diff --git a/go.mod b/go.mod
index 4b46a66a4c..e5e58071fb 100644
--- a/go.mod
+++ b/go.mod
@@ -13,9 +13,9 @@ require (
 github.com/containernetworking/cni v1.1.2
 github.com/containernetworking/plugins v1.3.0
 github.com/containers/buildah v1.30.1-0.20230504052500-e925b5852e07
- github.com/containers/common v0.53.1-0.20230613173441-e1ea4d9a74e5
+ github.com/containers/common v0.53.1-0.20230615101243-20def0054c6e
 github.com/containers/conmon v2.0.20+incompatible
- github.com/containers/image/v5 v5.25.1-0.20230613062531-9e44c062ca20
+ github.com/containers/image/v5 v5.25.1-0.20230613183705-07ced6137083
 github.com/containers/libhvee v0.0.5
 github.com/containers/ocicrypt v1.1.7
 github.com/containers/psgo v1.8.0
@@ -62,8 +62,8 @@ require (
 github.com/vbauerster/mpb/v8 v8.4.0
 github.com/vishvananda/netlink v1.2.1-beta.2
 go.etcd.io/bbolt v1.3.7
- golang.org/x/net v0.10.0
- golang.org/x/sync v0.2.0
+ golang.org/x/net v0.11.0
+ golang.org/x/sync v0.3.0
 golang.org/x/sys v0.9.0
 golang.org/x/term v0.9.0
 golang.org/x/text v0.10.0
@@ -154,7 +154,7 @@ require (
 github.com/sigstore/sigstore v1.6.5 // indirect
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
- github.com/sylabs/sif/v2 v2.11.4 // indirect
+ github.com/sylabs/sif/v2 v2.11.5 // indirect
 github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 github.com/theupdateframework/go-tuf v0.5.2 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
@@ -168,7 +168,7 @@ require (
 golang.org/x/crypto v0.10.0 // indirect
 golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect
 golang.org/x/mod v0.10.0 // indirect
- golang.org/x/oauth2 v0.8.0 // indirect
+ golang.org/x/oauth2 v0.9.0 // indirect
 golang.org/x/tools v0.9.3 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
diff --git a/go.sum b/go.sum
index 89b960197d..d0f406910e 100644
--- a/go.sum
+++ b/go.sum
@@ -239,12 +239,12 @@ github.com/containernetworking/plugins v1.3.0 h1:QVNXMT6XloyMUoO2wUOqWTC1hWFV62Q
 github.com/containernetworking/plugins v1.3.0/go.mod h1:Pc2wcedTQQCVuROOOaLBPPxrEXqqXBFt3cZ+/yVg6l0=
 github.com/containers/buildah v1.30.1-0.20230504052500-e925b5852e07 h1:Bs2sNFh/fSYr4J6JJLFqzyn3dp6HhlA6ewFwRYUpeIE=
 github.com/containers/buildah v1.30.1-0.20230504052500-e925b5852e07/go.mod h1:6A/BK0YJLXL8+AqlbceKJrhUT+NtEgsvAc51F7TAllc=
-github.com/containers/common v0.53.1-0.20230613173441-e1ea4d9a74e5 h1:Lc5zOwO6+G/OItXPt4sF1DnE/UAGygiDuVKWW5bqplw=
-github.com/containers/common v0.53.1-0.20230613173441-e1ea4d9a74e5/go.mod h1:F+dtzPF95PXAvc6Rxat7h3PVdBTvifOeBS+tQE/fiNw=
+github.com/containers/common v0.53.1-0.20230615101243-20def0054c6e h1:KO4jk60ESF03gF5apYdLCHeKUvN8YPmWGGMnuQUSmes=
+github.com/containers/common v0.53.1-0.20230615101243-20def0054c6e/go.mod h1:uR5H5gSA7xkoUBmYTR0VFko1FP996JV1VKeZksYz+Qc=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
-github.com/containers/image/v5 v5.25.1-0.20230613062531-9e44c062ca20 h1:Oe+oEssTGb8bRtBbPHInujDIiUOIdPn6vcxOoVo7AV8=
-github.com/containers/image/v5 v5.25.1-0.20230613062531-9e44c062ca20/go.mod h1:oyytyLzwdS0YyBBMHqgQQeWpJhAG7zseE25n+hIJ6Vo=
+github.com/containers/image/v5 v5.25.1-0.20230613183705-07ced6137083 h1:6Pbnll97ls6G0U3DSxaTqp7Sd8Fykc4gd7BUJm7Bpn8=
+github.com/containers/image/v5 v5.25.1-0.20230613183705-07ced6137083/go.mod h1:yRLIs3vw20kCSt3ZvRyX3cp4EIYjNUW6RX9uq2cZ8J8=
 github.com/containers/libhvee v0.0.5 h1:5tUiF2eVe8XbVSPD/Os4dIU1gJWoQgtkQHIjQ5X7wpE=
 github.com/containers/libhvee v0.0.5/go.mod h1:AYsyMe44w9ylWWEZNW+IOzA7oZ2i/P9TChNljavhYMI=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
@@ -940,8 +940,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/sylabs/sif/v2 v2.11.4 h1:4dRvsRFVkyS7e8oD8AEL0HrJocnet05+EFW+DhVb/Ic=
-github.com/sylabs/sif/v2 v2.11.4/go.mod h1:83kqbKZFRFfFLe1ui5BH+rAxF2obICM/i3zto4ivM7s=
+github.com/sylabs/sif/v2 v2.11.5 h1:7ssPH3epSonsTrzbS1YxeJ9KuqAN7ISlSM61a7j/mQM=
+github.com/sylabs/sif/v2 v2.11.5/go.mod h1:GBoZs9LU3e4yJH1dcZ3Akf/jsqYgy5SeguJQC+zd75Y=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
@@ -1143,15 +1143,15 @@ golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU=
+golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
-golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
+golang.org/x/oauth2 v0.9.0 h1:BPpt2kU7oMRq3kCHAA1tbSEshXRw1LpG2ztgDwrzuAs=
+golang.org/x/oauth2 v0.9.0/go.mod h1:qYgFZaFiu6Wg24azG8bdV52QJXJGbZzIIsRCdVKzbLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1164,8 +1164,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI= -golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= +golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= diff --git a/libpod/info_linux.go b/libpod/info_linux.go index 25104fc43e..37a16b0d94 100644 --- a/libpod/info_linux.go +++ b/libpod/info_linux.go @@ -8,6 +8,7 @@ import ( "strconv" "strings" + "github.com/containers/common/libnetwork/pasta" "github.com/containers/common/pkg/apparmor" "github.com/containers/common/pkg/cgroups" "github.com/containers/common/pkg/seccomp" @@ -72,7 +73,7 @@ func (r *Runtime) setPlatformHostInfo(info *define.HostInfo) error { info.Slirp4NetNS = program } - pastaPath, _ := r.config.FindHelperBinary(pastaBinaryName, true) + pastaPath, _ := r.config.FindHelperBinary(pasta.BinaryName, true) if pastaPath != "" { version, err := util.ProgramVersion(pastaPath) if err != nil { diff --git a/libpod/networking_pasta_linux.go b/libpod/networking_pasta_linux.go index dcc924454f..288335ce94 100644 --- a/libpod/networking_pasta_linux.go +++ b/libpod/networking_pasta_linux.go 
@@ -7,105 +7,13 @@ package libpod -import ( - "fmt" - "os/exec" - "strings" - - "github.com/sirupsen/logrus" -) - -const ( - pastaBinaryName = "passt" -) +import "github.com/containers/common/libnetwork/pasta" func (r *Runtime) setupPasta(ctr *Container, netns string) error { - var NoTCPInitPorts = true - var NoUDPInitPorts = true - var NoTCPNamespacePorts = true - var NoUDPNamespacePorts = true - var NoMapGW = true - - path, err := r.config.FindHelperBinary("pasta", true) - if err != nil { - return fmt.Errorf("could not find pasta, the network namespace can't be configured: %w", err) - } - - cmdArgs := []string{} - cmdArgs = append(cmdArgs, "--config-net") - - for _, i := range ctr.convertPortMappings() { - protocols := strings.Split(i.Protocol, ",") - for _, protocol := range protocols { - var addr string - - if i.HostIP != "" { - addr = fmt.Sprintf("%s/", i.HostIP) - } - - switch protocol { - case "tcp": - cmdArgs = append(cmdArgs, "-t") - case "udp": - cmdArgs = append(cmdArgs, "-u") - default: - return fmt.Errorf("can't forward protocol: %s", protocol) - } - - arg := fmt.Sprintf("%s%d-%d:%d-%d", addr, - i.HostPort, - i.HostPort+i.Range-1, - i.ContainerPort, - i.ContainerPort+i.Range-1) - cmdArgs = append(cmdArgs, arg) - } - } - - cmdArgs = append(cmdArgs, ctr.config.NetworkOptions["pasta"]...) - - for i, opt := range cmdArgs { - switch opt { - case "-t", "--tcp-ports": - NoTCPInitPorts = false - case "-u", "--udp-ports": - NoUDPInitPorts = false - case "-T", "--tcp-ns": - NoTCPNamespacePorts = false - case "-U", "--udp-ns": - NoUDPNamespacePorts = false - case "--map-gw": - NoMapGW = false - // not an actual pasta(1) option - cmdArgs = append(cmdArgs[:i], cmdArgs[i+1:]...) 
- } - } - - if NoTCPInitPorts { - cmdArgs = append(cmdArgs, "-t", "none") - } - if NoUDPInitPorts { - cmdArgs = append(cmdArgs, "-u", "none") - } - if NoTCPNamespacePorts { - cmdArgs = append(cmdArgs, "-T", "none") - } - if NoUDPNamespacePorts { - cmdArgs = append(cmdArgs, "-U", "none") - } - if NoMapGW { - cmdArgs = append(cmdArgs, "--no-map-gw") - } - - cmdArgs = append(cmdArgs, "--netns", netns) - - logrus.Debugf("pasta arguments: %s", strings.Join(cmdArgs, " ")) - - // pasta forks once ready, and quits once we delete the target namespace - _, err = exec.Command(path, cmdArgs...).Output() - if err != nil { - return fmt.Errorf("failed to start pasta:\n%s", - err.(*exec.ExitError).Stderr) - } - - return nil + return pasta.Setup(&pasta.SetupOptions{ + Config: r.config, + Netns: netns, + Ports: ctr.convertPortMappings(), + ExtraOptions: ctr.config.NetworkOptions[pasta.BinaryName], + }) } diff --git a/test/system/505-networking-pasta.bats b/test/system/505-networking-pasta.bats index a5cdcd8444..d5b1890641 100644 --- a/test/system/505-networking-pasta.bats +++ b/test/system/505-networking-pasta.bats 
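Review bot: Delegating `setupPasta` to `pasta.Setup` carries over the option-scanning loop unchanged, and that loop deletes `--map-gw` from `cmdArgs` while ranging over it, so the argument that directly follows `--map-gw` is never inspected; a user-supplied `-T` or `-U` in that position would still get `-T none` / `-U none` appended after it. The loop now lives in the `package pasta` file added later in this diff (presumably the vendored containers/common copy), so the fix belongs upstream: iterate by index with `for i := 0; i < len(cmdArgs); i++ {`, switch on `cmdArgs[i]`, and add `i--` after the removal. Separately, `ctr.config.NetworkOptions[pasta.BinaryName]` ties the network-options map key to the helper's executable name; the removed `pastaBinaryName = "passt"` shows the two have differed before, so a dedicated constant for the key would be safer. A system test that passes `--map-gw` immediately followed by another option would pin the first point.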
@@ -689,3 +689,21 @@ function teardown() { run_podman 126 run --net=pasta -p "${port}:${port}/sctp" $IMAGE true is "$output" "Error: .*can't forward protocol: sctp" } + +@test "podman networking with pasta(1) - Use options from containers.conf" { + skip_if_remote "containers.conf must be set for the server" + + containersconf=$PODMAN_TMPDIR/containers.conf + mac="9a:dd:31:ea:92:98" + cat >$containersconf < + +// This file has been imported from the podman repository +// (libpod/networking_pasta_linux.go), for the full history see there. + +package pasta + +import ( + "errors" + "fmt" + "os/exec" + "strings" + + "github.com/containers/common/libnetwork/types" + "github.com/containers/common/pkg/config" + "github.com/sirupsen/logrus" +) + +const ( + BinaryName = "pasta" +) + +type SetupOptions struct { + // Config used to get pasta options and binary path via HelperBinariesDir + Config *config.Config + // Netns is the path to the container Netns + Netns string + // Ports that should be forwarded in the container + Ports []types.PortMapping + // ExtraOptions are pasta(1) cli options, these will be appended after the + // pasta options from containers.conf to allow some form of overwrite. + ExtraOptions []string +} + +// Setup start the pasta process for the given netns. +// The pasta binary is looked up in the HelperBinariesDir and $PATH. +// Note that there is no need any special cleanup logic, the pasta process will +// automatically exit when the netns path is deleted. 
+func Setup(opts *SetupOptions) error { + NoTCPInitPorts := true + NoUDPInitPorts := true + NoTCPNamespacePorts := true + NoUDPNamespacePorts := true + NoMapGW := true + + path, err := opts.Config.FindHelperBinary(BinaryName, true) + if err != nil { + return fmt.Errorf("could not find pasta, the network namespace can't be configured: %w", err) + } + + cmdArgs := []string{} + cmdArgs = append(cmdArgs, "--config-net") + + for _, i := range opts.Ports { + protocols := strings.Split(i.Protocol, ",") + for _, protocol := range protocols { + var addr string + + if i.HostIP != "" { + addr = fmt.Sprintf("%s/", i.HostIP) + } + + switch protocol { + case "tcp": + cmdArgs = append(cmdArgs, "-t") + case "udp": + cmdArgs = append(cmdArgs, "-u") + default: + return fmt.Errorf("can't forward protocol: %s", protocol) + } + + arg := fmt.Sprintf("%s%d-%d:%d-%d", addr, + i.HostPort, + i.HostPort+i.Range-1, + i.ContainerPort, + i.ContainerPort+i.Range-1) + cmdArgs = append(cmdArgs, arg) + } + } + + // first append options set in the config + cmdArgs = append(cmdArgs, opts.Config.Network.PastaOptions...) + // then append the ones that were set on the cli + cmdArgs = append(cmdArgs, opts.ExtraOptions...) + + for i, opt := range cmdArgs { + switch opt { + case "-t", "--tcp-ports": + NoTCPInitPorts = false + case "-u", "--udp-ports": + NoUDPInitPorts = false + case "-T", "--tcp-ns": + NoTCPNamespacePorts = false + case "-U", "--udp-ns": + NoUDPNamespacePorts = false + case "--map-gw": + NoMapGW = false + // not an actual pasta(1) option + cmdArgs = append(cmdArgs[:i], cmdArgs[i+1:]...) 
+ } + } + + if NoTCPInitPorts { + cmdArgs = append(cmdArgs, "-t", "none") + } + if NoUDPInitPorts { + cmdArgs = append(cmdArgs, "-u", "none") + } + if NoTCPNamespacePorts { + cmdArgs = append(cmdArgs, "-T", "none") + } + if NoUDPNamespacePorts { + cmdArgs = append(cmdArgs, "-U", "none") + } + if NoMapGW { + cmdArgs = append(cmdArgs, "--no-map-gw") + } + + cmdArgs = append(cmdArgs, "--netns", opts.Netns) + + logrus.Debugf("pasta arguments: %s", strings.Join(cmdArgs, " ")) + + // pasta forks once ready, and quits once we delete the target namespace + _, err = exec.Command(path, cmdArgs...).Output() + if err != nil { + exitErr := &exec.ExitError{} + if errors.As(err, &exitErr) { + return fmt.Errorf("pasta failed with exit code %d:\n%s", + exitErr.ExitCode(), exitErr.Stderr) + } + return fmt.Errorf("failed to start pasta: %w", err) + } + + return nil +} diff --git a/vendor/github.com/containers/common/libnetwork/util/ip.go b/vendor/github.com/containers/common/libnetwork/util/ip.go index 7c315e3129..1e426926e3 100644 --- a/vendor/github.com/containers/common/libnetwork/util/ip.go +++ b/vendor/github.com/containers/common/libnetwork/util/ip.go @@ -54,3 +54,25 @@ func NormalizeIP(ip *net.IP) { *ip = ipv4 } } + +// GetLocalIP returns the first non loopback local IPv4 of the host. +// If no ipv4 address is found it may return an ipv6 address. +// When no ip is found and empty string is returned. +func GetLocalIP() string { + addrs, err := net.InterfaceAddrs() + if err != nil { + return "" + } + ip := "" + for _, address := range addrs { + // check the address type and if it is not a loopback the display it + if ipnet, ok := address.(*net.IPNet); ok && ipnet.IP.IsGlobalUnicast() { + if IsIPv4(ipnet.IP) { + return ipnet.IP.String() + } + // if ipv6 we keep looking for an ipv4 address + ip = ipnet.IP.String() + } + } + return ip +} diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go index cd057f3982..033b6e6db6 100644 
--- a/vendor/golang.org/x/net/http2/server.go +++ b/vendor/golang.org/x/net/http2/server.go @@ -441,7 +441,7 @@ func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) { if s.NewWriteScheduler != nil { sc.writeSched = s.NewWriteScheduler() } else { - sc.writeSched = NewPriorityWriteScheduler(nil) + sc.writeSched = newRoundRobinWriteScheduler() } // These start at the RFC-specified defaults. If there is a higher @@ -2429,7 +2429,7 @@ type requestBody struct { conn *serverConn closeOnce sync.Once // for use by Close only sawEOF bool // for use by Read only - pipe *pipe // non-nil if we have a HTTP entity message body + pipe *pipe // non-nil if we have an HTTP entity message body needsContinue bool // need to send a 100-continue } @@ -2569,7 +2569,8 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) { clen = "" } } - if clen == "" && rws.handlerDone && bodyAllowedForStatus(rws.status) && (len(p) > 0 || !isHeadResp) { + _, hasContentLength := rws.snapHeader["Content-Length"] + if !hasContentLength && clen == "" && rws.handlerDone && bodyAllowedForStatus(rws.status) && (len(p) > 0 || !isHeadResp) { clen = strconv.Itoa(len(p)) } _, hasContentType := rws.snapHeader["Content-Type"] @@ -2774,7 +2775,7 @@ func (w *responseWriter) FlushError() error { err = rws.bw.Flush() } else { // The bufio.Writer won't call chunkWriter.Write - // (writeChunk with zero bytes, so we have to do it + // (writeChunk with zero bytes), so we have to do it // ourselves to force the HTTP response header and/or // final DATA frame (with END_STREAM) to be sent. _, err = chunkWriter{rws}.Write(nil) diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go index ac90a2631c..4f08ccba9a 100644 --- a/vendor/golang.org/x/net/http2/transport.go +++ b/vendor/golang.org/x/net/http2/transport.go 
@@ -1268,8 +1268,8 @@ func (cc *ClientConn) RoundTrip(req *http.Request) (*http.Response, error) { cancelRequest := func(cs *clientStream, err error) error { cs.cc.mu.Lock() - defer cs.cc.mu.Unlock() cs.abortStreamLocked(err) + bodyClosed := cs.reqBodyClosed if cs.ID != 0 { // This request may have failed because of a problem with the connection, // or for some unrelated reason. (For example, the user might have canceled @@ -1284,6 +1284,23 @@ func (cc *ClientConn) RoundTrip(req *http.Request) (*http.Response, error) { // will not help. cs.cc.doNotReuse = true } + cs.cc.mu.Unlock() + // Wait for the request body to be closed. + // + // If nothing closed the body before now, abortStreamLocked + // will have started a goroutine to close it. + // + // Closing the body before returning avoids a race condition + // with net/http checking its readTrackingBody to see if the + // body was read from or closed. See golang/go#60041. + // + // The body is closed in a separate goroutine without the + // connection mutex held, but dropping the mutex before waiting + // will keep us from holding it indefinitely if the body + // close is slow for some reason. + if bodyClosed != nil { + <-bodyClosed + } return err } @@ -1899,7 +1916,7 @@ func (cc *ClientConn) encodeHeaders(req *http.Request, addGzipHeader bool, trail // 8.1.2.3 Request Pseudo-Header Fields // The :path pseudo-header field includes the path and query parts of the // target URI (the path-absolute production and optionally a '?' character - // followed by the query production (see Sections 3.3 and 3.4 of + // followed by the query production, see Sections 3.3 and 3.4 of // [RFC3986]). f(":authority", host) m := req.Method diff --git a/vendor/golang.org/x/net/http2/writesched.go b/vendor/golang.org/x/net/http2/writesched.go index c7cd001739..cc893adc29 100644 --- a/vendor/golang.org/x/net/http2/writesched.go +++ b/vendor/golang.org/x/net/http2/writesched.go 
@@ -184,7 +184,8 @@ func (wr *FrameWriteRequest) replyToWriter(err error) { // writeQueue is used by implementations of WriteScheduler. type writeQueue struct { - s []FrameWriteRequest + s []FrameWriteRequest + prev, next *writeQueue } func (q *writeQueue) empty() bool { return len(q.s) == 0 } diff --git a/vendor/golang.org/x/net/http2/writesched_roundrobin.go b/vendor/golang.org/x/net/http2/writesched_roundrobin.go new file mode 100644 index 0000000000..54fe86322d --- /dev/null +++ b/vendor/golang.org/x/net/http2/writesched_roundrobin.go 
@@ -0,0 +1,119 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package http2 + +import ( + "fmt" + "math" +) + +type roundRobinWriteScheduler struct { + // control contains control frames (SETTINGS, PING, etc.). + control writeQueue + + // streams maps stream ID to a queue. + streams map[uint32]*writeQueue + + // stream queues are stored in a circular linked list. + // head is the next stream to write, or nil if there are no streams open. + head *writeQueue + + // pool of empty queues for reuse. + queuePool writeQueuePool +} + +// newRoundRobinWriteScheduler constructs a new write scheduler. +// The round robin scheduler priorizes control frames +// like SETTINGS and PING over DATA frames. +// When there are no control frames to send, it performs a round-robin +// selection from the ready streams. +func newRoundRobinWriteScheduler() WriteScheduler { + ws := &roundRobinWriteScheduler{ + streams: make(map[uint32]*writeQueue), + } + return ws +} + +func (ws *roundRobinWriteScheduler) OpenStream(streamID uint32, options OpenStreamOptions) { + if ws.streams[streamID] != nil { + panic(fmt.Errorf("stream %d already opened", streamID)) + } + q := ws.queuePool.get() + ws.streams[streamID] = q + if ws.head == nil { + ws.head = q + q.next = q + q.prev = q + } else { + // Queues are stored in a ring. + // Insert the new stream before ws.head, putting it at the end of the list. + q.prev = ws.head.prev + q.next = ws.head + q.prev.next = q + q.next.prev = q + } +} + +func (ws *roundRobinWriteScheduler) CloseStream(streamID uint32) { + q := ws.streams[streamID] + if q == nil { + return + } + if q.next == q { + // This was the only open stream. 
+ ws.head = nil + } else { + q.prev.next = q.next + q.next.prev = q.prev + if ws.head == q { + ws.head = q.next + } + } + delete(ws.streams, streamID) + ws.queuePool.put(q) +} + +func (ws *roundRobinWriteScheduler) AdjustStream(streamID uint32, priority PriorityParam) {} + +func (ws *roundRobinWriteScheduler) Push(wr FrameWriteRequest) { + if wr.isControl() { + ws.control.push(wr) + return + } + q := ws.streams[wr.StreamID()] + if q == nil { + // This is a closed stream. + // wr should not be a HEADERS or DATA frame. + // We push the request onto the control queue. + if wr.DataSize() > 0 { + panic("add DATA on non-open stream") + } + ws.control.push(wr) + return + } + q.push(wr) +} + +func (ws *roundRobinWriteScheduler) Pop() (FrameWriteRequest, bool) { + // Control and RST_STREAM frames first. + if !ws.control.empty() { + return ws.control.shift(), true + } + if ws.head == nil { + return FrameWriteRequest{}, false + } + q := ws.head + for { + if wr, ok := q.consume(math.MaxInt32); ok { + ws.head = q.next + return wr, true + } + q = q.next + if q == ws.head { + break + } + } + return FrameWriteRequest{}, false +} diff --git a/vendor/golang.org/x/sync/errgroup/errgroup.go b/vendor/golang.org/x/sync/errgroup/errgroup.go index cbee7a4e23..b18efb743f 100644 --- a/vendor/golang.org/x/sync/errgroup/errgroup.go +++ b/vendor/golang.org/x/sync/errgroup/errgroup.go @@ -20,7 +20,7 @@ type token struct{} // A zero Group is valid, has no limit on the number of active goroutines, // and does not cancel on error. type Group struct { - cancel func() + cancel func(error) wg sync.WaitGroup @@ -43,7 +43,7 @@ func (g *Group) done() { // returns a non-nil error or the first time Wait returns, whichever occurs // first. func WithContext(ctx context.Context) (*Group, context.Context) { - ctx, cancel := context.WithCancel(ctx) + ctx, cancel := withCancelCause(ctx) return &Group{cancel: cancel}, ctx } 
@@ -52,7 +52,7 @@ func WithContext(ctx context.Context) (*Group, context.Context) { func (g *Group) Wait() error { g.wg.Wait() if g.cancel != nil { - g.cancel() + g.cancel(g.err) } return g.err } @@ -76,7 +76,7 @@ func (g *Group) Go(f func() error) { g.errOnce.Do(func() { g.err = err if g.cancel != nil { - g.cancel() + g.cancel(g.err) } }) } @@ -105,7 +105,7 @@ func (g *Group) TryGo(f func() error) bool { g.errOnce.Do(func() { g.err = err if g.cancel != nil { - g.cancel() + g.cancel(g.err) } }) } diff --git a/vendor/golang.org/x/sync/errgroup/go120.go b/vendor/golang.org/x/sync/errgroup/go120.go new file mode 100644 index 0000000000..7d419d3760 --- /dev/null +++ b/vendor/golang.org/x/sync/errgroup/go120.go @@ -0,0 +1,14 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build go1.20 +// +build go1.20 + +package errgroup + +import "context" + +func withCancelCause(parent context.Context) (context.Context, func(error)) { + return context.WithCancelCause(parent) +} diff --git a/vendor/golang.org/x/sync/errgroup/pre_go120.go b/vendor/golang.org/x/sync/errgroup/pre_go120.go new file mode 100644 index 0000000000..1795c18ace --- /dev/null +++ b/vendor/golang.org/x/sync/errgroup/pre_go120.go @@ -0,0 +1,15 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build !go1.20 +// +build !go1.20 + +package errgroup + +import "context" + +func withCancelCause(parent context.Context) (context.Context, func(error)) { + ctx, cancel := context.WithCancel(parent) + return ctx, func(error) { cancel() } +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 4266528787..a64e2e8cef 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -125,7 +125,7 @@ github.com/containers/buildah/pkg/rusage
 github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/util
-# github.com/containers/common v0.53.1-0.20230613173441-e1ea4d9a74e5
+# github.com/containers/common v0.53.1-0.20230615101243-20def0054c6e
 ## explicit; go 1.18
 github.com/containers/common/libimage
 github.com/containers/common/libimage/define
@@ -135,6 +135,7 @@ github.com/containers/common/libnetwork/etchosts
 github.com/containers/common/libnetwork/internal/util
 github.com/containers/common/libnetwork/netavark
 github.com/containers/common/libnetwork/network
+github.com/containers/common/libnetwork/pasta
 github.com/containers/common/libnetwork/resolvconf
 github.com/containers/common/libnetwork/types
 github.com/containers/common/libnetwork/util
@@ -179,7 +180,7 @@ github.com/containers/common/version
 # github.com/containers/conmon v2.0.20+incompatible
 ## explicit
 github.com/containers/conmon/runner/config
-# github.com/containers/image/v5 v5.25.1-0.20230613062531-9e44c062ca20
+# github.com/containers/image/v5 v5.25.1-0.20230613183705-07ced6137083
 ## explicit; go 1.18
 github.com/containers/image/v5/copy
 github.com/containers/image/v5/directory
@@ -840,7 +841,7 @@ github.com/stefanberger/go-pkcs11uri
 ## explicit; go 1.20
 github.com/stretchr/testify/assert
 github.com/stretchr/testify/require
-# github.com/sylabs/sif/v2 v2.11.4
+# github.com/sylabs/sif/v2 v2.11.5
 ## explicit; go 1.19
 github.com/sylabs/sif/v2/pkg/sif
 # github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
@@ -952,7 +953,7 @@ golang.org/x/exp/slices
 ## explicit; go 1.17
 golang.org/x/mod/semver
 golang.org/x/mod/sumdb/note
-# golang.org/x/net v0.10.0
+# golang.org/x/net v0.11.0
 ## explicit; go 1.17
 golang.org/x/net/context
 golang.org/x/net/html
@@ -966,12 +967,12 @@ golang.org/x/net/internal/socks
 golang.org/x/net/internal/timeseries
 golang.org/x/net/proxy
 golang.org/x/net/trace
-# golang.org/x/oauth2 v0.8.0
+# golang.org/x/oauth2 v0.9.0
 ## explicit; go 1.17
 golang.org/x/oauth2
 golang.org/x/oauth2/internal
-# golang.org/x/sync v0.2.0
-## explicit
+# golang.org/x/sync v0.3.0
+## explicit; go 1.17
 golang.org/x/sync/errgroup
 golang.org/x/sync/semaphore
 # golang.org/x/sys v0.9.0