The nat fiddles are not visible inside the container network namespace. Thus I am wondering if there is an odd interaction between namespaces, nftables-based iptables vs legacy iptables. I.e., whilst the host is configured using legacy iptables, maybe the lxd guests must be using legacy iptables too.
I'll experiment to see if forcing to simply only use iptables-legacy inside the lxd guest is good enough for now, despite the hosts getting upgraded to bionic, because it's only groovy that started to use nftables-based iptables.
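A small diagnostic for comparing the iptables backend on the host and inside the lxd guest, added here as an example and not part of the original comment; it assumes the `iptables -V` output formats `iptables v1.8.x (nf_tables)`, `iptables v1.8.x (legacy)` and pre-1.8 `iptables v1.6.x` (legacy only):

```shell
#!/bin/sh
# Added example (not from the thread): report which iptables backend the
# default "iptables" binary uses and dump the nat table through both
# backends, so a rule that exists only under one backend becomes visible.
# Run once on the host and once inside the container, then diff the output.

# Classify an "iptables -V" string as legacy / nf_tables / unknown.
# Assumed formats: "iptables v1.8.7 (nf_tables)", "iptables v1.8.7 (legacy)",
# and pre-1.8 versions such as "iptables v1.6.1" (only the legacy backend existed).
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*)    echo nf_tables ;;
    *"(legacy)"*)       echo legacy ;;
    "iptables v1."[0-7]*) echo legacy ;;
    *)                  echo unknown ;;
  esac
}

# Dump the nat table via each backend binary that is installed. A mismatch
# (rules under one binary, empty under the other) is the mixed-backend case.
dump_nat_both_backends() {
  for bin in iptables-legacy iptables-nft; do
    if command -v "$bin" >/dev/null 2>&1; then
      echo "== $bin -t nat -S =="
      "$bin" -t nat -S 2>&1 || true   # needs root; keep going if it fails
    else
      echo "== $bin not installed =="
    fi
  done
}

# Live report, only when iptables is present on this system.
if command -v iptables >/dev/null 2>&1; then
  echo "default iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
  dump_nat_both_backends
fi
```

If the host reports `legacy` and the guest `nf_tables` (or the reverse), the nat rules each side adds live in different rule sets, which matches the "not visible" symptom described above.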