Android networking (except for DNS) does not work with nftables, but works with iptables

[benwaffle]

When running with the nftables networking, I saw in waydroid logcat that hosts were being resolved, but http/https connections were not connecting.

Switching LXC_USE_NFT to "false" in waydroid-net.sh fixed networking for me.

[xypd]

How are you changing this? Or is this before compiling? I can't get network access at all.

Would something like this work? waydroid prop set LXC_USE_NFT false

[benwaffle]

Not compiling, i installed it from the AUR and manually edited the waydroid-net.sh file wherever it was placed in /usr

[xypd]

Okay cool thanks. Will give it a shot.

[xypd]

Btw, found this on the postmarketOS wiki

Troubleshooting Networking

The container may not have access to the Internet out of the box. To access the network you need to allow access from and to the container via the firewall (otherwise DHCP will be blocked and the container will never get the IP) and configure a default gateway in the waydroid container (gateway IP is what your host device has on waydroid0 interface):

$ echo "ip route add default via 192.168.250.1" | sudo waydroid shell

Have not tried it yet, so not sure if this is PMOS specific

[benwaffle]

Inside the waydroid shell you csn run ip a to check if the container got an IP via dhcp

[xypd]

Sadly nothing is seeming to work. Will put it on pause till I have another block of time.

I probably need to work on my container knowledge, which would be helpful on this and another future project.

[trn1ty]

Also having this issue on PMOS edge.

[erfanoabdi]

22f671b
we disabled nft

[xypd]

I tried this manually changing this config, but still not working. Should I remove and reinstall everything, @erfanoabdi ?

And if so, what is the best way to uninstall? There are pieces all over the place.

[erfanoabdi]

not needed to uninstall
it should have worked with just a script change
i just disabled it as @benwaffle confirms it works without nft
i highly like to enable it again if it doesn’t change anything, because broke internet for other users

[SameExpert]

To make internet on WayDroid working with nftables, an nftables rule in /etc/nftables.d is needed to allow waydroid0 (virtual) network interface to access internet. This is for good in terms of security, as I believe. I highly recommend to use nftables and create an nftables rule:

#!/usr/sbin/nft -f
table inet filter {
    chain input {
        iifname "waydroid0" accept comment "Allow incoming network traffic from WayDroid"
    }
    chain forward {
        iifname "waydroid0" accept comment "Allow outgoing network traffic from WayDroid"
        ct state {established, related} counter accept comment "accept established connections"
    }
}

[pizdjuk]

I add the snippet above to /etc/nftables.conf, restarted nftables.service but nothing happened. Waydroid still not has connetcion.

And if I change LXC_USE_NFT to false, the session doesnt start at all.

waydroid log says that "failed to attach "vethxxxxxx" to bridge "waydroid0", bridge interface doesn't exists

Distro: Manjaro ARM on Pinephone

[SameExpert]

I add the snippet above to /etc/nftables.conf, restarted nftables.service but nothing happened. Waydroid still not has connetcion.

If you add it to /etc/nftables.d/51_waydroid.nft (name it whatever but with .nft extension) it should work. Alpine added it in this commit. Now internet works for me with LXC_USE_NFT="true", but I need to type this every time I start WayDroid:

$ echo "ip route add default via 192.168.250.1" | sudo waydroid shell

And if I change LXC_USE_NFT to false, the session doesnt start at all.

waydroid log says that "failed to attach "vethxxxxxx" to bridge "waydroid0", bridge interface doesn't exists

That happens for me too, because it falls back to iptables and demands ip_tables module which is missing in the kernel. Regarding this I opened #178. So using LXC_USE_NFT="true" works for me.