# {{ ansible_managed }}
# Allow container forwarding through base's default-deny forward chain (ADR-025 / FRICTION
# 2026-06-17 #1). Appended to base's `table inet filter` / `chain forward` via the
# /etc/nftables.d/*.nft include, and loaded by nftables.service at boot — exactly when the
# bug bit (default-deny forward loading before dockerd on reboot).
#
# This file declares no `type ... hook forward` line of its own; it only adds rules to a
# chain that is expected to exist already.
# NOTE(review): if base's definition is not loaded before this include, `chain forward`
# would be created here as a regular chain with no hook and these rules would never be
# evaluated. Confirm the include order.
# NOTE(review): the rules are appended after base's own. If base ends the chain with an
# explicit `drop` rule rather than `policy drop`, they are unreachable. Verify on a host
# with `nft list chain inet filter forward`.
table inet filter {
    chain forward {
        # Packets of already-tracked connections, and packets related to them.
        ct state established,related accept

        # Interfaces are matched by name (iifname/oifname), so the ruleset loads even
        # when the bridge does not exist yet, i.e. before dockerd has started.

        # Traffic forwarded from the default Docker bridge.
        iifname "docker0" accept

        # Traffic forwarded to the default Docker bridge. There is no ct state or
        # source-interface restriction, so this also matches new connections arriving on
        # any other interface. An accept verdict only ends evaluation of this chain; other
        # base chains on the forward hook still see the packet.
        # NOTE(review): inbound filtering for containers is therefore left to whatever
        # else hooks forward (presumably Docker's own rules). Confirm that is intended,
        # especially on hosts where Docker's firewall management is turned off.
        oifname "docker0" accept

        # Same pair for every interface whose name starts with "br-" (presumably Docker
        # user-defined bridge networks).
        # NOTE(review): the wildcard also matches any non-Docker bridge that uses the
        # same prefix. Check the host's interface naming.
        iifname "br-*" accept
        oifname "br-*" accept
    }
}