| -rw-r--r-- | etc/nftables.conf | 28 |
1 files changed, 9 insertions, 19 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index c1a37c5..e4f68ed 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -22,6 +22,12 @@ table inet filter {
 iifname "virbr0" udp dport { 53, 67 } accept comment "libvirt: DHCP+DNS from guests"
 iifname "virbr0" tcp dport 53 accept comment "libvirt: DNS over TCP from guests"
+ # Waydroid's NAT bridge: same pattern as libvirt. The Android container's
+ # DhcpClient broadcasts DHCPDISCOVER on waydroid0; without this rule it's
+ # dropped before dnsmasq sees it and the container never gets an IP.
+ iifname "waydroid0" udp dport { 53, 67 } accept comment "waydroid: DHCP+DNS from container"
+ iifname "waydroid0" tcp dport 53 accept comment "waydroid: DNS over TCP from container"
+
 pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
 counter
 }
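Review bot: The two new waydroid0 accepts are copies of the virbr0 pair directly above them with only the interface name changed, so the DHCP/DNS port lists can drift apart independently; an anonymous interface set keeps them in lockstep, e.g. `iifname { "virbr0", "waydroid0" } udp dport { 53, 67 } accept comment "libvirt/waydroid: DHCP+DNS from guests"` and likewise for `tcp dport 53`. Keeping them separate is defensible if per-bridge comments and rule hits in `nft list ruleset` matter more, in which case a one-line comment saying so would stop the next reader from merging them. The hunk header counts six old context lines but only five are visible here, so one line (probably blank) seems to have been lost in this rendering rather than in the file. The enclosing chain opens outside the hunk.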
@@ -39,26 +45,10 @@ table inet filter {
 iifname "virbr0" accept comment "libvirt: guest egress"
 oifname "virbr0" ct state established,related accept comment "libvirt: guest return"
- # Waydroid's NAT bridge: same pattern as libvirt. Unlike libvirt, waydroid
- # does NOT install its own MASQUERADE rule reliably (it tries via the
- # legacy iptables binary which isn't present), so we both forward-accept
- # here AND install MASQUERADE in the ip nat table below.
+ # Waydroid's NAT bridge: same pattern as libvirt. Waydroid's container
+ # service installs MASQUERADE itself via iptables-nft compat, so no
+ # explicit nat table is needed here -- only the forward-chain accepts.
 iifname "waydroid0" accept comment "waydroid: guest egress"
 oifname "waydroid0" ct state established,related accept comment "waydroid: guest return"
 }
 }
-
-# NAT for waydroid's Android container. The waydroid-container service is
-# supposed to add this via iptables but ships only the iptables-legacy code
-# path; on a pure nftables host (no iptables-nft compat shim active) the rule
-# never lands. Declaring it here is deterministic and survives reloads.
-destroy table ip nat
-table ip nat {
- chain postrouting {
- type nat hook postrouting priority srcnat
- policy accept
-
- ip saddr 192.168.240.0/24 oifname != "waydroid0" masquerade \
- comment "waydroid: MASQUERADE container egress"
- }
-}
|
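Review bot: The new comment's claim that no nat table is needed only holds as long as nothing reloads this file with a `flush ruleset` at the top (not visible in this hunk): iptables-nft keeps the MASQUERADE rule it installs for waydroid in `table ip nat`, so a full flush would remove it, after which the forward-chain accepts kept here would likely let 192.168.240.0/24 traffic leave unmasqueraded and the return path would break silently. The deleted block had the mirror-image problem — its `destroy table ip nat` wiped the service's own rule on every reload — which is the actual reason the two approaches cannot coexist and is worth recording so nobody re-adds an `ip nat` table later. I'd extend the new comment with something like `# Do NOT declare table ip nat in this file: iptables-nft stores waydroid's MASQUERADE there and a destroy/flush on reload removes it; check with 'nft list table ip nat' after waydroid-container starts.` The forward chain and the table close inside this hunk but open outside it.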
