Ah, that's good to know and we should definitely aim at refreshing nftables prior to doing any amount of testing on the wrappers.
The failure I've seen for LXD specifically was around complex protocol parsing (IPv6 router advertisements I believe) through ebtables, so not a very usual thing to do, but something LXD needs to do to prevent some cases of IP spoofing between containers with isolated networking.
Ah, that's good to know and we should definitely aim at refreshing nftables prior to doing any amount of testing on the wrappers.
The failure I've seen for LXD specifically was around complex protocol parsing (IPv6 router advertisements I believe) through ebtables, so not a very usual thing to do, but something LXD needs to do to prevent some cases of IP spoofing between containers with isolated networking.