From c45811acf94d8a94c2544e5d6650af950a62ca1b Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Thu, 30 Apr 2026 20:47:46 +0100
Subject: [PATCH] router: accept docker0 on input chain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Containers connecting to host services on 10.0.0.1 (e.g. Profilarr → Radarr at 10.0.0.1:7878) hit the input chain, not forward, because the destination is a local IP. The forward chain already trusts docker0 for outbound; this adds the matching input rule so the return path stops getting dropped.

Co-Authored-By: Claude Opus 4.7
---
 services/router.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/services/router.nix b/services/router.nix
index 08cdbab..abfa20e 100644
--- a/services/router.nix
+++ b/services/router.nix
@@ -111,6 +111,11 @@ in
 iifname "lo" accept
 # LAN is trusted
 iifname "eth0" accept
+ # Docker containers reaching host services (e.g. Profilarr → Radarr
+ # on 10.0.0.1:7878). The forward chain already trusts docker0 for
+ # outbound; this is the matching INPUT rule for traffic landing on
+ # the host's own LAN/bridge IPs from a container.
+ iifname "docker0" accept
 # Phase 1: also trust the existing eero subnet on eno1 so SSH
 # and AdGuard DNS keep working during the transition.
 ${legacyTrustRules}
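Review bot: The new `iifname "docker0" accept` admits every container to every socket the host listens on, not just the Radarr port the comment cites, so a compromised container gets the same reach as a trusted LAN host (the SSH and DNS services mentioned in the surrounding context included). If only a few host services need to be reachable from containers, a scoped rule such as `iifname "docker0" ip daddr 10.0.0.1 tcp dport 7878 accept` keeps the fix while leaving the default policy in place for everything else, at the cost of maintaining the port list alongside the containers. The commit message describes the "return path" being dropped, but a container-initiated connection's first packet is what lands on input; if the symptom really was reply traffic, it may be worth checking the chain's `ct state established,related accept` rule rather than widening input. The ruleset string this hunk edits starts and ends outside the hunk, so the chain's policy and rule order are not visible here.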