I really like rootless podman, but there is one quirk in that if you want to preserve the original source IP address (e.g. for web server logs), you have to use a workaround which has a performance penalty.
That workaround is not needed if the web server container supports socket activation. Due to the fork-exec architecture of Podman, the socket-activated socket is inherited by the container process. Network traffic sent over this socket-activated socket has native performance.
https://github.com/containers/podman/blob/main/docs/tutorial...
https://github.com/containers/podman/issues/10884
https://github.com/containers/podman/pull/9052
https://github.com/containers/podman/pull/11177
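To make concrete what "the container supports socket activation" means, here is an added example (not from the post or from the Podman project) of a minimal web server that performs the sd_listen_fds(3) handshake, adopts the listening socket that systemd created on the host and `podman run` passed into the container, and logs the unaltered client IP; the systemd `.socket`/`.service` pair that hands the socket over is assumed to follow the tutorial linked above, and the fd-protocol check is written as a pure function so it can be exercised without systemd.

```python
"""Minimal socket-activated HTTP server (added example, not from the post)."""
import os
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

SD_LISTEN_FDS_START = 3  # per sd_listen_fds(3), inherited fds begin at fd 3


def inherited_listen_fds(environ, pid):
    """Return the fds handed over by socket activation, or [] if none.

    LISTEN_PID must name the process that inherits the fds (Podman adjusts it
    for the container's init process) and LISTEN_FDS gives how many there are.
    """
    if environ.get("LISTEN_PID") != str(pid):
        return []
    try:
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    if count < 1:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


class PeerLoggingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # client_address is the real source IP: the socket was bound by systemd
        # on the host, so no user-mode NAT (slirp4netns/pasta) rewrote it.
        body = f"hello from {self.client_address[0]}\n".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class ActivatedHTTPServer(HTTPServer):
    """HTTPServer that adopts an already-listening socket instead of binding."""

    def __init__(self, fd, handler):
        super().__init__(("", 0), handler, bind_and_activate=False)
        self.socket.close()  # drop the unbound socket TCPServer created
        self.socket = socket.socket(fileno=fd)  # family/type detected from fd
        self.server_address = self.socket.getsockname()
        self.server_name, self.server_port = self.server_address[:2]


if __name__ == "__main__":
    fds = inherited_listen_fds(os.environ, os.getpid())
    if fds:  # started by systemd/podman with the socket already open
        ActivatedHTTPServer(fds[0], PeerLoggingHandler).serve_forever()
    else:  # stand-alone fallback (e.g. `python3 server.py` for a local test)
        HTTPServer(("0.0.0.0", 8080), PeerLoggingHandler).serve_forever()
```

When started outside systemd the server binds port 8080 itself; under a `.socket` unit it never binds at all, which is exactly why no port-forwarding workaround is needed.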