From 9e9781b7f5b70893acefd50817d8bfa233d7362a Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Fri, 22 May 2026 14:28:18 +0100
Subject: fix(nftables): add MASQUERADE for waydroid0

waydroid-container ships only the iptables-legacy code path for adding its POSTROUTING MASQUERADE; on a host with pure nftables the rule never lands and the Android container has no outbound NAT. Declare it explicitly in our nftables.conf for determinism.
---
 etc/nftables.conf | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/etc/nftables.conf b/etc/nftables.conf
index dd5e09c..c1a37c5 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -39,10 +39,26 @@ table inet filter {
 iifname "virbr0" accept comment "libvirt: guest egress"
 oifname "virbr0" ct state established,related accept comment "libvirt: guest return"
- # Waydroid's NAT bridge: same pattern as libvirt. Waydroid configures its
- # own MASQUERADE in nat/POSTROUTING but does NOT add forward accepts, so
- # without these the Android container has no outbound network.
+ # Waydroid's NAT bridge: same pattern as libvirt. Unlike libvirt, waydroid
+ # does NOT install its own MASQUERADE rule reliably (it tries via the
+ # legacy iptables binary which isn't present), so we both forward-accept
+ # here AND install MASQUERADE in the ip nat table below.
 iifname "waydroid0" accept comment "waydroid: guest egress"
 oifname "waydroid0" ct state established,related accept comment "waydroid: guest return"
 }
 }
+
+# NAT for waydroid's Android container. The waydroid-container service is
+# supposed to add this via iptables but ships only the iptables-legacy code
+# path; on a pure nftables host (no iptables-nft compat shim active) the rule
+# never lands. Declaring it here is deterministic and survives reloads.
+destroy table ip nat
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
+
+ ip saddr 192.168.240.0/24 oifname != "waydroid0" masquerade \
+ comment "waydroid: MASQUERADE container egress"
+ }
+}
--
cgit v1.3.1
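Review bot: `destroy table ip nat` followed by `table ip nat {` reuses the exact table name that iptables-nft keeps its nat rules in, so if anything on this host still drives NAT through iptables-nft — the hunk's own comment says libvirt installs its MASQUERADE itself — every `nft -f` reload of this file also wipes those rules; a private name such as `destroy table ip waydroid_nat` / `table ip waydroid_nat {` avoids the collision while keeping the reload idempotent. `destroy` is also a newer nft keyword than `delete`/`flush`, so the whole ruleset fails to load on an older nft or kernel; if that is a supported case, document the minimum version next to the rule. The masquerade keys only on `ip saddr 192.168.240.0/24`, presumably the waydroid0 bridge subnet; adding `iifname "waydroid0"` to the match binds the NAT to packets that actually arrived from the container rather than anything else carrying that source range, and a comment naming where the subnet comes from (e.g. `# 192.168.240.0/24 must match the waydroid0 bridge address — keep in sync with waydroid's network config`) would help the next reader. The `table inet filter` block edited by the first part of this hunk starts before the hunk.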