Description: systemd 219 brings IP forwarding and masquerading support: see [1], [2].

For this to be supported, systemd (more precisely -- networkd) should be linked against libiptc.so. libiptc.so is part of core/iptables package.
In ArchLinux, systemd built without iptables dependence and hence forwarding and masquerading doesn't work.

[1] http://www.phoronix.com/scan.php?page=news_item&px=systemd-networkd-IP-Forward
[2] http://cgit.freedesktop.org/systemd/systemd/commit/?id=5a8bcb674f71a20e95df55319b34c556638378ce


Steps to reproduce:
Since networkd swithes on NAT (masquerading) for nspawn container virtual ethernet devices by default (see systemd/network/80-container-ve.network), one way to reproduce is using nspawn container with option -n (--network-veth).

1. Bootstrap some distro in some directory to use with nspawn.
2. Start systemd-networkd on host:
# systemctl start systemd-networkd
3. Boot container with -n option:
# systemd-nspawn -n -b -D $path_to_container
4. Try to ping from container: ping won't be able to reach anything.
5. See systemd-networkd status on host:
# systemctl status systemd-networkd
It will report:
systemd-networkd: ve-%containername% : Could not enable IP masquerading: Operation not supported


My solution: I've added iptables to systemd package dependencies.


P.S. Since I believe that forwarding and masquerading is not non-essential function but the key feature I report this as a bug.