From c1dec20f0eb91a00ca9f099e6014170d10030a50 Mon Sep 17 00:00:00 2001
From: Amol Yadav
Date: Sun, 17 May 2026 15:24:14 +0530
Subject: [PATCH] fix(pasta): assign map-host-loopback for rootless bridges
---
 libnetwork/pasta/pasta_linux.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/libnetwork/pasta/pasta_linux.go b/libnetwork/pasta/pasta_linux.go
index 33fbc35e6..45c4a5a20 100644
--- a/libnetwork/pasta/pasta_linux.go
+++ b/libnetwork/pasta/pasta_linux.go
@@ -36,6 +36,8 @@ const (
 // mapGuestAddrIpv4 static ip used as forwarder address inside the netns to reach the host,
 // given this is a "link local" ip it should be very unlikely that it causes conflicts
 mapGuestAddrIpv4 = "169.254.1.2"
+
+ mapHostLoopbackOpt = "--map-host-loopback"
 )
 type SetupOptions struct {
@@ -276,5 +278,18 @@ func createPastaArgs(opts *SetupOptions) ([]string, []string, []string, error) {
 mapGuestAddrIPs = append(mapGuestAddrIPs, mapGuestAddrIpv4)
 }
+ // outbound counterpart: without this the /etc/hosts entry podman writes for
+ // host.containers.internal is unreachable from bridge containers
+ hasMapHostLoopback := false
+ for _, opt := range cmdArgs {
+ if opt == mapHostLoopbackOpt {
+ hasMapHostLoopback = true
+ break
+ }
+ }
+ if !hasMapHostLoopback {
+ cmdArgs = append(cmdArgs, mapHostLoopbackOpt, mapGuestAddrIpv4)
+ }
+
 return cmdArgs, dnsForwardIPs, mapGuestAddrIPs, nil
 }
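Review bot: The block added before the final `return` in createPastaArgs appends `--map-host-loopback 169.254.1.2` whenever the flag is absent, so host-loopback mapping becomes a default that a user can redirect to another address but cannot switch off. If pasta routes that address to the host's loopback, as the option name suggests, services bound only to 127.0.0.1 on the host become reachable from containers; this looks like it should be opt-in through configuration, and nothing visible in the hunk restricts it to the rootless bridge case named in the subject. `mapGuestAddrIpv4` is also reused for a second, different mapping, and the new append sits outside the preceding `if`, so the comment should record the overlap, e.g. `// NOTE: shares 169.254.1.2 with the guest-addr mapping; confirm pasta accepts both on one address`. The exact-token comparison would miss a `--map-host-loopback=ADDR` spelling, and the loop could be `slices.Contains(cmdArgs, mapHostLoopbackOpt)` if the file already imports slices. The function starts outside the hunk, so the interaction with options set earlier in it is not visible here.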