I’m looking for help in clarifying a few things related to LXD networking. I tried to get more insight (also about “bridges”) from web articles, but with limited success.
I noticed that LXD enables net.ipv4.ip_forward and adds the related iptables rules:
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
Could you explain why this is needed? Is it because the host serves as a sort of router/middleman for the containers and forwards packets to them?
The ipv4.dhcp option in LXD seems to cause the following iptables rules to be added:
-A INPUT -i lxcbr0 -p udp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o lxcbr0 -p udp --sport 67 -j ACCEPT
-A OUTPUT -o lxcbr0 -p udp --sport 53 -j ACCEPT
-A OUTPUT -o lxcbr0 -p tcp --sport 53 -j ACCEPT
These are just to allow incoming/outgoing DHCP and DNS negotiation, in case the firewall drops by default, correct?
From what I understand, the following rule:
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
…is required for older buggy DHCP clients, presumably in containers. Can I assume that this rule would not be needed at all for modern containers (like recent Ubuntu, Alpine)?
The ipv4.firewall option serves as a master toggle for all of the above, correct?
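An added example, not part of the question above and not LXD's own code: a small audit script that parses iptables-save style output and checks which of the rule groups quoted in the question (bridge-scoped FORWARD accepts, DHCP/DNS INPUT/OUTPUT accepts, the CHECKSUM --checksum-fill rule) are present for a given bridge. The sample rule text is constructed to reproduce the rules from the question with the bridge name lxcbr0; the extra check for FORWARD ACCEPT rules with no interface restriction is the script's own addition, useful for confirming that a host only forwards traffic for the container bridge rather than everything.

```python
"""Audit an iptables-save dump for the bridge rules described in the question."""
import shlex

# Constructed sample reproducing the rules quoted in the question (not a real capture).
SAMPLE_RULES = """
*filter
-A INPUT -i lxcbr0 -p udp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp --dport 53 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A OUTPUT -o lxcbr0 -p udp --sport 67 -j ACCEPT
-A OUTPUT -o lxcbr0 -p udp --sport 53 -j ACCEPT
-A OUTPUT -o lxcbr0 -p tcp --sport 53 -j ACCEPT
COMMIT
*mangle
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
"""

# Constructed sample of a weaker host: forwarding is accepted for every interface,
# and the DHCP/DNS rules are absent (as when ipv4.dhcp is off or the rules were removed).
BROAD_SAMPLE = """
*filter
-A FORWARD -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Turn one '-A ...' line into an option dict; value-less flags map to True."""
    tokens = shlex.split(line)
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tok] = tokens[i + 1]
                i += 2
                continue
            opts[tok] = True
        i += 1
    return opts


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("-A ")]


def audit(text, bridge):
    """Classify each rule that touches `bridge` into the groups from the question."""
    found = {"forward_in": False, "forward_out": False,
             "dhcp_in": False, "dhcp_out": False,
             "dns_in": set(), "dns_out": set(),
             "checksum_fill": False, "broad_forward": []}
    for r in load_rules(text):
        chain, target, proto = r.get("-A"), r.get("-j"), r.get("-p")
        if chain == "FORWARD" and target == "ACCEPT":
            if "-i" not in r and "-o" not in r:      # accepts forwarding for any interface
                found["broad_forward"].append(r)
            if r.get("-i") == bridge:
                found["forward_in"] = True
            if r.get("-o") == bridge:
                found["forward_out"] = True
        elif chain == "INPUT" and r.get("-i") == bridge and target == "ACCEPT":
            if proto == "udp" and r.get("--dport") == "67":   # DHCP server port
                found["dhcp_in"] = True
            if r.get("--dport") == "53":                       # DNS, udp and tcp
                found["dns_in"].add(proto)
        elif chain == "OUTPUT" and r.get("-o") == bridge and target == "ACCEPT":
            if proto == "udp" and r.get("--sport") == "67":
                found["dhcp_out"] = True
            if r.get("--sport") == "53":
                found["dns_out"].add(proto)
        elif chain == "POSTROUTING" and r.get("-o") == bridge and target == "CHECKSUM":
            if proto == "udp" and r.get("--dport") == "68" and r.get("--checksum-fill") is True:
                found["checksum_fill"] = True
    return found


def summarize(found):
    """Collapse the audit into the yes/no questions a host review needs answered."""
    return {
        "forwarding_rules": found["forward_in"] and found["forward_out"],
        "dhcp_dns_rules": (found["dhcp_in"] and found["dhcp_out"]
                           and found["dns_in"] == {"udp", "tcp"}
                           and found["dns_out"] == {"udp", "tcp"}),
        "checksum_fill": found["checksum_fill"],
        "unscoped_forward_accept": len(found["broad_forward"]),
    }


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_RULES), ("broad", BROAD_SAMPLE)):
        print(name, summarize(audit(text, "lxcbr0")))
```

On a real host the same functions can be fed the output of `iptables-save`; any non-zero `unscoped_forward_accept` count means the FORWARD chain accepts traffic beyond the container bridge and deserves a look.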