Different results between rootful and rootless containers with --internal network

[xelarro]

So if I run the example below (rootless):

podman network create --internal int_net
podman run -dt --name nginx_internal -p 8080:80 --network int_net docker.io/nginx
curl 127.0.0.1:8080

I get the default nginx html page from curl, so the published port works. But if I do the above but as root, the curl command doesn't show any result and just hangs until I manually stop it.
When doing it as root, if I check the command:

iptables -nvL -t nat

I can see that there isn't any rule for the port that was published but yet I can see via ss -lt that there is something listening in the port 8080.
Also (in the rootful example) if I try to curl the container internal ip curl 10.89.0.2:80 I get the expected nginx default html.

I'm confused about what is the expected result, being able to publish ports from a container in a network created with the --internal flag like it's possible in the rootless example, being able to do it but without actually working like expected in the rootful one or both since they use different network backends and they respond differently to the --internal network tag?

Thank you for your help.

[xelarro]

So if anyone have this issue in the future, the reason for the rootful example not working is because netavark doesn't create the firewall rules that are needed for the example to work, for networks that are created with the flag --internal by design.
But it's possible to create a network without the posibility to access a external network by creating the network without --internal and using the flag --opt no_default_route=1. This has a similar effect (at least for my understanding) and doesn't allow the container to access internet since there is no routes defined in it.
So now I can run:

podman network create -o=no_default_route=1 internal
podman run -dt --name nginx_internal --network internal -p 8090:80 docker.io/nginx
curl localhost:8090 | head -n 4
   <!DOCTYPE html>
   <html>
   <head>
   <title>Welcome to nginx!</title>
podman exec nginx_internal curl github.com
   curl: (7) Failed to connect to github.com port 80 after 73 ms: Couldn't connect to server

And get the result I get when running a container rootless. Note that the option no_default_route is only possible in versions of netavark >= 1.7.0

Edit: Actually even tho accessing the published port from localhost works, it doesn't work if you try to access it from the outside, so the problem is still not solved as with the rootless example, it is possible to access the container from the outside.