Rootless bridge: preserve source IPs via pesto/pasta

[Honny1]

Require passta version:

This requires the pesto binary, available since passt-0^20260507.g1afd4ed.

Local Passt Setup + testing

# Build pasta with pesto support
git clone git://passt.top/passt 
cd passt
git checkout ec96f0124282 
b4 shazam https://archives.passt.top/passt-dev/20260506092241.1607480-1-sbrivio@redhat.com/
make 
sudo make install

cd ../podman
make binaries
make localintegration FOCUS_FILE=run_networking_test.go

TODO:

• Proper vendor container-libs
• Rebase + drop commit after merging removal of slirp (Podman6: Remove slirp #27828)
• Documentation
• Deal with the strict pasta version question.

---

Add rootless_port_forwarder="pasta" option in containers.conf that switches rootless bridge port forwarding from rootlessport to pasta, preserving source IPs. The default remains rootlessport.

Problem

When running rootless containers on a bridge network (podman run -p 8080:80 --network mynet), the old rootlessport userspace TCP/UDP proxy destroyed source IP information. Every connection appeared to come from 127.0.0.1 inside the container, regardless of the actual client IP.

Solution

Pesto is a client tool for passta that dynamically updates port forwarding rules via a UNIX domain socket. Instead of proxying traffic in userspace (which loses source IPs), pesto configures pasta to forward at the kernel level using splice (localhost) or TAP (external traffic), preserving the original source IP.

How it works

Host -> pasta (splice/TAP) -> rootless netns -> netavark bridge DNAT -> container

1. A shared pasta instance runs in the rootless network namespace with a control socket (-c pasta.sock)
2. On container start: netavark sets up the bridge + nftables DNAT rules, then pesto --add registers ports in pasta's forwarding table
3. On container stop: pesto --delete removes the container's ports, then netavark tears down bridge/DNAT
4. On network connect/disconnect/reload: port forwarding state is updated accordingly

Key implementation details:

• HostIP stripping in the netavark wrapper (convertNetOpts): when rootless_port_forwarder="pasta" is active, HostIP is stripped from port mappings before passing to netavark. Pesto handles host-side address binding; netavark's DNAT rules inside the rootless netns must not restrict on destination address since pasta's splice delivers traffic with a different destination than the user-specified HostIP
• Dual-stack binding: when no explicit HostIP is set, pesto binds both 0.0.0.0 and [::] so IPv6 networks work out of the box
• Config toggle: rootless_port_forwarder in [network] section of containers.conf selects between rootlessport (default) and pasta

Current limitations

• Same port on different HostIPs (e.g. -p 127.0.0.1:8080:80 and -p 127.0.0.2:8080:80 on separate containers) does not work in pasta mode because HostIP stripping causes conflicting DNAT rules. This requires destination mapping support in pesto.

Fixes: https://redhat.atlassian.net/browse/RUN-2214
Fixes: #8193
Fixes: https://redhat.atlassian.net/browse/RUN-3587

Depends on: passt >= passt-0^20260507.g1afd4ed
Depends on: containers/container-libs#755
Depends on: #27828
Depends on: #28451

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

• Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all
  commits. (git commit -s). (If needed, use git commit -s --amend). The author email must match
  the sign-off email address. See CONTRIBUTING.md
  for more information.
• Referenced issues using Fixes: #00000 in commit message (if applicable)
• Tests have been added/updated (or no tests are needed)
• Documentation has been updated (or no documentation changes are needed)
• All commits pass make validatepr (format/lint checks)
• Release note entered in the section below (or None if no user-facing changes)

Does this PR introduce a user-facing change?

Add experimental rootless_port_forwarder="pasta" option in containers.conf. When enabled, rootless bridge network port forwarding uses pasta's kernel-level forwarding (via pesto) instead of rootlessport's userspace proxy, preserving the original client source IP inside containers. Requires a passt build with pesto support. The default remains rootlessport.

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[packit-as-a-service]

tmt tests failed for commit 9fc6f49. @lsm5, @psss, @thrix please check.

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[packit-as-a-service]

tmt tests failed for commit f511d44. @lsm5, @psss, @thrix please check.

[Luap99]

which should ensure to document the exact pasta behavior is still experimental and subject to change

[Luap99]

I would have the switch case over r.config.Network.RootlessPortForwarder here and error on invalid value instead of the main containers.conf validation in common, see my other comment there

[Luap99]

having these branched to be == "rootlessport" would seem more logic to readers.
Also overall it would be helpful to define both strings as content and use them consistently then to avoid typos and allow code readers easily check of where they are referenced

[Luap99]

well then put them into the file where they are used instead of this no lint thing

[Luap99]

I am not sure about all of these tests

for source ip we have podman networking: port with --userns=keep-id for rootless or --uidmap=* for rootful system test

And in general we have a ton of other networking tests already, I rather not duplicate a bunch of slightly different cases.

If we want to test this then we likely want to create a loop over selected existing network tests that run twice with both rootlessport/pasta

[Luap99]

that does not seem to match this though..., it is the exact inverse from the other case below...