OK good, so you have a ‘pure’ nftables setup.
One thing that I can see is likely to cause you problems is this:
table ip filter {
    ...
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
    ...
}
The policy drop bit is going to cause all routed traffic (i.e. traffic to/from containers going to your external NIC) to be dropped. This is because nftables has a somewhat counter-intuitive behaviour (compared to iptables) where, when a rule in a chain (in this case fwd.lxdbr0) accepts traffic, this doesn’t necessarily mean it will actually get accepted, as nftables then considers all other chains and if one of them has a drop rule (or default policy) then the packet is dropped even though it was supposed to have been accepted earlier.
See Configuring chains - nftables wiki
NOTE: If a packet is accepted and there is another chain, bearing the same hook type and with a later priority, then the packet will subsequently traverse this other chain. Hence, an accept verdict - be it by way of a rule or the default chain policy - isn’t necessarily final. However, the same is not true of packets that are subjected to a drop verdict. Instead, drops take immediate effect, with no further rules or chains being evaluated.
We have discussed this before, see Lxd bridge doesn't work with IPv4 and UFW with nftables - #13 by tomp
So you’re going to want to change that to an accept.
However, before that I am not seeing any reason why your containers are not getting IPv4 addresses from dnsmasq listening on lxdbr0 via DHCP.
Can you show output of:
sudo ss -ulpn
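The chain interaction described in the post above, written out as an added example (not part of the original post or of LXD's own ruleset). The `inet lxd` table and `fwd.lxdbr0` chain are sketched the way LXD creates them; their exact names, rules and priority are an assumption reproduced from memory, so compare against `sudo nft list ruleset` on your host. The three fragments are separate before/after states, not one file to load in one go.

```nft
# --- before: two base chains on the same hook (forward) ---
# Assumed LXD-managed table; check the real one with `sudo nft list ruleset`.
table inet lxd {
    chain fwd.lxdbr0 {
        type filter hook forward priority 0; policy accept;
        oifname "lxdbr0" accept    # traffic towards the containers
        iifname "lxdbr0" accept    # traffic from the containers
    }
}

# The user's own filter table. Same hook, so a packet accepted in
# fwd.lxdbr0 still traverses this chain; nothing here matches it, and the
# chain policy is the verdict that finally applies: drop.
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
}

# --- after, option 1: the change suggested in the post ---
# An accept policy here no longer overrides the accept from fwd.lxdbr0.
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
    }
}

# --- after, option 2: keep a default-deny FORWARD chain ---
# If the drop policy is wanted for other routed traffic, the bridge traffic
# has to be accepted explicitly in *this* chain as well, because an accept
# in another chain on the same hook does not carry over.
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        iifname "lxdbr0" accept                          # containers -> outside
        oifname "lxdbr0" ct state established,related accept  # replies back in
        counter drop comment "routed traffic not matched above"
    }
}
```

Which base chains share the forward hook is the first thing to check: `sudo nft list ruleset` shows every table, and any chain with `hook forward` gets a say on routed packets regardless of which table it lives in. The trailing `counter drop` rule in option 2 is there so that `sudo nft list chain ip filter FORWARD` shows whether anything is still being dropped after the change. Changing only the policy of the existing chain, without flushing it, should also work as a one-liner (`sudo nft add chain ip filter FORWARD '{ policy accept; }'`), but verify on your nft version before relying on it.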