From c2cb89ddc5a05859bbb541ae0fc110eb43f8296e Mon Sep 17 00:00:00 2001
From: "CanbiZ (MickLesk)" <47820557+MickLesk@users.noreply.github.com>
Date: Mon, 9 Feb 2026 14:11:07 +0100
Subject: [PATCH] fix(netbird): add systemd ordering to start after Docker (#11716)
When Docker is installed in the same LXC, Docker sets the FORWARD chain policy to DROP on startup. If Netbird starts before Docker finishes initializing its iptables rules, Docker overrides the Netbird routing rules, causing traffic routing to fail despite the tunnel being up. Add a systemd drop-in override that ensures netbird.service starts after docker.service (only if Docker is installed). This prevents the race condition and ensures correct iptables ordering after reboot. Closes #11354
---
 tools/addon/add-netbird-lxc.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/tools/addon/add-netbird-lxc.sh b/tools/addon/add-netbird-lxc.sh
index 4056c5776..7b604c954 100644
--- a/tools/addon/add-netbird-lxc.sh
+++ b/tools/addon/add-netbird-lxc.sh
@@ -84,6 +84,15 @@ curl -fsSL "https://pkgs.netbird.io/debian/public.key" | gpg --dearmor >/usr/sha
 echo "deb [signed-by=/usr/share/keyrings/netbird-archive-keyring.gpg] https://pkgs.netbird.io/debian stable main" >/etc/apt/sources.list.d/netbird.list
 apt-get update &>/dev/null
 apt-get install -y netbird-ui &>/dev/null
+if systemctl list-unit-files docker.service &>/dev/null; then
+ mkdir -p /etc/systemd/system/netbird.service.d
+ cat </etc/systemd/system/netbird.service.d/after-docker.conf
+[Unit]
+After=docker.service
+Wants=docker.service
+OVERRIDE
+ systemctl daemon-reload
+fi
 '
 msg "\e[1;32m ✔ Installed NetBird.\e[0m"
 sleep 2
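Review bot: The `Wants=docker.service` line in the new drop-in makes netbird.service pull Docker in on every start, and the `systemctl list-unit-files docker.service` guard also matches a unit that is installed but disabled, so a Docker daemon the operator deliberately turned off would be started again at boot. The race described in the commit message only needs ordering, which `After=docker.service` expresses on its own; consider dropping `Wants=docker.service`, or gating the drop-in on `systemctl is-enabled docker.service` instead. With only `After=` the drop-in has no effect when Docker is absent, so it could be written unconditionally and would then also cover Docker being installed after NetBird. The heredoc line appears on this page as `cat </etc/...`, which is presumably an extraction artifact of the original redirection rather than what was committed. The quoted command block these lines sit in starts outside the hunk.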