fix(net): keep waydroid0 out of bond0, allow it through nftables

systemd-networkd's Type=ether matcher was enslaving waydroid0 into
bond0 the moment 'waydroid session start' ran, taking down the host's
default route. Mirror the libvirt/docker negation pattern.

Also mirror the existing virbr0 forward accepts for waydroid0 so the
Android container can actually reach the internet through MASQUERADE.

1 files changed, 4 insertions, 2 deletions

diff --git a/etc/systemd/network/30-ethernet-bond0.network b/etc/systemd/network/30-ethernet-bond0.network
index 5aab8bf..32d6d40 100644
--- a/etc/systemd/network/30-ethernet-bond0.network
+++ b/etc/systemd/network/30-ethernet-bond0.network
@@ -8,11 +8,13 @@
 #   tap*   — generic TAP interfaces
 #   veth*  — container/namespace veth pairs
 #   docker*, br-*, podman* — container engine bridges
+#   waydroid* — waydroid's Android container bridge (waydroid0)
 # Without these, e.g. libvirt VM taps get pulled into bond0 and lose their bridge,
-# breaking VM networking (DHCP, NAT).
+# breaking VM networking (DHCP, NAT). Waydroid is especially catastrophic:
+# enslaving waydroid0 into bond0 takes down the host's default route.
 [Match]
 Type=ether
-Name=!vnet* !virbr* !tap* !veth* !docker* !br-* !podman*
+Name=!vnet* !virbr* !tap* !veth* !docker* !br-* !podman* !waydroid*
 
 [Network]
 Bond=bond0