I'm unable to connect with host's public IP from rootless container

[MastaG]

I'm running podman 5.0.3 on Fedora 40 (x86-64).
On my host I have a webserver (nginx) running which listens on port 80 and 443 on all interfaces.
I have two main interfaces:
br0: 192.168.1.1 (firewalld zone "internal")
ens6f0.300: 94.x.x.x (firewalld zone "external")

Both firewalld zones have port 80tcp and 443tcp open.
So doing a curl on the host works for both http://192.168.1.1 and http://94.x.x.x

This changes when I try it inside my nextcloud rootless container.
Only http://192.168.1.1 seems to work.

$ podman exec -it nextcloud-aio-nextcloud sh

/var/www/html # curl http://192.168.1.1
<!doctype html>
<html>
...
/var/www/html # curl http://94.x.x.x
curl: (7) Failed to connect to 94.x.x.x port 80 after 0 ms: Couldn't connect to server

Very strange that from within the container only 192.168.1.1 seems to work.
podman system info:

host:
  arch: amd64
  buildahVersion: 1.35.4
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 99.3
    systemPercent: 0.19
    userPercent: 0.51
  cpus: 32
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: server
    version: "40"
  eventLogger: journald
  freeLocks: 2006
  hostname: fedora.tno-187.lan
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.8.10-300.fc40.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 592293888
  memTotal: 33543655424
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.10.0-1.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.10.0
    package: netavark-1.10.3-3.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun-1.15-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.15
      commit: e6eacaf4034e84185fd8780ac9262bbf57082278
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240510.g7288448-1.fc40.x86_64
    version: |
      pasta 0^20240510.g7288448-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-2.fc40.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 17173569536
  swapTotal: 17179860992
  uptime: 29h 35m 17.00s (Approximately 1.21 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/mastag/.config/containers/storage.conf
  containerStore:
    number: 33
    paused: 0
    running: 32
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/mastag/.local/share/containers/storage
  graphRootAllocated: 230011273216
  graphRootUsed: 83919896576
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 62
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/mastag/.local/share/containers/storage/volumes
version:
  APIVersion: 5.0.3
  Built: 1715299200
  BuiltTime: Fri May 10 02:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.2
  Os: linux
  OsArch: linux/amd64
  Version: 5.0.3

podman network inspect nextcloud-aio:

$ podman network inspect nextcloud-aio 
[
     {
          "name": "nextcloud-aio",
          "id": "531f1a68081f142db599eeba68851d0bacc86fc28a27e451ad0a0ae9d539b45a",
          "driver": "bridge",
          "network_interface": "podman2",
          "created": "2024-05-21T16:44:14.646672265+02:00",
          "subnets": [
               {
                    "subnet": "10.89.1.0/24",
                    "gateway": "10.89.1.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": true,
          "ipam_options": {
               "driver": "host-local"
          },
          "containers": {
          ...

podman container inspect nextcloud-aio-nextcloud:

          "NetworkSettings": {
               "EndpointID": "",
               "Gateway": "",
               "IPAddress": "",
               "IPPrefixLen": 0,
               "IPv6Gateway": "",
               "GlobalIPv6Address": "",
               "GlobalIPv6PrefixLen": 0,
               "MacAddress": "",
               "Bridge": "",
               "SandboxID": "",
               "HairpinMode": false,
               "LinkLocalIPv6Address": "",
               "LinkLocalIPv6PrefixLen": 0,
               "Ports": {
                    "9000/tcp": null
               },
               "SandboxKey": "/run/user/1000/netns/netns-52ddda3a-21da-8a8d-8959-f2ec32797b11",
               "Networks": {
                    "nextcloud-aio": {
                         "EndpointID": "",
                         "Gateway": "10.89.1.1",
                         "IPAddress": "10.89.1.39",
                         "IPPrefixLen": 24,
                         "IPv6Gateway": "",
                         "GlobalIPv6Address": "",
                         "GlobalIPv6PrefixLen": 0,
                         "MacAddress": "3e:0c:d0:f5:c9:2e",
                         "NetworkID": "nextcloud-aio",
                         "DriverOpts": null,
                         "IPAMConfig": null,
                         "Links": null,
                         "Aliases": [
                              "49fe85e9bf0f"
                         ]
                    }
               }
          },

I can't figure out why the rootless container is only capable of connecting with 192.168.1.1 and not with my public ip, while both of these interfaces live on the same host.

Any help would be greatly appreciated :)

[Luap99]

That is to be expected as pasta uses the same ip address in the netns by default so you are not actually connecting to the host in this case, see
the pasta section here for more

[sbrivio-rh]

I guess your container has an address in 94.0.0.0/8, correct? By default, with pasta, the new default rootless network backend, your container will inherit IP addresses and routes from one host upstream interface. See #19213 (comment) for a detailed explanation. Can you please have a look with ip address show inside your container?

[MastaG]

I guess your container has an address in 94.0.0.0/8, correct? By default, with pasta, the new default rootless network backend, your container will inherit IP addresses and routes from one host upstream interface. See #19213 (comment) for a detailed explanation. Can you please have a look with ip address show inside your container?

/var/www/html # ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if132: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 52:35:35:00:68:dc brd ff:ff:ff:ff:ff:ff
    inet 10.89.1.49/24 brd 10.89.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5035:35ff:fe00:68dc/64 scope link 
       valid_lft forever preferred_lft forever

[Luap99]

you have to check podman unshare --rootless-netns ip a when using the bridge network mode

[MastaG]

you have to check podman unshare --rootless-netns ip a when using the bridge network mode

Here's all of them:

$ podman unshare --rootless-netns ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: ens6f0.300: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 9a:9d:04:bc:bb:fd brd ff:ff:ff:ff:ff:ff
    inet 94.x.x.x/22 brd 94.x.x.255 scope global noprefixroute ens6f0.300
       valid_lft forever preferred_lft forever
    inet6 fe80::989d:4ff:febc:bbfd/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
3: podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 4a:d4:29:3e:af:53 brd ff:ff:ff:ff:ff:ff
    inet 10.88.0.1/16 brd 10.88.255.255 scope global podman0
       valid_lft forever preferred_lft forever
    inet6 fe80::48d4:29ff:fe3e:af53/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
4: veth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether aa:08:a8:bc:39:bf brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::a808:a8ff:febc:39bf/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
6: veth2@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether aa:70:53:56:53:12 brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::a870:53ff:fe56:5312/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
7: veth3@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether 2e:a7:ee:53:14:14 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::2ca7:eeff:fe53:1414/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
9: veth5@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether 3a:da:71:ec:4e:8e brd ff:ff:ff:ff:ff:ff link-netnsid 5
    inet6 fe80::38da:71ff:feec:4e8e/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
10: veth6@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether d2:e2:4a:f8:91:05 brd ff:ff:ff:ff:ff:ff link-netnsid 6
    inet6 fe80::d0e2:4aff:fef8:9105/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
12: veth8@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether ae:4e:11:7c:22:32 brd ff:ff:ff:ff:ff:ff link-netnsid 8
    inet6 fe80::ac4e:11ff:fe7c:2232/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
14: veth10@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether 3e:30:a4:57:23:b7 brd ff:ff:ff:ff:ff:ff link-netnsid 10
    inet6 fe80::3c30:a4ff:fe57:23b7/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
15: veth11@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether 76:d8:a1:b9:6a:99 brd ff:ff:ff:ff:ff:ff link-netnsid 11
    inet6 fe80::74d8:a1ff:feb9:6a99/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
16: veth12@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether 7a:ab:94:18:37:65 brd ff:ff:ff:ff:ff:ff link-netnsid 12
    inet6 fe80::78ab:94ff:fe18:3765/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
17: veth13@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether ce:a6:e7:b7:2d:08 brd ff:ff:ff:ff:ff:ff link-netnsid 13
    inet6 fe80::cca6:e7ff:feb7:2d08/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
20: veth15@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether b2:92:5a:98:ed:96 brd ff:ff:ff:ff:ff:ff link-netnsid 15
    inet6 fe80::b092:5aff:fe98:ed96/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
21: veth16@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether c6:a0:f1:9c:54:8d brd ff:ff:ff:ff:ff:ff link-netnsid 16
    inet6 fe80::c4a0:f1ff:fe9c:548d/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
22: veth17@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether fe:b4:df:dd:8e:ad brd ff:ff:ff:ff:ff:ff link-netnsid 17
    inet6 fe80::fcb4:dfff:fedd:8ead/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
25: veth18@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether 3a:c5:c6:0c:77:3c brd ff:ff:ff:ff:ff:ff link-netnsid 18
    inet6 fe80::38c5:c6ff:fe0c:773c/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
35: veth7@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether 82:91:0c:9c:53:74 brd ff:ff:ff:ff:ff:ff link-netnsid 7
    inet6 fe80::8091:cff:fe9c:5374/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
121: veth4@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether 1a:3f:24:09:1e:31 brd ff:ff:ff:ff:ff:ff link-netnsid 4
    inet6 fe80::183f:24ff:fe09:1e31/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
122: veth9@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether ce:e5:3f:51:e0:45 brd ff:ff:ff:ff:ff:ff link-netnsid 9
    inet6 fe80::cce5:3fff:fe51:e045/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
123: veth1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman0 state UP group default qlen 1000
    link/ether 2a:3b:8e:f7:b8:a5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::283b:8eff:fef7:b8a5/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
124: podman2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether de:e1:82:aa:6f:fd brd ff:ff:ff:ff:ff:ff
    inet 10.89.1.1/24 brd 10.89.1.255 scope global podman2
       valid_lft forever preferred_lft forever
    inet6 fe80::dce1:82ff:feaa:6ffd/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
126: veth19@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman2 state UP group default qlen 1000
    link/ether 6a:53:61:69:e5:1e brd ff:ff:ff:ff:ff:ff link-netnsid 19
    inet6 fe80::6853:61ff:fe69:e51e/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
127: veth14@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman2 state UP group default qlen 1000
    link/ether 36:16:9c:ed:b7:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 14
    inet6 fe80::3416:9cff:feed:b7b9/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
128: veth20@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman2 state UP group default qlen 1000
    link/ether c6:ce:69:f8:b5:fd brd ff:ff:ff:ff:ff:ff link-netnsid 20
    inet6 fe80::c4ce:69ff:fef8:b5fd/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
129: veth21@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman2 state UP group default qlen 1000
    link/ether 06:a9:0b:8d:48:4a brd ff:ff:ff:ff:ff:ff link-netnsid 21
    inet6 fe80::4a9:bff:fe8d:484a/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
130: veth22@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman2 state UP group default qlen 1000
    link/ether 56:04:7f:6f:cb:1d brd ff:ff:ff:ff:ff:ff link-netnsid 22
    inet6 fe80::5404:7fff:fe6f:cb1d/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
131: veth23@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman2 state UP group default qlen 1000
    link/ether 42:f6:2e:3b:4a:96 brd ff:ff:ff:ff:ff:ff link-netnsid 23
    inet6 fe80::40f6:2eff:fe3b:4a96/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
132: veth24@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman2 state UP group default qlen 1000
    link/ether 42:5a:9f:12:14:c8 brd ff:ff:ff:ff:ff:ff link-netnsid 24
    inet6 fe80::405a:9fff:fe12:14c8/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
133: veth25@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman2 state UP group default qlen 1000
    link/ether a6:df:d1:0d:90:ce brd ff:ff:ff:ff:ff:ff link-netnsid 25
    inet6 fe80::a4df:d1ff:fe0d:90ce/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
134: veth26@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman2 state UP group default qlen 1000
    link/ether 3e:b0:4e:1e:85:7d brd ff:ff:ff:ff:ff:ff link-netnsid 26
    inet6 fe80::3cb0:4eff:fe1e:857d/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

The nextcloud-aio bridge network seems to use podman2:

124: podman2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether de:e1:82:aa:6f:fd brd ff:ff:ff:ff:ff:ff
    inet 10.89.1.1/24 brd 10.89.1.255 scope global podman2
       valid_lft forever preferred_lft forever
    inet6 fe80::dce1:82ff:feaa:6ffd/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

[MastaG]

So this still doesn't tell me why I can connect with the host on 192.168.1.1 (br0) and not the interface with my public ip 94.x.x.x (ens6f0.300).
@Luap99 according to the system info, it's using netavark, not pasta: networkBackend: netavark
It worked before on Fedora 39.

[sbrivio-rh]

Because this is associated to your first default route (for IPv4) on the host, I guess. From pasta(1):

       -i, --interface name
              Use host interface name to derive addresses and routes.  Default
              is  to use the interfaces specified by --outbound-if4 and --out‐
              bound-if6, for IPv4 and IPv6 addresses and routes, respectively.
              If no interfaces are given, the interface with the first default
              routes for each IP version is selected.

[MastaG]

That it correct, it's my internet connection and the default gateway to the outside world.
So that's why pasta decided to copy it to the netns? (e.g. the list I see by doing podman unshare --rootless-netns ip a)
And can I also remove it? or will my rootless containers lose their gateway to the internet?

[sbrivio-rh]

So that's why pasta decided to copy it to the netns?

Right, so that from that network namespace, you have no NAT, because the internal address is the same as the external address. It's generally a neat feature but it can be a bit annoying if you're not used to it, I realise.

(e.g. the list I see by doing podman unshare --rootless-netns ip a)

Note that pasta is just copying that one, the rest are interfaces to connect your containers in the same pod/namespace.

And can I also remove it? or will my rootless containers lose their gateway to the internet?

Worse, they'll lose their address. They need an address. What you can do is to specify another address for the namespace -- I don't remember right now how that's done but I'm fairly sure it's documented somewhere.

[MastaG]

Al right, thanks for all of the clarification and explanation.
I'll just don't touch it and keep on using my workaround by resolving my nextcloud domain to 192.168.1.1 as written in my post below.
When I have time I'll try to look into the documentation about interfaces added to netns and their functioning.

[sbrivio-rh]

This: #22653 (comment) is what I meant: pass another address directly to pasta, if you want/need.

[MastaG]

So to give a little bit more background info, I'm running nextcloud-aio which comes with a so called "master" container.
I'm starting it rootless using quadlet, so my .container file looks like:

[Unit]
Description=Nextcloud AIO Master Container
Documentation=https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md
After=local-fs.target network.target network-online.target dnsmasq.service
Wants=network-online.target dnsmasq.service
Requires=podman.socket

[Service]
Restart=always
ExecStop=/home/mastag/stop-nextcloud-aio.sh
ExecStartPost=/home/mastag/restart-nextcloud-aio.sh
TimeoutSec=900

[Container]
ContainerName=nextcloud-aio-mastercontainer
Image=docker.io/nextcloud/all-in-one:beta
PublishPort=127.0.0.1:11001:8080
PodmanArgs=--add-host mynextclouddomain:192.168.1.1
Volume=nextcloud_aio_mastercontainer:/mnt/docker-aio-config
Volume=/run/user/1000/podman/podman.sock:/var/run/docker.sock:Z
Network=bridge
SecurityLabelDisable=true
Pull=newer

Environment=APACHE_PORT=11000
Environment=APACHE_IP_BINDING=127.0.0.1
Environment=WATCHTOWER_DOCKER_SOCKET_PATH=/run/user/1000/podman/podman.sock
Environment=NEXTCLOUD_DATADIR="/mnt/data/ncdata"
Environment=AIO_DISABLE_BACKUP_SECTION=true
Environment=NEXTCLOUD_MEMORY_LIMIT=1024M

[Install]
WantedBy=multi-user.target default.target

Now I've tried to work around this by adding this to the master container:

PodmanArgs=--add-host mynextclouddomain:192.168.1.1

But it seems the master container will not pass on the "add-host" field to its child containers so the above workaround only applies to the master container.
So this isn't a valid solution because all the child containers need to be able to connect with https://mynextclouddomein as well.

As a last resort I simply edited the /etc/hosts file on my hosts so it applies system-wide.
This isn't really a satisfying solution, because I still don't understand why I can't connect with my host's public ip.
But it works.