Description: I was playing around with systemd-nspawn containers and the new systemd-219 feature: default masquerading for veth'ed (started with --network-veth) containers, and faced a weird systemd-networkd behaviour. systemd-networkd could not enable or disable IP masquerading (and do any other firewall related things like forwarding, I suppose) if iptables haven't been touched in any way since boot time.

How to reproduce:

The most important prerequisite here is that iptables haven't been touched since boot time. iptables shouldn't be touched either by iptables-load from iptables.service or manually from the console. Run

# iptables-save

and its output should be completely empty. Not tables with empty rules; just no output at all.

1. Then prepare some distro in some directory to use with nspawn.
2. Start systemd-networkd on the host.
3. Boot the container with the -n (--network-veth) option:
   # systemd-nspawn -n -b -D $path_to_container
4. Try to ping from the container: ping won't be able to reach anything.
5. See systemd-networkd status on the host:
   # systemctl status systemd-networkd
   It will report:
   systemd-networkd: ve-%containername%: Could not enable IP masquerading: Protocol not available
6. Turn off the container.
7. Touch iptables, e.g.:
   # iptables -t nat --list
   After you have touched iptables in such a way, iptables-save will output tables with an empty set of rules.
8. Now boot the container and try to ping: voilà, it pings!
9. Check systemd-networkd status: there are no complaints now.
I think the reason is that iptables loads the kernel module at first invocation, see [1], but systemd doesn't and just gives up if iptc_init() fails. [1] https://git.netfilter.org/iptables/tree/iptables/iptables.c?id=0e067c7142c73404eb9ba6e355a28a92bf493675#n1775
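A small diagnostic for the precondition the report depends on, added here as an example (it is not part of the bug report or of systemd): it classifies the kernel's iptables state from /proc/net/ip_tables_names, where the kernel lists registered ip_tables tables one per line (the file is absent while ip_tables itself is not loaded). The sample files are constructed to stand in for the "untouched" and "touched" states from the report; the path argument exists only so the check can run against them.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report or systemd. On the "untouched"
# system in the report no table is registered yet, which is the state in
# which iptc_init() fails with ENOPROTOOPT ("Protocol not available").

# iptables_state [FILE] -> prints one of:
#   module-not-loaded   FILE does not exist (ip_tables never loaded)
#   nat-not-registered  FILE exists but has no "nat" line
#   nat-ready           "nat" is registered; masquerading setup can proceed
iptables_state() {
    names_file="${1:-/proc/net/ip_tables_names}"
    if [ ! -e "$names_file" ]; then
        echo module-not-loaded
    elif grep -qx nat "$names_file"; then
        echo nat-ready
    else
        echo nat-not-registered
    fi
}

# Constructed sample files standing in for /proc/net/ip_tables_names in
# the states the report describes (before and after step 7).
SAMPLE_DIR=$(mktemp -d)
UNTOUCHED="$SAMPLE_DIR/untouched"   # ip_tables loaded, nothing registered
TOUCHED="$SAMPLE_DIR/touched"       # after: iptables -t nat --list
MISSING="$SAMPLE_DIR/missing"       # never created: module not loaded
: > "$UNTOUCHED"
printf 'nat\n' > "$TOUCHED"

for f in "$MISSING" "$UNTOUCHED" "$TOUCHED"; do
    printf '%s: %s\n' "$(basename "$f")" "$(iptables_state "$f")"
done
```

Run without an argument on the host to inspect the live /proc file before starting a veth'ed container; anything other than nat-ready matches the condition under which the report's step 5 error appears.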
Hmm, I figure the iptables modules do not support module autoloading when needed (which is kinda understandable, given that its API is a setsockopt call...). I am not too convinced though that networkd should be able to load the kernel modules if they are missing...
Should be fixed with: http://cgit.freedesktop.org/systemd/systemd/commit/?id=1d3087978a8ee23107cb64aa55ca97aefe9531e2