by the8472 1410 days ago
That's neat and quite a unixy solution but still fairly limiting. Are there any plans for a hybrid solution where most of podman runs as non-root via userns but invokes a suid helper to setup the network?
1 comments

Not exactly what you are asking for but there is a Systemd feature request to add a Connect= setting to service unit files. https://github.com/systemd/systemd/issues/23067#issuecomment... (That could be a cool feature)

Also interesting would be to fix the security considerations of using bypass4netns:

"However, it is probably possible to connect to host loopback IPs by exploiting TOCTOU of struct sockaddr * pointers."

There seems to be an implementation idea for how the problem could be fixed:

https://github.com/rootless-containers/bypass4netns/issues/2...
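The TOCTOU the quoted sentence refers to is the classic check-then-use problem for a syscall argument that lives in another process's memory: a supervisor reads the struct sockaddr, approves it, and by the time the address is actually used a second thread in the target has rewritten it. The following Python is an added illustration and is not code from this thread or from the bypass4netns project; it models the target's memory as a bytearray, models the racing thread as an explicit callback so the outcome is deterministic, and contrasts the vulnerable pattern with a generic mitigation (parse and use a single snapshot of the bytes). Whether that is the approach the linked issue proposes is not something this thread states, so treat the snapshot version as one general-purpose fix, not as a description of the project's plan.

```python
import ipaddress
import struct
from typing import Callable, Tuple

# Layout of struct sockaddr_in on Linux/x86: sa_family (host-order u16),
# sin_port (network-order u16), sin_addr (4 bytes), 8 bytes of padding.
SOCKADDR_IN = struct.Struct("=H2s4s8s")
AF_INET = 2


def pack_sockaddr_in(ip: str, port: int) -> bytearray:
    """Build the bytes a target process would hand to connect(2)."""
    return bytearray(SOCKADDR_IN.pack(
        AF_INET,
        struct.pack("!H", port),
        ipaddress.IPv4Address(ip).packed,
        b"\0" * 8,
    ))


def parse_sockaddr_in(buf: bytes) -> Tuple[str, int]:
    """Decode (ip, port) from a sockaddr_in buffer; rejects non-AF_INET."""
    family, port_be, addr, _ = SOCKADDR_IN.unpack(bytes(buf[:SOCKADDR_IN.size]))
    if family != AF_INET:
        raise ValueError("only AF_INET is modelled here")
    return str(ipaddress.IPv4Address(addr)), struct.unpack("!H", port_be)[0]


def policy_allows(ip: str) -> bool:
    """The supervisor's rule: never let the container reach host loopback."""
    return not ipaddress.IPv4Address(ip).is_loopback


def connect_check_then_use(target_mem: bytearray,
                           race: Callable[[bytearray], None]) -> Tuple[str, str, int]:
    """Vulnerable pattern: the address is read twice from memory the target
    controls. `race` stands in for another target thread that runs between
    the supervisor's check and the moment the address is actually used."""
    ip, port = parse_sockaddr_in(target_mem)          # read #1: the check
    if not policy_allows(ip):
        return ("denied", ip, port)
    race(target_mem)                                  # target rewrites the struct
    ip_used, port_used = parse_sockaddr_in(target_mem)  # read #2: the use
    return ("connected", ip_used, port_used)


def connect_snapshot(target_mem: bytearray,
                     race: Callable[[bytearray], None]) -> Tuple[str, str, int]:
    """Mitigated pattern: copy the bytes once, then both the check and the
    use operate on that private copy, so later writes by the target are moot."""
    snapshot = bytes(target_mem[:SOCKADDR_IN.size])   # single read
    ip, port = parse_sockaddr_in(snapshot)
    if not policy_allows(ip):
        return ("denied", ip, port)
    race(target_mem)                                  # same interference as above
    ip_used, port_used = parse_sockaddr_in(snapshot)  # reuses the checked copy
    return ("connected", ip_used, port_used)


def rewrite_to_loopback(mem: bytearray) -> None:
    """Constructed racing thread: swap the approved address for 127.0.0.1:22."""
    mem[:] = pack_sockaddr_in("127.0.0.1", 22)


def no_race(mem: bytearray) -> None:
    """Control case: nothing interferes between check and use."""


if __name__ == "__main__":
    # Constructed sample: the target asks for a public address that passes policy.
    print(connect_check_then_use(pack_sockaddr_in("93.184.216.34", 443), rewrite_to_loopback))
    print(connect_snapshot(pack_sockaddr_in("93.184.216.34", 443), rewrite_to_loopback))
    print(connect_snapshot(pack_sockaddr_in("127.0.0.1", 80), no_race))
```

Running the block shows the vulnerable variant reporting a connection to 127.0.0.1:22 even though the check only ever saw 93.184.216.34:443, while the snapshot variant connects to the address it actually approved and still denies a loopback destination that is requested openly. The lesson carries over to any seccomp-notify style supervisor: a decision is only as good as the copy of the argument it was made on, so the action must be performed on that same copy rather than on whatever the target's memory holds afterwards.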