TURN server check fails

[fluchtkapsel]

Tip

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

---

Steps to reproduce

1. Configure Talk app to use our coturn installation.

Expected behaviour

TURN server connection should be verified

Actual behaviour

The "pulse" icon changes to a a red exclamation mark in a red octagon.

Talk app

Talk app version: 23.0.4

Custom Signaling server configured: yes, 4e6bfc963c7350940023f3af4ac9c8cd0400cb4f

Custom TURN server configured: yes

Custom STUN server configured: yes

Browser

Microphone available: yes

Camera available: yes

Operating system: Fedora

Browser name: Vivaldi

Browser version: Version 8.0.4033.34 (Offizieller Build) (64-Bit)
Chromium Version 148.0.7778.183

Browser log

Details

``` Creating PeerConnection with {iceServers: Array(1), iceTransportPolicy: 'relay'}iceServers: Array(1)0: {username: '1779792926:turn-test-user', credential: '2VyXLMqbaM54DwwPQsX/D5x6IV4=', urls: Array(4)}length: 1[[Prototype]]: Array(0)iceTransportPolicy: "relay"[[Prototype]]: Object TurnServer.vue:342 Received candidates []length: 0[[Prototype]]: Array(0) ```

Server configuration

root@wolke-nextcloud:~# time sudo -u www-data php /var/www/wolke.wikimedia.de/occ app:install issuetemplate
Error: App "Issue Template" cannot be installed because it is not compatible with this version of the server.

Operating system: Debian GNU/Linux 13 (trixie)

Web server: Nginx

Database: Maria

PHP version: 8.4

Nextcloud Version: 33.0.3

List of activated apps:

Details

Enabled:
  - activity: 6.0.0
  - admin_audit: 1.23.0
  - app_api: 33.0.0
  - appointments: 2.7.3
  - bruteforcesettings: 6.0.0
  - calendar: 6.4.2
  - circles: 33.0.0
  - cloud_federation_api: 1.17.0
  - comments: 1.23.0
  - contacts: 8.5.0
  - contactsinteraction: 1.14.1
  - cospend: 4.0.0
  - dashboard: 7.13.0
  - dav: 1.36.0
  - deck: 1.17.1
  - doom_nextcloud: 1.0.8
  - federatedfilesharing: 1.23.0
  - federation: 1.23.0
  - files: 2.5.0
  - files_downloadlimit: 5.1.0
  - files_external: 1.25.1
  - files_lock: 33.0.3
  - files_pdfviewer: 6.0.0
  - files_reminders: 1.6.0
  - files_sharing: 1.25.2
  - files_trashbin: 1.23.0
  - files_versions: 1.26.0
  - firstrunwizard: 6.0.0
  - forms: 5.2.8
  - groupfolders: 21.0.7
  - impersonate: 4.0.0
  - integration_mattermost: 3.1.0
  - ldap_write_support: 1.15.0
  - logreader: 6.0.0
  - lookup_server_connector: 1.21.0
  - mail: 5.8.0
  - nextcloud_announcements: 5.0.0
  - notes: 5.0.0
  - notifications: 6.0.0
  - oauth2: 1.21.0
  - ownershiptransfer: 1.4.0
  - password_policy: 5.0.0
  - photos: 6.0.0
  - privacy: 5.0.0
  - profile: 1.2.0
  - provisioning_api: 1.23.0
  - qownnotesapi: 26.2.2
  - recommendations: 6.0.0
  - related_resources: 4.0.0
  - richdocuments: 10.1.3
  - serverinfo: 5.0.0
  - settings: 1.16.0
  - sharebymail: 1.23.0
  - spreed: 23.0.4
  - support: 5.0.0
  - survey_client: 5.0.0
  - systemtags: 1.23.0
  - tasks: 0.17.1
  - text: 7.0.1
  - theming: 2.8.0
  - timemanager: 0.3.23
  - twofactor_backupcodes: 1.22.0
  - twofactor_nextcloud_notification: 7.0.0
  - twofactor_totp: 15.0.0
  - updatenotification: 1.23.0
  - user_ldap: 1.24.0
  - user_status: 1.13.0
  - viewer: 6.0.0
  - weather_status: 1.13.0
  - webhook_listeners: 1.5.0
  - whiteboard: 1.5.8
  - workflowengine: 2.15.0

Nextcloud configuration:

Details

{
    "system": {
        "trashbin_retention_obligation": "auto, 30",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "wolke.wikimedia.de",
            "cloud.wikimedia.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/wolke.wikimedia.de",
        "overwriteprotocol": "https",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "dbtype": "mysql",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "version": "33.0.3.2",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "app_install_overwrite": {
            "0": "whiteboard",
            "2": "fulltextsearch",
            "3": "fulltextsearch_elasticsearch",
            "4": "files_fulltextsearch",
            "5": "dashboardcharts",
            "6": "ownpad",
            "7": "timetracker",
            "8": "keeweb",
            "9": "documents",
            "10": "ldap_write_support"
        },
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "theme": "",
        "loglevel": 1,
        "has_rebuilt_cache": true,
        "default_language": "de_DE",
        "htaccess.RewriteBase": "\/",
        "maintenance": false,
        "encryption.legacy_format_support": false,
        "encryption.key_storage_migrated": false,
        "maintenance_window_start": 1,
        "mysql.utf8mb4": true,
        "serverid": 1,
        "default_phone_region": "DE",
        "mail_smtpport": "25",
        "mail_smtpstreamoptions": {
            "ssl": {
                "allow_self_signed": false,
                "verify_peer": true,
                "verify_peer_name": true
            }
        },
        "allow_local_remote_servers": true
    }
}

Server log (data/nextcloud.log)

There's nothing logged by Nextcloud. But there are logs of coturn.

Details

May 26 10:58:03 stunning turnserver[837807]: 6997: : session 000000000000000804: realm <headturning.wikimedia.de> user <>: incoming packet message processed, error 401: Unauthorized
May 26 10:58:03 stunning turnserver[837807]: 6997: : session 001000000000000747: realm <headturning.wikimedia.de> user <>: incoming packet message processed, error 401: Unauthorized
May 26 10:58:03 stunning turnserver[837807]: 6997: : session 000000000000000805: realm <headturning.wikimedia.de> user <>: incoming packet message processed, error 401: Unauthorized
May 26 10:58:03 stunning turnserver[837807]: 6997: : session 000000000000000806: realm <headturning.wikimedia.de> user <>: incoming packet message processed, error 401: Unauthorized
May 26 10:58:03 stunning turnserver[837807]: 6997: : session 000000000000000807: realm <headturning.wikimedia.de> user <>: incoming packet message processed, error 401: Unauthorized
May 26 10:58:03 stunning turnserver[837807]: 6997: : session 001000000000000748: realm <headturning.wikimedia.de> user <>: incoming packet message processed, error 401: Unauthorized
May 26 10:58:03 stunning turnserver[837807]: 6997: : session 001000000000000749: realm <headturning.wikimedia.de> user <>: incoming packet message processed, error 401: Unauthorized
May 26 10:58:03 stunning turnserver[837807]: 6997: : session 000000000000000808: realm <headturning.wikimedia.de> user <>: incoming packet message processed, error 401: Unauthorized
May 26 10:58:04 stunning turnserver[837807]: 6997: : ERROR: check_stun_auth: Cannot find credentials of user <1779793383:turn-test-user>
May 26 10:58:04 stunning turnserver[837807]: 6997: : session 001000000000000747: realm <headturning.wikimedia.de> user <1779793383:turn-test-user>: incoming packet message processed, error 401: Unauthorized
May 26 10:58:04 stunning turnserver[837807]: 6997: : ERROR: check_stun_auth: Cannot find credentials of user <1779793383:turn-test-user>
May 26 10:58:04 stunning turnserver[837807]: 6997: : session 000000000000000806: realm <headturning.wikimedia.de> user <1779793383:turn-test-user>: incoming packet message processed, error 401: Unauthorized
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 000000000000000776: peer usage: realm=<headturning.wikimedia.de>, username=<1779793319:turn-test-user>, rp=0, rb=0, sp=0, sb=0
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 000000000000000776: closed (2nd stage), user <1779793319:turn-test-user> realm <headturning.wikimedia.de> origin <>, local [2a01:4f8:c012:9c34::1]:443, remote [2003:a:6d:dd00:9a4b:b1a0:375e:f31d]:52071, reason: allocation watchdog determined stale session state
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 001000000000000725: usage: realm=<headturning.wikimedia.de>, username=<1779793319:turn-test-user>, rp=3, rb=180, sp=3, sb=388
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 001000000000000725: peer usage: realm=<headturning.wikimedia.de>, username=<1779793319:turn-test-user>, rp=0, rb=0, sp=0, sb=0
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 001000000000000725: closed (2nd stage), user <1779793319:turn-test-user> realm <headturning.wikimedia.de> origin <>, local [2a01:4f8:c012:9c34::1]:443, remote [2003:a:6d:dd01:e8c5:de67:cd9b:43d4]:38802, reason: allocation watchdog determined stale session state
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 001000000000000726: usage: realm=<headturning.wikimedia.de>, username=<1779793319:turn-test-user>, rp=3, rb=180, sp=3, sb=388
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 001000000000000726: peer usage: realm=<headturning.wikimedia.de>, username=<1779793319:turn-test-user>, rp=0, rb=0, sp=0, sb=0
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 001000000000000726: closed (2nd stage), user <1779793319:turn-test-user> realm <headturning.wikimedia.de> origin <>, local [2a01:4f8:c012:9c34::1]:443, remote [2003:a:6d:dd00:9a4b:b1a0:375e:f31d]:50342, reason: allocation watchdog determined stale session state
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 001000000000000727: usage: realm=<headturning.wikimedia.de>, username=<1779793319:turn-test-user>, rp=3, rb=180, sp=3, sb=388
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 001000000000000727: peer usage: realm=<headturning.wikimedia.de>, username=<1779793319:turn-test-user>, rp=0, rb=0, sp=0, sb=0
May 26 10:58:04 stunning turnserver[837807]: 6997: : IPv6. tcp or tls connected to: 2003:a:6d:dd00:9a4b:b1a0:375e:f31d:42998
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 001000000000000727: closed (2nd stage), user <1779793319:turn-test-user> realm <headturning.wikimedia.de> origin <>, local [2a01:4f8:c012:9c34::1]:443, remote [2003:a:6d:dd01:e8c5:de67:cd9b:43d4]:57056, reason: allocation watchdog determined stale session state
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 001000000000000728: usage: realm=<headturning.wikimedia.de>, username=<1779793319:turn-test-user>, rp=3, rb=180, sp=3, sb=340
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 001000000000000728: peer usage: realm=<headturning.wikimedia.de>, username=<1779793319:turn-test-user>, rp=0, rb=0, sp=0, sb=0
May 26 10:58:04 stunning turnserver[837807]: 6993: : session 001000000000000728: closed (2nd stage), user <1779793319:turn-test-user> realm <headturning.wikimedia.de> origin <>, local 46.224.136.35:443, remote 104.151.103.93:19501, reason: allocation watchdog determined stale session state
[…]

I shortened it a bit. When I use `turnutils_uclient -p 443 -W shared-auth-secret -v -y headturning.wikimedia.de` it looks like this:

Details

May 26 10:59:58 stunning turnserver[837807]: 7112: : session 000000000000000836: realm <headturning.wikimedia.de> user <>: incoming packet message processed, error 401: Unauthorized
May 26 10:59:58 stunning turnserver[837807]: 7112: : IPv4. Local relay addr: 46.224.136.35:57440
May 26 10:59:58 stunning turnserver[837807]: 7112: : IPv4. Local reserved relay addr: 46.224.136.35:57441
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 000000000000000836: new, realm=<headturning.wikimedia.de>, username=<1779879598>, lifetime=777
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 000000000000000836: realm <headturning.wikimedia.de> user <1779879598>: incoming packet ALLOCATE processed, success
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 000000000000000836: refreshed, realm=<headturning.wikimedia.de>, username=<1779879598>, lifetime=777
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 000000000000000836: realm <headturning.wikimedia.de> user <1779879598>: incoming packet REFRESH processed, success
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 001000000000000773: realm <headturning.wikimedia.de> user <>: incoming packet message processed, error 401: Unauthorized
May 26 10:59:58 stunning turnserver[837807]: 7112: : IPv4. Local relay addr (RTCP): 46.224.136.35:57441
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 001000000000000773: new, realm=<headturning.wikimedia.de>, username=<1779879598>, lifetime=777
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 001000000000000773: realm <headturning.wikimedia.de> user <1779879598>: incoming packet ALLOCATE processed, success
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 001000000000000773: refreshed, realm=<headturning.wikimedia.de>, username=<1779879598>, lifetime=777
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 001000000000000773: realm <headturning.wikimedia.de> user <1779879598>: incoming packet REFRESH processed, success
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 000000000000000837: realm <headturning.wikimedia.de> user <>: incoming packet message processed, error 401: Unauthorized
May 26 10:59:58 stunning turnserver[837807]: 7112: : IPv4. Local relay addr: 46.224.136.35:55312
May 26 10:59:58 stunning turnserver[837807]: 7112: : IPv4. Local reserved relay addr: 46.224.136.35:55313
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 000000000000000837: new, realm=<headturning.wikimedia.de>, username=<1779879598>, lifetime=777
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 000000000000000837: realm <headturning.wikimedia.de> user <1779879598>: incoming packet ALLOCATE processed, success
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 000000000000000837: refreshed, realm=<headturning.wikimedia.de>, username=<1779879598>, lifetime=777
May 26 10:59:58 stunning turnserver[837807]: 7112: : session 000000000000000837: realm <headturning.wikimedia.de> user <1779879598>: incoming packet REFRESH processed, success
May 26 10:59:58 stunning turnserver[837807]: 7075: : session 000000000000000831: usage: realm=<headturning.wikimedia.de>, username=<>, rp=386, rb=7720, sp=386, sb=38600
May 26 10:59:58 stunning turnserver[837807]: 7075: : session 000000000000000831: peer usage: realm=<headturning.wikimedia.de>, username=<>, rp=0, rb=0, sp=0, sb=0
May 26 10:59:58 stunning turnserver[837807]: 7075: : session 000000000000000831: closed (2nd stage), user <> realm <headturning.wikimedia.de> origin <>, local 46.224.136.35:3478, remote 13.76.102.115:17500, reason: allocation watchdog determined stale session state
May 26 10:59:58 stunning turnserver[837807]: 7094: : session 000000000000000832: usage: realm=<headturning.wikimedia.de>, username=<>, rp=103, rb=2060, sp=103, sb=10300
May 26 10:59:58 stunning turnserver[837807]: 7094: : session 000000000000000832: peer usage: realm=<headturning.wikimedia.de>, username=<>, rp=0, rb=0, sp=0, sb=0
May 26 10:59:58 stunning turnserver[837807]: 7094: : session 000000000000000832: closed (2nd stage), user <> realm <headturning.wikimedia.de> origin <>, local 46.224.136.35:3478, remote 213.32.19.46:5060, reason: allocation watchdog determined stale session state
May 26 10:59:58 stunning turnserver[837807]: 7102: : session 000000000000000833: usage: realm=<headturning.wikimedia.de>, username=<>, rp=386, rb=7720, sp=386, sb=38600
May 26 10:59:58 stunning turnserver[837807]: 7102: : session 000000000000000833: peer usage: realm=<headturning.wikimedia.de>, username=<>, rp=0, rb=0, sp=0, sb=0
May 26 10:59:58 stunning turnserver[837807]: 7102: : session 000000000000000833: closed (2nd stage), user <> realm <headturning.wikimedia.de> origin <>, local 46.224.136.35:3478, remote 34.0.14.87:23957, reason: allocation watchdog determined stale session state
May 26 10:59:58 stunning turnserver[837807]: 7108: : session 000000000000000834: usage: realm=<headturning.wikimedia.de>, username=<>, rp=193, rb=3860, sp=193, sb=19300
May 26 10:59:58 stunning turnserver[837807]: 7108: : session 000000000000000834: peer usage: realm=<headturning.wikimedia.de>, username=<>, rp=0, rb=0, sp=0, sb=0
May 26 10:59:58 stunning turnserver[837807]: 7108: : session 000000000000000834: closed (2nd stage), user <> realm <headturning.wikimedia.de> origin <>, local 46.224.136.35:3478, remote 185.97.253.250:7707, reason: allocation watchdog determined stale session state

The most glaring difference is that Nextcloud Talk tests with username while `turnutils_uclient` only uses . And coturn complains about not finding any credentials for the user supplied by Nextcloud Talk. So I guess the cause lies there somewhere.

I tried to debug using https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/ but this page fails with me not providing a username.

[Antreesy]

Is anything in your setup differs from documented configuration in these articles:

• https://nextcloud-talk.readthedocs.io/en/latest/coturn/
• https://nextcloud-talk.readthedocs.io/en/latest/TURN/#4-configure-nextcloud-talk-to-use-your-turn-server

Apart from that, I don't have clear idea what to check. Maybe @danxuliu would have some hints

[fluchtkapsel]

There's nothing special in there. AFAIU TURN and TURNS are available on both listening-port and tls-listening-port.

Details

root@stunning:~# grep -v -e "^#" -e "^$" /etc/turnserver.conf
listening-port=3478
tls-listening-port=443
min-port=32769
max-port=65535
verbose
fingerprint
lt-cred-mech
prometheus
use-auth-secret
static-auth-secret=IWontTellYouItsRedacted
realm=headturning.wikimedia.de
total-quota=100
stale-nonce=600
cert=/etc/coturn/stunning.wikimedia.de.crt
pkey=/etc/coturn/stunning.wikimedia.de.key
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
dh-file=/etc/coturn/ssl/dhp.pem
keep-address-family
no-sslv3
no-tlsv1
no-tlsv1_1
dh2066
syslog
no-loopback-peers
no-multicast-peers
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=::ffff:0:0-::ffff:ffff:ffff
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=64:ff9b:1::-64:ff9b:1:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff

As the machine is dedicated for STUN and TURN, there's no need for any port forwarding or NAT. nftables is running, though, as there was supposed to be a Prosody IM running in an LXC.

Details

root@stunning:~# nft list ruleset
table ip6 lxc {
	set masq_addr {
		type ipv6_addr
		flags interval
		comment "IPv6 addresses to masquerade. Usually not necessary."
	}

	map map_port_ipport {
		type inet_proto . inet_service : ipv6_addr . inet_service
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip6 saddr fc42:5009:ba4b:5ab0::/64 ip6 daddr != fc42:5009:ba4b:5ab0::/64 counter packets 0 bytes 0 masquerade
	}

	chain prerouting {
		type nat hook prerouting priority dstnat + 1; policy accept;
		fib daddr type local dnat ip6 to meta l4proto . th dport map @map_port_ipport
	}

	chain output {
		type nat hook output priority dstnat + 1; policy accept;
		ip6 daddr != ::1 oif "lo" dnat ip6 to meta l4proto . th dport map @map_port_ipport
	}
}
table inet lxc {
	chain input {
		type filter hook input priority filter; policy accept;
		iifname "lxcbr0" udp dport { 53, 67 } accept
		iifname "lxcbr0" tcp dport { 53, 67 } accept
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		iifname "lxcbr0" accept
		oifname "lxcbr0" accept
	}
}
table ip lxc {
	set masq_addr {
		type ipv4_addr
		flags interval
		comment "IPv4 addresses to masquerade. Only for manually added IPv4 addresses."
	}

	map map_port_ipport {
		type inet_proto . inet_service : ipv4_addr . inet_service
	}

	set tunnel_addr {
		type ipv4_addr
		flags interval
		comment "Tunnel these addresses through IPsec"
		elements = { 10.0.3.0/24, 10.0.6.0/24,
			     172.16.66.0/23 }
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip daddr @tunnel_addr accept comment "ipsec_tunnels"
		ip saddr 10.0.201.0/24 ip daddr != 10.0.201.0/24 counter packets 1 bytes 40 masquerade
	}

	chain prerouting {
		type nat hook prerouting priority dstnat + 1; policy accept;
		fib daddr type local dnat ip to meta l4proto . th dport map @map_port_ipport
	}

	chain output {
		type nat hook output priority dstnat + 1; policy accept;
		ip daddr != 127.0.0.0/8 oif "lo" dnat ip to meta l4proto . th dport map @map_port_ipport
	}
}
table ip generic {
}
root@stunning:~# lxc-ls
NAME                 STATE   AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED 
prosody.wikimedia.de STOPPED 0         -      -    -    false    

Stopping lxc.service and lxc-net.service thus flushing the nft ruleset doesn't change anything, though.