fix(networkd): exclude virtual taps/bridges from bond0 enslavement

Type=ether matches ALL L2 ethernet interfaces, including libvirt-created
vnet* tap devices. Without Name= negations, when a VM starts its tap is
pulled into bond0 instead of staying with virbr0, killing DHCP/NAT for
the guest (Windows ends up with a 169.254.x APIPA address).

Add Name= negations to skip libvirt taps/bridges, generic taps, and
common container engine virtual interfaces.

1 files changed, 10 insertions, 0 deletions

diff --git a/etc/systemd/network/30-ethernet-bond0.network b/etc/systemd/network/30-ethernet-bond0.network
index 39c4c7a..5aab8bf 100644
--- a/etc/systemd/network/30-ethernet-bond0.network
+++ b/etc/systemd/network/30-ethernet-bond0.network
@@ -1,8 +1,18 @@
 # NOTE: Type=ether matches ALL ethernet interfaces. Any future USB/Thunderbolt
 # ethernet dongle would be auto-enslaved into bond0. If that becomes a problem,
 # narrow the [Match] section to MACAddress= or a persistent Name= (e.g. enp*s0).
+#
+# Name= negations below exclude virtual interfaces that should NEVER be enslaved:
+#   vnet*  — libvirt tap devices (VM NICs)
+#   virbr* — libvirt bridges
+#   tap*   — generic TAP interfaces
+#   veth*  — container/namespace veth pairs
+#   docker*, br-*, podman* — container engine bridges
+# Without these, e.g. libvirt VM taps get pulled into bond0 and lose their bridge,
+# breaking VM networking (DHCP, NAT).
 [Match]
 Type=ether
+Name=!vnet* !virbr* !tap* !veth* !docker* !br-* !podman*
 
 [Network]
 Bond=bond0