authorLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-22 14:28:18 +0100
committerLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-22 14:28:18 +0100
commit9e9781b7f5b70893acefd50817d8bfa233d7362a (patch)
treed7f2cb35255d47e8a9b2fc4c78bff8becebc4a88
parente224e1b84d7d0e88b1f2bf076d1cccc7ab42de1f (diff)
downloaddotfiles-9e9781b7f5b70893acefd50817d8bfa233d7362a.tar.gz
dotfiles-9e9781b7f5b70893acefd50817d8bfa233d7362a.tar.bz2
dotfiles-9e9781b7f5b70893acefd50817d8bfa233d7362a.zip
fix(nftables): add MASQUERADE for waydroid0
waydroid-container ships only the iptables-legacy code path for adding its POSTROUTING MASQUERADE; on a host with pure nftables the rule never lands and the Android container has no outbound NAT. Declare it explicitly in our nftables.conf for determinism.
-rw-r--r--etc/nftables.conf22
1 files changed, 19 insertions, 3 deletions
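diff --git a/etc/nftables.conf b/etc/nftables.conf
index dd5e09c..c1a37c5 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -39,10 +39,26 @@ table inet filter {
 iifname "virbr0" accept comment "libvirt: guest egress"
 oifname "virbr0" ct state established,related accept comment "libvirt: guest return"
-# Waydroid's NAT bridge: same pattern as libvirt. Waydroid configures its
-# own MASQUERADE in nat/POSTROUTING but does NOT add forward accepts, so
-# without these the Android container has no outbound network.
+# Waydroid's NAT bridge: same pattern as libvirt. Unlike libvirt, waydroid
+# does NOT install its own MASQUERADE rule reliably (it tries via the
+# legacy iptables binary which isn't present), so we both forward-accept
+# here AND install MASQUERADE in the ip nat table below.
 iifname "waydroid0" accept comment "waydroid: guest egress"
 oifname "waydroid0" ct state established,related accept comment "waydroid: guest return"
 }
 }
+
+# NAT for waydroid's Android container. The waydroid-container service is
+# supposed to add this via iptables but ships only the iptables-legacy code
+# path; on a pure nftables host (no iptables-nft compat shim active) the rule
+# never lands. Declaring it here is deterministic and survives reloads.
+destroy table ip nat
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
+
+ ip saddr 192.168.240.0/24 oifname != "waydroid0" masquerade \
+ comment "waydroid: MASQUERADE container egress"
+ }
+}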
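Review bot: The masquerade rule at the end of the hunk keys only on `ip saddr 192.168.240.0/24`, so any forwarded packet carrying a source in that range is source-NATed to the host address no matter which interface it arrived on, including a spoofed source entering via virbr0 or a physical NIC; nftables can match the ingress interface in postrouting for forwarded traffic, so `iifname "waydroid0" ip saddr 192.168.240.0/24 oifname != "waydroid0" masquerade \` ties the NAT to the container's own bridge. The same rule also rewrites container traffic bound for other local networks such as virbr0, so those hosts see the host address rather than the container's; if that is unintended, add an `ip daddr != <libvirt subnet>` exclusion, which is what libvirt's own generated NAT rule does for its subnet. Separately, `destroy table ip nat` drops the entire table on every reload, so any other tool that populates `ip nat` (an iptables-nft compat layer, a container runtime) would silently lose its NAT rules whenever this file is applied; the comment above the table should say so, e.g. `# This config claims exclusive ownership of table ip nat; other tools' rules there are wiped on reload.`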