diff --git a/REFERENCE.md b/REFERENCE.md
index 51cb23f6..3e30004f 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -76,6 +76,11 @@ and Manager Daemons (MGR).
* [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
* [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
* [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
+* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods.
+This class defines additional forwarding rules to let root containers
+reach external networks when using Netavark (since v4.0) or CNI (deprecated).
+At the time of writing, Podman supports automatic configuration
+of firewall rules with iptables and firewalld only.
* [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
* [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
* [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
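Review bot: The index entry for `nftables::rules::podman` spans five lines, while every other entry in this list is a single-line summary (compare `manage out wireguard` and `manage in puppet` directly above and below). The full description already appears in the class's own section further down, so the bullet should carry only the first sentence, e.g. `Rules for Podman, a tool for managing OCI containers and pods.`, keeping the index scannable and consistent. If REFERENCE.md is generated by puppet-strings, the fix belongs in the `@summary` tag of `manifests/rules/podman.pp` rather than here.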
@@ -1190,6 +1195,14 @@ specify wireguard ports
Default value: `[51820]`
+### `nftables::rules::podman`
+
+Rules for Podman, a tool for managing OCI containers and pods.
+This class defines additional forwarding rules to let root containers
+reach external networks when using Netavark (since v4.0) or CNI (deprecated).
+At the time of writing, Podman supports automatic configuration
+of firewall rules with iptables and firewalld only.
+
### `nftables::rules::puppet`
manage in puppet
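Review bot: The description does not say which address range the class opens. Since the class takes no parameters and the rules are tied to `10.88.0.0/16`, a reader of the reference cannot tell from this section that the rules only apply to Podman's default network and will not cover a custom network subnet. Add a sentence stating the hardcoded range and the assumption that the default Podman network is in use, or (better) document a subnet parameter if one is added to the class.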
diff --git a/manifests/rules/podman.pp b/manifests/rules/podman.pp
new file mode 100644
index 00000000..df1e370d
--- /dev/null
+++ b/manifests/rules/podman.pp
@@ -0,0 +1,17 @@
+# @summary
+# Rules for Podman, a tool for managing OCI containers and pods.
+# This class defines additional forwarding rules to let root containers
+# reach external networks when using Netavark (since v4.0) or CNI (deprecated).
+# At the time of writing, Podman supports automatic configuration
+# of firewall rules with iptables and firewalld only.
+#
+class nftables::rules::podman {
+ nftables::rule {
+ 'default_fwd-podman_establised':
+ content => 'ip daddr 10.88.0.0/16 ct state related,established accept',
+ }
+ nftables::rule {
+ 'default_fwd-podman_accept':
+ content => 'ip saddr 10.88.0.0/16 accept',
+ }
+}
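Review bot: The resource title `default_fwd-podman_establised` is misspelled (`establised` for `established`); since rule names become identifiers users may reference or override, it is worth fixing before this ships rather than carrying the typo forward. Beyond the typo, three points on the rules themselves: (1) `10.88.0.0/16` is hardcoded, so hosts that configured a different Podman network subnet get rules that match nothing; a `subnet` class parameter with `10.88.0.0/16` as the default would keep the zero-config behaviour while staying usable elsewhere. (2) `ip saddr 10.88.0.0/16 accept` in the forward chain accepts forwarded traffic from the container range to any destination, not only external networks, so containers can also reach other forwarded segments on the host; that is consistent with "reach external networks" only if nothing else is routed through this host, and the description should say so or the rule should restrict the outbound interface. (3) Both rules match `ip` only, so a dual-stack Podman network gets no IPv6 forwarding; either document the limitation or add matching `ip6` rules. On the docblock, puppet-strings expects `@summary` to be a short single-line summary with the longer text following as plain description, so move everything after the first sentence out from under the tag.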
diff --git a/spec/acceptance/all_rules_spec.rb b/spec/acceptance/all_rules_spec.rb
index 6a333838..58c9765b 100644
--- a/spec/acceptance/all_rules_spec.rb
+++ b/spec/acceptance/all_rules_spec.rb
@@ -26,6 +26,7 @@ class { 'nftables':
include nftables::rules::dhcpv6_client
include nftables::rules::afs3_callback
include nftables::rules::ospf
+ include nftables::rules::podman
include nftables::rules::http
include nftables::rules::puppet
include nftables::rules::pxp_agent
diff --git a/spec/classes/rules/podman_spec.rb b/spec/classes/rules/podman_spec.rb
new file mode 100644
index 00000000..5ff7f1ad
--- /dev/null
+++ b/spec/classes/rules/podman_spec.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'nftables::rules::podman' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ context 'default options' do
+ it { is_expected.to compile }
+ it { is_expected.to contain_nftables__rule('default_fwd-podman_establised').with_content('ip daddr 10.88.0.0/16 ct state related,established accept') }
+ it { is_expected.to contain_nftables__rule('default_fwd-podman_accept').with_content('ip saddr 10.88.0.0/16 accept') }
+ end
+ end
+ end
+end
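Review bot: The expectation on the `default_fwd-podman_establised` line encodes the misspelled resource title from `manifests/rules/podman.pp`; if the name is corrected to `established` in the manifest, this spec must change in the same commit or the unit test will fail. It would also be useful to assert that exactly these two `nftables__rule` resources are declared (for example via `have_nftables__rule_resource_count(2)`), so that an accidental extra rule in the class is caught.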