author: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-22 14:28:17 +0100
committer: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-22 14:28:17 +0100
commit: 18277fc1ec921dfcfa61c0b2f0b40fb62cfa070f (patch)
tree: 8e7e3110d9a65475b451951b8cc9e1f87651bc25 /etc/nftables.conf
parent: 15cd2316344b1c40fe2e5189a02a8a0ac626bbb0 (diff)
download: dotfiles-18277fc1ec921dfcfa61c0b2f0b40fb62cfa070f.tar.gz, dotfiles-18277fc1ec921dfcfa61c0b2f0b40fb62cfa070f.tar.bz2, dotfiles-18277fc1ec921dfcfa61c0b2f0b40fb62cfa070f.zip
fix(net): keep waydroid0 out of bond0, allow it through nftables
systemd-networkd's Type=ether matcher was enslaving waydroid0 into bond0 the moment 'waydroid session start' ran, taking down the host's default route. Mirror the libvirt/docker negation pattern. Also mirror the existing virbr0 forward accepts for waydroid0 so the Android container can actually reach the internet through MASQUERADE.
Diffstat (limited to 'etc/nftables.conf')
-rw-r--r--  etc/nftables.conf  6
1 files changed, 6 insertions, 0 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index f22150e..dd5e09c 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -38,5 +38,11 @@ table inet filter {
# load before libvirtd has created virbr0 at boot.
iifname "virbr0" accept comment "libvirt: guest egress"
oifname "virbr0" ct state established,related accept comment "libvirt: guest return"
+
+ # Waydroid's NAT bridge: same pattern as libvirt. Waydroid configures its
+ # own MASQUERADE in nat/POSTROUTING but does NOT add forward accepts, so
+ # without these the Android container has no outbound network.
+ iifname "waydroid0" accept comment "waydroid: guest egress"
+ oifname "waydroid0" ct state established,related accept comment "waydroid: guest return"
}
}
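Review bot: the new egress accept `iifname "waydroid0" accept` matches on ingress interface only, so forwarded traffic from the Android container is accepted toward every output interface, not just the host's uplink. That gives the container reachability to anything else the host forwards for, including the libvirt and docker bridges negated in the same commit, and the mirrored virbr0 rule above has the same property. If the intent is only "reach the internet through MASQUERADE" (per the commit message), consider pinning the destination interface, e.g. `iifname "waydroid0" oifname "bond0" accept comment "waydroid: guest egress"`, and leave the `ct state established,related` return rule as it is. Matching on `iifname` (string) rather than `iif` is the right choice here, since, as the comment at the top of the hunk notes, the bridge does not exist when the ruleset is loaded at boot.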