I'm trying to get a service in a rootless Podman container (BIND DNS server) to respond correctly when using VRRP (via keeepalived) on the host. It seems like Pasta will forward the inbound traffic to the container from the VRRP address, but the responses will be from the regular IP address instead of the VRRP address, which causes the client to ignore the response. I've tried adding Pasta network options to the container, but the behavior seems to be the same.

OS: Centos Stream 9

Podman: 5.2.2

Pasta: 0^20240806.gee36266-2.el9.x86_64-pasta

Outside interface:

ens18

    10.1.1.1/24 (main IP)

    10.1.1.2/32 (VRRP IP)

TCPdump shows the problem (note that the reply packet has source as the main IP, not the VRRP IP:

IP 10.2.2.2.37392 > 10.1.1.2.53: 60211+ [1au] A? www.example.com. (56)

IP 10.1.1.1.53 > 10.2.2.2.37392: 60211*- 1/0/1 A 192.168.254.7 (88)

Tried starting the container with non-default pasta options, but the result is the same:

--network pasta:-I,tap0,-o,10.1.1.2,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp

Any help with possible solutions would be greatly appreciated.

Thanks,

--