For my use cases, this is a good start:
--- usr/libexec/lxc/lxc-net     2025-01-03 01:53:50.000000000 +0100
+++ /usr/libexec/lxc/lxc-net    2025-04-23 10:35:59.316383223 +0200
@@ -98,7 +98,9 @@
     NFT_RULESET="${NFT_RULESET};
 add table inet lxc;
 flush table inet lxc;
-add chain inet lxc input { type filter hook input priority 0; };
+add chain inet lxc input { type filter hook input priority 0; policy drop; };
+add rule inet lxc input iifname lo accept;
+add rule inet lxc input ct state established,related accept;
 add rule inet lxc input iifname ${LXC_BRIDGE} udp dport { 53, 67 } accept;
 add rule inet lxc input iifname ${LXC_BRIDGE} tcp dport { 53, 67 } accept;
 add chain inet lxc forward { type filter hook forward priority 0; };
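Review bot: switching the `input` base chain to `policy drop` turns lxc-net's helper table into a host-wide default-deny, and the three accept rules added here (`iifname lo`, `ct state established,related`, and the DNS/DHCP rules on `${LXC_BRIDGE}`) are the only things that will let new inbound traffic reach the host while this table is loaded; any other host service (an SSH listener, for example) and ICMP/ICMPv6, which IPv6 neighbour discovery depends on, will be dropped unless another rule in this same chain accepts them. If the default-deny is intended, add explicit accept rules for ICMP/ICMPv6 and the host services that must stay reachable; otherwise it is safer to leave this chain at its original accept policy and put the default-deny in a separate host firewall table that is not created and deleted by lxc-net, since this table only exists while lxc-net is running and the edited script is overwritten on the next package update.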


The diff was generated between a locally extracted package and the production version; that's probably why the paths might be strange, and I don't know if the extracted version is present in the source package.

.Henrik
