Problem accessing ipset inside containers (Podman, Toolbox, Distrobox) #3656

@wall-E824

Description

Describe the bug

I'm building a high-performance L3 firewall API in Python that requires ipset for IP block/allow lists.

Issue:
ipset works perfectly on the Bluefin host system, but fails with "Operation not permitted" inside any container environment (Podman, Toolbox, and Distrobox).

Reproduction steps:

# On host (works):
$ sudo ipset list
Name: test
Type: hash:ip
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xd4cb3b74
Size in memory: 216
References: 0
Number of entries: 0
Members:

# Inside container (fails):
$ distrobox enter Ubuntu-01
📦[user@Ubuntu-01 ~]$ sudo ipset list
ipset v7.19: Kernel error received: Operation not permitted

Context:

  • Bluefin is immutable, so applications must run in containers
  • This blocks development of network security tools that require ipset
  • I've tried various privileged container configurations without success
  • The same issue occurs across all container types (Podman native, Toolbox, Distrobox)

Expected behavior:
Containers should be able to access ipset functionality when properly configured with necessary privileges, since Bluefin's immutable nature requires running applications in containers.

Environment:

  • Bluefin LTS
  • ipset version 7.22

What did you expect to happen?

I expected that when running a container with proper privileges (using --privileged, --cap-add=NET_ADMIN, or similar flags), I would be able to use ipset commands inside the container just as I can on the host system. Since Bluefin is immutable and designed for applications to run in containers, I expected there would be a supported way to access kernel-level networking features like ipset from within containers for legitimate use cases like firewall management and network security applications.

Output of bootc status

hive14-mu1-c2@dhcppc72:~$ bootc status
  Staged image: ghcr.io/ublue-os/bluefin:lts
        Digest: sha256:d1a1edc5327d3b6e87f639d57bd18a172f3fa20576680a2b1b633a5a62a1c58e (amd64)
       Version: stream10.1 (2025-11-15T01:00:21Z)

● Booted image: ghcr.io/ublue-os/bluefin:lts
        Digest: sha256:987bf3d825ae35584f9d2c71c6c7ca643a16aeef4228669efb1082d1a2fa7fee (amd64)
       Version: stream10.1 (2025-11-11T01:49:43Z)

  Rollback image: ghcr.io/ublue-os/bluefin:lts
          Digest: sha256:ceb2f991c144dfdb7a11fb5e423dd9d80ad6728ea0a23373512a281f3e101bae (amd64)
         Version: stream10.1 (2025-11-10T10:42:26Z)
hive14-mu1-c2@dhcppc72:~$

Output of groups

Extra information or context

No response
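The "Operation not permitted" in the report is what the kernel returns when ipset's nfnetlink request comes from a process that lacks CAP_NET_ADMIN in the user namespace owning the network namespace; `sudo` inside a rootless container only grants that capability in the container's child user namespace, while Distrobox and Toolbox share the host network namespace. The following diagnostic is an added example, not code from the issue or the Bluefin project; it assumes a Linux /proc and POSIX sh, and the verdict names are its own.

```shell
#!/bin/sh
# Added diagnostic (not from the issue or the Bluefin project).
# Reads the two facts that decide whether the kernel will accept ipset's
# netlink requests: the effective capability mask and the user namespace.

# Returns 0 if the hex CapEff mask from /proc/self/status includes
# CAP_NET_ADMIN (capability number 12).
has_cap_net_admin() {
    [ $(( (0x$1 >> 12) & 1 )) -eq 1 ]
}

# Returns 0 if a /proc/self/uid_map line describes the initial user
# namespace ("0 0 4294967295"), 1 if the process sits in a child user
# namespace (what a rootless Podman/Distrobox/Toolbox container gets).
is_initial_user_ns() {
    set -- $1   # split the map line into its three fields
    [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]
}

# Combines both checks into one verdict string:
#   "missing-cap"   - no CAP_NET_ADMIN at all (run as root / --cap-add)
#   "child-user-ns" - capability held, but only in a child user namespace,
#                     so a host network namespace still answers EPERM
#   "ok"            - both conditions met
# Arguments: CapEff mask, uid_map line.
ipset_verdict() {
    if ! has_cap_net_admin "$1"; then
        echo "missing-cap"
    elif ! is_initial_user_ns "$2"; then
        echo "child-user-ns"
    else
        echo "ok"
    fi
}

# Run against the current process, e.g. after `distrobox enter` + `sudo sh`.
if [ -r /proc/self/status ] && [ -r /proc/self/uid_map ]; then
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    uidmap=$(head -n 1 /proc/self/uid_map)
    if [ -n "$capeff" ] && [ -n "$uidmap" ]; then
        echo "CapEff=$capeff uid_map='$uidmap' -> $(ipset_verdict "$capeff" "$uidmap")"
    fi
fi
```

A "child-user-ns" verdict inside a container that can still see the host's interfaces is the signature of the reported failure: the container is rootless, so no `--privileged` or `--cap-add` flag can give it CAP_NET_ADMIN over the host network namespace.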
