Packit jobs failed. @containers/packit-build please check.

/packit rebuild-failed

Since GH PR reviews are down posted here in the hope it works

Not supporting ipv6 here is a hard blocker which we cannot ship with as this would be a major regression.

ipv6 dnat work for all addresses except ::1 and I would expect the incoming packet address to be from the tap and not lo? Or I guess that depend on the local splice bypass when the host connection comes from ::1. Maybe adding the --no-splice option to pasta helps with that part cc @sbrivio-rh

Testing locally with the --no-splice option even the real problem is not packets are send via link local address with is never routed

fe80::8880:e9ff:fead:a5cc is the link local inside the rootless netns

18:47:02.596861 enp9s0u2u1u2 In  IP6 fe80::20bc:e1f1:6719:b4ce.35144 > fe80::8880:e9ff:fead:a5cc.8080: Flags [S], seq 625554470, win 65535, options [mss 61440,nop,wscale 8], length 0
18:47:02.596926 enp9s0u2u1u2 Out IP6 fe80::8880:e9ff:fead:a5cc.8080 > fe80::20bc:e1f1:6719:b4ce.35144: Flags [R.], seq 0, ack 625554471, win 0, length 0

But I do have an actual global address assigned as well
inet6 2620:52:0:2c20::1290/64 scope global nodad noprefixroute

So why is pasta not forwarding to that address? If it would do that then it should work I think

Then there is the larger design issue that comes due stripping off the host ip on the podman side in the rootless netns. All packets arrive only on the tap interface in pasta so the netns has no longer any way to route them to the right container ip as the real host ip info is lost at that point, i.e. try something like this all, request will land in one container which is bad and I Am not sure how we could even avoid this here.

podman run --rm  --network bridge -p 127.0.0.1:8080:80  -d nginx
podman run --rm  --network bridge -p 127.0.0.2:8080:80  -d nginx

It is essentially this machine problem containers/podman#14928, we would need to remap ports in the rootless netns dynamically but this is ugly as we need to keep state and it also means we can run out of ports if users forward a lot of ports on many ips on the host but the pasta tap0 interface would only have one set so we get capped at 65535 I guess

It is essentially this machine problem containers/podman#14928, we would need to remap ports in the rootless netns dynamically but this is ugly as we need to keep state and it also means we can run out of ports if users forward a lot of ports on many ips on the host but the pasta tap0 interface would only have one set so we get capped at 65535 I guess

@sbrivio-rh @dgibson I think you talked about the flow table possibly having a destination ip. Is that something that would work today already? I guess it could used to avoid the issue if podman passes the final container ip right with the port mappings and then skip the dnat firewall rules completely because pasta handles it directly in one go

Testing locally with the --no-splice option even the real problem is not packets are send via link local address with is never routed

I just noticed I tested with the wrong network without ipv6 enabled, we must test with a network created with podman network create --ipv6. Still does not work due the link local but now the tcpdump makes more sense and curl times out instead of the connection reset.

19:32:18.855995 enp9s0u2u1u2 In  IP6 fe80::20bc:e1f1:6719:b4ce.51690 > fe80::f469:6cff:fe96:3065.8080: Flags [S], seq 1712433705, win 65535, options [mss 61440,nop,wscale 8], length 0
19:32:18.856044 enp9s0u2u1u2 Out IP6 fe80::f469:6cff:fe96:3065 > fe80::20bc:e1f1:6719:b4ce: ICMP6, destination unreachable, beyond scope fe80::f469:6cff:fe96:3065, source address fe80::20bc:e1f1:6719:b4ce, length 76
19:32:19.856120 enp9s0u2u1u2 In  IP6 fe80::20bc:e1f1:6719:b4ce.51690 > fe80::f469:6cff:fe96:3065.8080: Flags [S], seq 1712433706, win 65535, options [mss 61440,nop,wscale 8], length 0
19:32:19.856209 enp9s0u2u1u2 Out IP6 fe80::f469:6cff:fe96:3065 > fe80::20bc:e1f1:6719:b4ce: ICMP6, destination unreachable, beyond scope fe80::f469:6cff:fe96:3065, source address fe80::20bc:e1f1:6719:b4ce, length 76

But I do have an actual global address assigned as well inet6 2620:52:0:2c20::1290/64 scope global nodad noprefixroute

So why is pasta not forwarding to that address? If it would do that then it should work I think

I just realised that this might be due to Podman passing --map-guest-addr, which is taken into account in the inbound NAT logic:

        } else if (!IN6_IS_ADDR_UNSPECIFIED(&c->ip6.map_guest_addr) &&
                   inany_equals6(addr, &c->ip6.addr)) {
                translated->a6 = c->ip6.map_guest_addr;

I guess we might want to maintain the original scope instead, that is, if the original destination address wasn't a link-local address, we shouldn't convert that. I didn't really think it through, but this definitely looks like something we can fix in pasta.

@sbrivio-rh @dgibson I think you talked about the flow table possibly having a destination ip. Is that something that would work today already? I guess it could used to avoid the issue if podman passes the final container ip right with the port mappings and then skip the dnat firewall rules completely because pasta handles it directly in one go

Ah, yes, that sounds like a good idea! We don't have the interface for that yet, and the destination address is not represented yet in struct fwd_rule, but at this point it should be straightforward to add (I didn't try yet).

We happened to discuss the command line and pesto syntax for that, the seemingly obvious choice would be the same syntax as we use to match on the original destination address, but after the :, that is, say, while:

-t 192.0.2.1/8022:22

forwards traffic originally directed to 192.0.2.1 and port 8022 to port 22 in the container, with the inbound NAT logic I referenced above, we would allow a syntax like:

-t 192.0.2.1/8022:192.0.2.3/22

to also specify a mapped destination IP address. I can give that a try tomorrow, it doesn't really look complicated at this stage.

But I do have an actual global address assigned as well inet6 2620:52:0:2c20::1290/64 scope global nodad noprefixroute
So why is pasta not forwarding to that address? If it would do that then it should work I think

I just realised that this might be due to Podman passing --map-guest-addr, which is taken into account in the inbound NAT logic

If that's the case, the patch at https://archives.passt.top/passt-dev/20260507043149.1989693-1-sbrivio@redhat.com/ (b4 shazam https://archives.passt.top/passt-dev/20260507043149.1989693-1-sbrivio@redhat.com/ ) should probably fix the issue. But I don't know with which parameters pasta is started in your test, and where your connection attempt actually comes from.

I'm looking into the second point meanwhile (which might supersede this one anyway if I understood correctly).

I'm looking into the second point meanwhile (which might supersede this one anyway if I understood correctly).

I sketched destination address mapping at https://archives.passt.top/passt-dev/20260507055036.2110260-1-sbrivio@redhat.com/ (b4 shazam https://archives.passt.top/passt-dev/20260507055036.2110260-1-sbrivio@redhat.com/). Syntax example:

-t 2222:192.0.2.1/2222

but it can be combined with all the other bits, that is, ranges, (outer) interface names, address binding, etc.

Let me know if it's useful, I'll try to quickly publish a complete version if it is.

Let me know if it's useful, I'll try to quickly publish a complete version if it is.

I think so, but I would also like to hear from @Luap99.

Let me know if it's useful, I'll try to quickly publish a complete version if it is.

I think so, but I would also like to hear from @Luap99.

I think it would be useful to have this, but then if we directly NAT in pasta to the container ip we need to rework our approach here I believe.

We need the container destination ip and due the nature of podman network connect/disconnect we would need to update that like we have with the current hacky rootlessport thing. IMO it is not really that maintainable the way the code is structured today, ideally we would move the pesto port setup/teardown into the network Setup() Teardown() in the libnetwork/netavark interface here and not need to do anythign special in podman, though we likely still need to send some option to specify if this is a network connect/disconnect vs initial setup/final teardown.

I am afraid we run out of time for 6.0 with larger changes like this.

-t 2222:192.0.2.1/2222

So how does this work regarding v4/v6 mappings? The host side is a dual stack socket so if pasta handles a v6 request will it NAT that down to v4 with target 192.0.2.1? AFAIK so far pasta has always kept the v4 -> v4/ v6 -> relationship?

Must we split the host mapping into two to avoid this issue?

-t 0.0.0.0/2222:192.0.2.1/2222
-t [2620::]/2222:[fd72::]/2222

How do people feel if we add a new containers.conf option rootless_network_port_forwarder="pasta|rootlessport" and then keep the current logic in addition to the new one and switch based on this option? Use rootlessport as default and call the pasta mode experimental for now until we have time to figure out and fix all edge cases.

That would give us more time until 6.1, we could flip the default there if we are confident that this works properly and users who have issues could revert the setting.

-t 2222:192.0.2.1/2222

So how does this work regarding v4/v6 mappings?

I don't know how it should work, I didn't really think about it. The way I sketched it should actually map any TCP connection, regardless of the IP version, to 192.0.2.1. I'm not sure if it works at all with IPv6.

Proposals / wishes warmly welcome.

The host side is a dual stack socket so if pasta handles a v6 request will it NAT that down to v4 with target 192.0.2.1?

It should, yes.

AFAIK so far pasta has always kept the v4 -> v4/ v6 -> relationship?

Right. I would break that here. Is that an issue or a feature?

There are other options as well:

• only apply that rule to inbound IPv4 traffic
• apply the rule, port-wise, to all traffic, but only apply the address transformation to IPv4
• drop IPv6 traffic

Must we split the host mapping into two to avoid this issue?

-t 0.0.0.0/2222:192.0.2.1/2222
-t [2620::]/2222:[fd72::]/2222

That would definitely be less ambiguous.

How do people feel if we add a new containers.conf option rootless_network_port_forwarder="pasta|rootlessport" and then keep the current logic in addition to the new one and switch based on this option? Use rootlessport as default and call the pasta mode experimental for now until we have time to figure out and fix all edge cases.

That would give us more time until 6.1, we could flip the default there if we are confident that this works properly and users who have issues could revert the setting.

I think it's a good idea in general. I'm just a bit worried that users might expect source addresses to be finally preserved, but it doesn't happen and we'll get flooded with bug reports. But I guess it's anyway the best option for users, especially if it's acceptable to flip the default later.

I agree with the new containers.conf option (rootless_network_port_forwarder). I agree to move pesto into the libnetwork/netavark Setup()/Teardown() interface. (I will do that next week, maybe split them)

I've made changes on the Podman side and wrote e2e tests covering the scenarios discussed here. Here is a commit https://github.com/containers/podman/pull/28478/changes/b3c787e1d10078f01c4c17f8c308a68bbaf780dcwith prototype changes to make the tests pass. I will do the cleanup next week. @Luap99 let me know if I'm missing any scenarios.

Also, I tried using AI to solve the issue on Passt side. Here's a summary of what needs fixing on the Passt side. For the record, I did Passt changes with full AI assist.

if ((spec = strchr(buf, '/')) &&
    strchr(spec, ':') == strchr(buf, ':')) {

if ((spec = strchr(buf, '/')) &&
    (strchr(spec, ':') == strchr(buf, ':') ||
     buf[0] == ':' || buf[0] == '[')) {

if (!c->no_splice && inany_is_loopback(&ini->eaddr) &&
    (inany_is_unspecified(&rule->daddr) || !inany_v4(&ini->eaddr)) &&
    (proto == IPPROTO_TCP || proto == IPPROTO_UDP)) {

pesto --add -t 127.0.0.1/5714:172.43.0.2/5714
pesto --add -t 127.0.0.2/5714:172.43.0.3/5714

} else if (!inany_is_unspecified(&rule->daddr) &&
           !inany_is_linklocal6(&rule->daddr)) {
    tgt->oaddr.a6 = c->ip6.addr;
} else {
    tgt->oaddr.a6 = c->ip6.our_tap_ll;
}

connect to [fd00:44::2]:5372 from [fd00:44::1]:43934   ← wrong

connect to [172.30.0.2]:5295 from [192.168.64.2]:47820  ← correct

if (!inany_is_unspecified(&rule->daddr)) {
    tgt->eaddr = rule->daddr;
    if (inany_v4(&tgt->eaddr))
        tgt->oaddr = inany_any4;
    else
        tgt->oaddr.a6 = c->ip6.addr_seen;
}

if (!inany_is_unspecified(&tgt->oaddr)) {
    union sockaddr_inany bind_sa;

    pif_sockaddr(c, &bind_sa, tgtpif, &tgt->oaddr, tgt->oport);
    if (bind(conn->s[1], &bind_sa.sa, socklen_inany(&bind_sa)))
        flow_trace(conn, "Can't bind splice socket: %s",
                   strerror_(errno));
}

@sbrivio-rh What do you think about changes to Passt?

@sbrivio-rh What do you think about changes to Passt?

I don't think they are particularly useful at the moment. That's a draft I hacked up quickly and kept it light on purpose (with no error handling, without adjusting other functions in fwd.c, etc.).

We need to define the behaviour we want first (based on what we think would be least surprising for users, and also as generic / powerful as possible), see my comment above. Then we can add a proper implementation.

I shared that draft in the hope it would help you speeding up integration and to check how to cover specific aspects that @Luap99 brought up. If you have any specific issue let me know and I'll be happy to fix it.

I also have the feeling that we shouldn't use LLMs to communicate about these design topics, a bit because of the policy (https://github.com/containers/podman/blob/main/LLM_POLICY.md#no-llm-generated-direct-communication), and a bit because we would just regress to average, which isn't exactly what we want here as we have an original design question to answer in the best possible way.

Other than that, let me know if I can help in any way, or if you have preferences or input about the possible behaviours I listed above. Thanks!

I shared that draft in the hope it would help you speeding up integration and to check how to cover specific aspects that @Luap99 brought up. If you have any specific issue let me know and I'll be happy to fix it.

I also have the feeling that we shouldn't use LLMs to communicate about these design topics, a bit because of the policy (https://github.com/containers/podman/blob/main/LLM_POLICY.md#no-llm-generated-direct-communication), and a bit because we would just regress to average, which isn't exactly what we want here as we have an original design question to answer in the best possible way.

My intention was to get a head start on the integration. I tried using AI to resolve the issues on the Pasta side because I am unfamiliar with the codebase, and it seemed like the fastest workaround. I just wanted to share my progress, but I completely agree that relying on AI for this isn't the correct approach.

@Luap99 I've made the adjustments and added the rootless_port_forwarder config. I think it's ready for review and merge.

What are the next steps for podman 6.1?

• Destination mapping
• Changing the default for rootless_port_forwarder to pasta
• Depriaction notice of rootlessport

PTAL @containers/podman-maintainers @containers/podman-reviewers

[snip]

fe80::8880:e9ff:fead:a5cc is the link local inside the rootless netns

18:47:02.596861 enp9s0u2u1u2 In  IP6 fe80::20bc:e1f1:6719:b4ce.35144 > fe80::8880:e9ff:fead:a5cc.8080: Flags [S], seq 625554470, win 65535, options [mss 61440,nop,wscale 8], length 0
18:47:02.596926 enp9s0u2u1u2 Out IP6 fe80::8880:e9ff:fead:a5cc.8080 > fe80::20bc:e1f1:6719:b4ce.35144: Flags [R.], seq 0, ack 625554471, win 0, length 0

But I do have an actual global address assigned as well inet6 2620:52:0:2c20::1290/64 scope global nodad noprefixroute

So why is pasta not forwarding to that address? If it would do that then it should work I think

I haven't yet fully understood the picture here. But the short answer here is that we're picking the link-local address for the destination because the source address is link-local. So the next question is why the (translated?) source address is link local. What is the source address of the connection on the outside?

What is the source address of the connection on the outside?

Just for clarity, as I also noted in https://archives.passt.top/passt-dev/20260515005015.6e23cc47@elisabeth/, this isn't really relevant anymore for the pull request at hand (see also #755 (comment)).

If @Luap99 happens to have a quick answer / remember about this test it would still be nice to have this information, though.

I haven't yet fully understood the picture here. But the short answer here is that we're picking the link-local address for the destination because the source address is link-local. So the next question is why the (translated?) source address is link local. What is the source address of the connection on the outside?

Well that is the thing I used a global ip on the host side, does the kernel remap it before pasta sees it somehow?

quick pasta example without relying on the new code here.

terminal 1

$ podman run -d --name test -p 8080:80 nginx

$ curl [2620:52:0:2c20::11c5]:8080

which is the ipv6 with global scope. that is also assigned in the container

terminal 2

$ podman unshare nsenter -n$(podman inspect --format '{{.NetworkSettings.SandboxKey}}' test) ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: enp9s0u2u1u2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 92:52:91:45:7b:74 brd ff:ff:ff:ff:ff:ff
    inet 192.168.188.22/24 brd 192.168.188.255 scope global noprefixroute enp9s0u2u1u2
       valid_lft forever preferred_lft forever
    inet6 2620:52:0:2c20::11c5/64 scope global nodad noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::9052:91ff:fe45:7b74/64 scope link nodad proto kernel_ll 
       valid_lft forever preferred_lft forever

$ podman unshare nsenter -n$(podman inspect --format '{{.NetworkSettings.SandboxKey}}' test) tcpdump  -nn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp9s0u2u1u2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:10:14.303485 IP6 fe80::789d:431b:be0:1007.44650 > fe80::9052:91ff:fe45:7b74.80: Flags [S], seq 683226477, win 65535, options [mss 61440,nop,wscale 8], length 0
11:10:14.303525 IP6 fe80::9052:91ff:fe45:7b74.80 > fe80::789d:431b:be0:1007.44650: Flags [S.], seq 2670966620, ack 683226478, win 65460, options [mss 65460,nop,wscale 10], length 0
11:10:14.303604 IP6 fe80::789d:431b:be0:1007.44650 > fe80::9052:91ff:fe45:7b74.80: Flags [.], ack 1, win 256, length 0
11:10:14.303622 IP6 fe80::789d:431b:be0:1007.44650 > fe80::9052:91ff:fe45:7b74.80: Flags [P.], seq 1:92, ack 1, win 256, length 91: HTTP: GET / HTTP/1.1
11:10:14.303627 IP6 fe80::9052:91ff:fe45:7b74.80 > fe80::789d:431b:be0:1007.44650: Flags [.], ack 92, win 64, length 0
11:10:14.303999 IP6 fe80::9052:91ff:fe45:7b74.80 > fe80::789d:431b:be0:1007.44650: Flags [P.], seq 1:239, ack 92, win 64, length 238: HTTP: HTTP/1.1 200 OK
11:10:14.304067 IP6 fe80::9052:91ff:fe45:7b74.80 > fe80::789d:431b:be0:1007.44650: Flags [P.], seq 239:1135, ack 92, win 64, length 896: HTTP
11:10:14.304104 IP6 fe80::789d:431b:be0:1007.44650 > fe80::9052:91ff:fe45:7b74.80: Flags [.], ack 239, win 256, length 0
11:10:14.304138 IP6 fe80::789d:431b:be0:1007.44650 > fe80::9052:91ff:fe45:7b74.80: Flags [.], ack 1135, win 256, length 0
11:10:14.304316 IP6 fe80::789d:431b:be0:1007.44650 > fe80::9052:91ff:fe45:7b74.80: Flags [F.], seq 92, ack 1135, win 256, length 0
11:10:14.304348 IP6 fe80::9052:91ff:fe45:7b74.80 > fe80::789d:431b:be0:1007.44650: Flags [F.], seq 1135, ack 93, win 64, length 0
11:10:14.304474 IP6 fe80::789d:431b:be0:1007.44650 > fe80::9052:91ff:fe45:7b74.80: Flags [.], ack 1136, win 256, length 0

so the source is fe80... link-local inside the ns, when I look at the tcpdump on the host the interesting thing is that the source ip is correct 2620:52:0:2c20::11c5 but the interface is actually lo not the one with that address so I think this is the kernel knowing this is "local" and hence pasta does the wrong thing in that case. For the regular container case this does not matter as the bound service will accept the connection just fine but for this PR with the "rootless-netns" it means it breaks the routing in that case.

I guess it is fine to ignore for now.

11:17:15.018458 lo    In  IP6 2620:52:0:2c20::11c5.36302 > 2620:52:0:2c20::11c5.8080: Flags [S], seq 2927530124, win 65476, options [mss 65476,sackOK,TS val 2637593676 ecr 0,nop,wscale 10], length 0
11:17:15.018480 lo    In  IP6 2620:52:0:2c20::11c5.8080 > 2620:52:0:2c20::11c5.36302: Flags [S.], seq 2971290539, ack 2927530125, win 65464, options [mss 65476,sackOK,TS val 3246836191 ecr 2637593676,nop,wscale 10], length 0
11:17:15.018493 lo    In  IP6 2620:52:0:2c20::11c5.36302 > 2620:52:0:2c20::11c5.8080: Flags [.], ack 1, win 64, options [nop,nop,TS val 2637593676 ecr 3246836191], length 0
11:17:15.018534 lo    In  IP6 2620:52:0:2c20::11c5.36302 > 2620:52:0:2c20::11c5.8080: Flags [P.], seq 1:92, ack 1, win 64, options [nop,nop,TS val 2637593676 ecr 3246836191], length 91: HTTP: GET / HTTP/1.1
11:17:15.018541 lo    In  IP6 2620:52:0:2c20::11c5.8080 > 2620:52:0:2c20::11c5.36302: Flags [.], ack 92, win 64, options [nop,nop,TS val 3246836191 ecr 2637593676], length 0
11:17:15.018973 lo    In  IP6 2620:52:0:2c20::11c5.8080 > 2620:52:0:2c20::11c5.36302: Flags [P.], seq 1:1135, ack 92, win 64, options [nop,nop,TS val 3246836191 ecr 2637593676], length 1134: HTTP: HTTP/1.1 200 OK
11:17:15.018984 lo    In  IP6 2620:52:0:2c20::11c5.36302 > 2620:52:0:2c20::11c5.8080: Flags [.], ack 1135, win 68, options [nop,nop,TS val 2637593676 ecr 3246836191], length 0
11:17:15.019099 lo    In  IP6 2620:52:0:2c20::11c5.36302 > 2620:52:0:2c20::11c5.8080: Flags [F.], seq 92, ack 1135, win 68, options [nop,nop,TS val 2637593676 ecr 3246836191], length 0
11:17:15.019280 lo    In  IP6 2620:52:0:2c20::11c5.8080 > 2620:52:0:2c20::11c5.36302: Flags [F.], seq 1135, ack 93, win 64, options [nop,nop,TS val 3246836191 ecr 2637593676], length 0
11:17:15.019306 lo    In  IP6 2620:52:0:2c20::11c5.36302 > 2620:52:0:2c20::11c5.8080: Flags [.], ack 1136, win 68, options [nop,nop,TS val 2637593677 ecr 3246836191], length 0

FWIW I was able to confirm actual external connects from a second system were correctly using the global address, so the worst case is only connections from the host are not working via ip6.

I haven't yet fully understood the picture here. But the short answer here is that we're picking the link-local address for the destination because the source address is link-local. So the next question is why the (translated?) source address is link local. What is the source address of the connection on the outside?

Well that is the thing I used a global ip on the host side, does the kernel remap it before pasta sees it somehow?

I don't think so.

quick pasta example without relying on the new code here.

terminal 1

$ podman run -d --name test -p 8080:80 nginx

$ curl [2620:52:0:2c20::11c5]:8080

which is the ipv6 with global scope. that is also assigned in the container

Aha! I'd been assuming the external connection was coming from somewhere else, rather than from the host on the address shared with the container. This curl will (in most circumstances) use that address as both the source and destination. IIUC, podman invokes pasta with an IPv4 --map-guest-addr but not an IPv6 one. I think I know what's going on here, see below.

[snip]

so the source is fe80... link-local inside the ns, when I look at the tcpdump on the host the interesting thing is that the source ip is correct 2620:52:0:2c20::11c5 but the interface is actually lo not the one with that address so I think this is the kernel knowing this is "local" and hence pasta does the wrong thing in that case.

It's arguably doing the wrong thing, but it's not related to the host interface. There's essentiall no mechanism by which that could affect things. The relevant code is this stanza in fwd_nat_from_host():

	if (!nat_inbound(c, &ini->eaddr, &tgt->oaddr)) {
		if (inany_v4(&ini->eaddr)) {
			if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.our_tap_addr))
				/* No source address we can use */
				return PIF_NONE;
			tgt->oaddr = inany_from_v4(c->ip4.our_tap_addr);
		} else {
			tgt->oaddr.a6 = c->ip6.our_tap_ll;
		}
	}

nat_inbound() is failing on the (host side) source address, because it is the same as the container address, so this block is invoked. This is essentially a translation of last resort - we're using pasta's internal link-local address on the container side, and therefore the container's link-local address as well.

I'll grant that's kind of weird, but what should we do instead? We could simply drop the connection, but that doesn't seem desirable either. To translate without altering address scope, we need a global scope address we can use. You can specify that with --map-guest-addr <global IPv6 address> which will already override this fallback behaviour.

Doing better automatically is tricky, because we don't really have the power to allocate global addresses anywhere. We can't use the gateway address as we do for IPv4, because that will nearly always also be link-local, so it will have the same problem. Maybe we search for a free RFC4193 address (fc00::/7)? Unlike the IPv4 equivalents (10.0.0.0/8 etc.) that's a large enough address space, that we can be pretty confident to find something that won't conflict with something the host is already using. Does that make sense to do in pasta? Or would it make more sense to do in podman and pass --map-guest-addr?

LGTM

/lgtm

It seems that /lgtm command doesn't work here.