From 18277fc1ec921dfcfa61c0b2f0b40fb62cfa070f Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Fri, 22 May 2026 14:28:17 +0100
Subject: fix(net): keep waydroid0 out of bond0, allow it through nftables

systemd-networkd's Type=ether matcher was enslaving waydroid0 into bond0 the moment 'waydroid session start' ran, taking down the host's default route. Mirror the libvirt/docker negation pattern. Also mirror the existing virbr0 forward accepts for waydroid0 so the Android container can actually reach the internet through MASQUERADE.
---
 etc/nftables.conf | 6 ++++++
 etc/systemd/network/30-ethernet-bond0.network | 6 ++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/etc/nftables.conf b/etc/nftables.conf
index f22150e..dd5e09c 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -38,5 +38,11 @@ table inet filter {
 # load before libvirtd has created virbr0 at boot.
 iifname "virbr0" accept comment "libvirt: guest egress"
 oifname "virbr0" ct state established,related accept comment "libvirt: guest return"
+
+ # Waydroid's NAT bridge: same pattern as libvirt. Waydroid configures its
+ own MASQUERADE in nat/POSTROUTING but does NOT add forward accepts, so
+ without these the Android container has no outbound network.
+ iifname "waydroid0" accept comment "waydroid: guest egress"
+ oifname "waydroid0" ct state established,related accept comment "waydroid: guest return"
 }
 }
diff --git a/etc/systemd/network/30-ethernet-bond0.network b/etc/systemd/network/30-ethernet-bond0.network
index 5aab8bf..32d6d40 100644
--- a/etc/systemd/network/30-ethernet-bond0.network
+++ b/etc/systemd/network/30-ethernet-bond0.network
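Review bot: `iifname "waydroid0" accept` forwards traffic from the Android container to every destination the host routes, not only the internet the commit message describes — that includes hosts behind bond0 on the LAN and the other bridges this commit's companion file excludes (virbr0, docker*, podman*). The existing virbr0 rule has the same breadth, so this keeps the file consistent rather than regressing it, but for an untrusted Android image it is worth narrowing the egress rule to the uplink, e.g. `iifname "waydroid0" oifname "bond0" accept comment "waydroid: guest egress"` (bond0 is the name used in the sibling .network file). Separately, as rendered here the second and third lines of the new comment (`own MASQUERADE …`, `without these …`) carry no leading `#`; if that is what was committed, nft rejects the whole ruleset at load, so confirm with `nft -c -f /etc/nftables.conf` — it may only be an artifact of how the patch was rendered. The chain enclosing these rules begins outside the hunk.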
@@ -8,11 +8,13 @@
 # tap* — generic TAP interfaces
 # veth* — container/namespace veth pairs
 # docker*, br-*, podman* — container engine bridges
+# waydroid* — waydroid's Android container bridge (waydroid0)
 # Without these, e.g. libvirt VM taps get pulled into bond0 and lose their bridge,
-# breaking VM networking (DHCP, NAT).
+# breaking VM networking (DHCP, NAT). Waydroid is especially catastrophic:
+# enslaving waydroid0 into bond0 takes down the host's default route.
 [Match]
 Type=ether
-Name=!vnet* !virbr* !tap* !veth* !docker* !br-* !podman*
+Name=!vnet* !virbr* !tap* !veth* !docker* !br-* !podman* !waydroid*
 
 [Network]
 Bond=bond0
-- 
cgit v1.3.1
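Review bot: `Name=!vnet* !virbr* !tap* !veth* !docker* !br-* !podman* !waydroid*` is a denylist, so the next tool that creates a virtual interface with a name not on it will again be enslaved into bond0 and take the default route down — the failure this commit is fixing for the third family of tools. Matching the physical ports positively is the more robust shape, e.g. a `Name=en*` glob or a `Driver=`/`Path=` match for the bonded NICs next to `Type=ether`, and, if the installed systemd provides it, a `Kind=` exclusion of virtual device kinds rather than of names; I have not checked this host's systemd version, so treat that as a suggestion to verify. If the denylist is kept deliberately, a one-line note under `# enslaving waydroid0 into bond0 takes down the host's default route.` saying why would save the next maintainer from re-deriving it.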