On Wed, 26 Oct 2022 15:07:42 +0200 Paul Holzinger <pholzing(a)redhat.com> wrote:Pcap file is attached.Thanks, it's not the issue I had in mind. Here the ARP exchange already happened, and the ICMP proxy is not tracking the first reply. We might be using this kind of mechanism here, if bind() for ICMP echo sockets is not allowed on the host: https://passt.top/passt/commit/?id=9663378d6d6dcd8275d60b826356cc4be0538231 (this issue was seen in KubeVirt with passt). But I don't have a clear explanation as to why that first reply is ignored, yet. I'll need to look further into this.Not in general. Podman is passing --config-net, so we can be reasonably (but not totally) sure that that's going to be the address used in the future -- the user could still change it manually. In other cases, we might be offering zero or more of DHCP, NDP, DHCPv6, depending on configuration, and nobody guarantees that the container or a guest is actually implementing that. -- StefanoThis difference is due to the fact that pasta allows any IP address to be used by the container, and it will learn that on the first packet. I see the same exact behaviour. We might be able to improve this, but I'm not entirely sure.I might misunderstand how passt/pasta work but it already configured the interface in the netns with the correct ip, no? Why does it need to learn it?