Diffstat (limited to 'etc')
-rw-r--r--etc/nftables.conf6
-rw-r--r--etc/systemd/network/30-ethernet-bond0.network6
2 files changed, 10 insertions, 2 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index f22150e..dd5e09c 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -38,5 +38,11 @@ table inet filter {
# load before libvirtd has created virbr0 at boot.
iifname "virbr0" accept comment "libvirt: guest egress"
oifname "virbr0" ct state established,related accept comment "libvirt: guest return"
+
+ # Waydroid's NAT bridge: same pattern as libvirt. Waydroid configures its
+ # own MASQUERADE in nat/POSTROUTING but does NOT add forward accepts, so
+ # without these the Android container has no outbound network.
+ iifname "waydroid0" accept comment "waydroid: guest egress"
+ oifname "waydroid0" ct state established,related accept comment "waydroid: guest return"
}
}
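Review bot: The added `iifname "waydroid0" accept` rule has no output-interface or destination match, so it forwards packets from the Android container to every segment the host routes to, not only to the uplink. That would appear to include the libvirt guests behind `virbr0` and the local LAN. If outbound internet access is all the container needs, pin the egress side, e.g. `iifname "waydroid0" oifname "bond0" accept comment "waydroid: guest egress"`. This assumes bond0 is the uplink, which the second file suggests but this hunk does not show. The enclosing chain starts outside the hunk, so I am taking it to be the forward chain on the strength of the comment.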
diff --git a/etc/systemd/network/30-ethernet-bond0.network b/etc/systemd/network/30-ethernet-bond0.network
index 5aab8bf..32d6d40 100644
--- a/etc/systemd/network/30-ethernet-bond0.network
+++ b/etc/systemd/network/30-ethernet-bond0.network
@@ -8,11 +8,13 @@
# tap* — generic TAP interfaces
# veth* — container/namespace veth pairs
# docker*, br-*, podman* — container engine bridges
+# waydroid* — waydroid's Android container bridge (waydroid0)
# Without these, e.g. libvirt VM taps get pulled into bond0 and lose their bridge,
-# breaking VM networking (DHCP, NAT).
+# breaking VM networking (DHCP, NAT). Waydroid is especially catastrophic:
+# enslaving waydroid0 into bond0 takes down the host's default route.
[Match]
Type=ether
-Name=!vnet* !virbr* !tap* !veth* !docker* !br-* !podman*
+Name=!vnet* !virbr* !tap* !veth* !docker* !br-* !podman* !waydroid*
[Network]
Bond=bond0
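Review bot: The `Name=` line remains a denylist of glob patterns, so the next virtual interface of `Type=ether` whose name is not listed will be enslaved into bond0 just as waydroid0 was. The comment added in this hunk says that failure mode can remove the host's default route. Matching the physical NICs positively would fail closed instead, for example `Path=pci-*` or an explicit `Name=` list of the bond members, in place of the negated globs. The right pattern depends on the actual hardware, which is not visible here. If the denylist is kept, a short comment stating that every new bridge or tunnel tool must be added to this line would help the next maintainer.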