizes PF is responsible for enabling and disabling PF via -E and -X").When Slim force-enables pf and reloads the full ruleset, it interferes with Apple Container's vmnet NAT layer on the 192.168.64.0/24 subnet. The result is that all container network traffic is silently dropped.
Steps to Reproduce
container run --net=bridged alpine sh -c "apk add curl && curl -s https://1.1.1.1"slim starton any domain (e.g.slim start myapp --port 3000).ping 192.168.64.1(the vmnet gateway) fails from inside the container.slim stopalone does not fix it. You must also run:sudo pfctl -dcontainer system stop && container system startslim startagain immediately re-breaks container networking. Confirmed this cycle multiple times.Expected Behavior
Slim's loopback redirect rules should not affect networking on other interfaces. Slim should either:
/etc/pf.confruleset. Something like:pfctl -a com.slim -f /etc/pf.anchors/com.slim-E/-Xreference counting as Apple's pf.conf comments recommend, rather thanpfctl -ewhich force-enables the entire filter.Actual Behavior
Running
slim startcompletely breaks networking for all Apple Containers. Containers lose the ability to reach the internet, the gateway (192.168.64.1), and any external host. API calls from inside containers time out with no error, just silence.Slim Version
0.8.0
Operating System
macOS
Configuration
Logs