To host a web server or similar service on a podman or similar CNI-utilizing system, the best way to do it is to ensure that CNI does not use the firewall/portmapper features at all. Then you create an entry in the network config with a protocol name that does not exist, e.g. cni or podman, and append options for device and ipaddr + netmask. The firewall supports these details even though netifd doesn't do anything with the entry, since the protocol does not exist. So now you can make a redirection to your container for selected ports.
The reason to disable the firewall/portmapper features is simple: those rules disappear once an interface comes up, because the firewall reloads.
If you write a protocol for it, it won't work, because netifd seems to do something when the protocol comes up and you lose routes etc. Technically, you could set them up manually, as you probably know them, and could even have an option for them. But rather than that, I'd like to see a flag for protocols that would allow us to create protocols that are unmanaged/dumb/fake. You could set them up with either valid or invalid details, no matter, as netifd would just set it up and down with the chosen details without caring about them at all or doing anything to the real interface, whether it even exists.
Not a very useful feature for so many things, but superb for some.
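
The setup described above, written out as UCI configuration. This is an added example, not part of the original post. The interface, zone and rule names, the bridge name `cni-podman0`, the 10.88.0.0/16 addressing (podman's default CNI network), the container address and the ports are all assumptions chosen for illustration.

```uci
# /etc/config/network
# 'cni' is deliberately not a protocol that netifd knows, so netifd
# never configures the bridge; the entry only gives the firewall a
# named network with a device and an address range.
# Assumed values: bridge cni-podman0, gateway 10.88.0.1/16.
config interface 'podman'
	option proto 'cni'
	option device 'cni-podman0'
	option ipaddr '10.88.0.1'
	option netmask '255.255.0.0'

# /etc/config/firewall
# Dedicated zone for the container network with restrictive defaults,
# so containers reach only what is explicitly allowed.
config zone
	option name 'podman'
	list network 'podman'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Publish one container port. Because the rule lives in the firewall
# config rather than in CNI's portmap/firewall plugins, it is
# re-created on every firewall reload.
# Assumed values: source zone lan, container at 10.88.0.10 serving
# HTTP on port 80, published on port 8080.
config redirect
	option name 'web-to-container'
	option target 'DNAT'
	option src 'lan'
	option proto 'tcp'
	option src_dport '8080'
	option dest 'podman'
	option dest_ip '10.88.0.10'
	option dest_port '80'
```

Each published port is one explicit `redirect` section, which keeps the exposed surface visible in a single file.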