ACLs and Bridging

My network uses IPv6 but needs to handle prefix changes, so I need containers to receive router advertisements from the external router. I’m using a VLAN tag specifically for this purpose.

In IncusOS, I configured a vlan interface with the instances role.
In Incus itself I configured a macvlan interface with the vlan as a parent, which made this work.

However, I also want to utilize ACLs, which are only available to Bridge and OVN interfaces.
But once I set up a Bridge with its parent as the macvlan, my instance doesn’t receive RAs.

(Continued from discussion in General)

Oh, hold on, you’re on IncusOS, that changes things 🙂
Can you show your incus admin os system network show?

Here’s the output (replacing my GUA prefix with 2001:db8)

config:
  interfaces:
  - addresses:
    - dhcp4
    - slaac
    hwaddr: f8:e4:3b:b7:94:c3
    name: f8e43bb794c3
    required_for_online: ipv6
  time:
    timezone: America/Chicago
  vlans:
  - addresses:
    - slaac
    id: 8
    name: vlan08
    parent: f8e43bb794c3
    roles:
    - instances
state:
  interfaces:
    f8e43bb794c3:
      addresses:
      - 10.121.64.110
      - fd5b:7e71:a0dc:0:fae4:3bff:feb7:94c3
      - 2001:db8::fae4:3bff:feb7:94c3
      hwaddr: f8:e4:3b:b7:94:c3
      mtu: 1500
      roles:
      - management
      - cluster
      routes:
      - to: default
        via: 10.121.64.1
      speed: "0"
      state: routable
      stats:
        rx_bytes: 1.147467e+07
        rx_errors: 0
        tx_bytes: 6.641794e+06
        tx_errors: 0
      type: interface
    vlan08:
      addresses:
      - 2001:db8::fae4:3bff:feb7:94c3
      - fd10:707c:7c8:8:fae4:3bff:feb7:94c3
      hwaddr: f8:e4:3b:b7:94:c3
      mtu: 1500
      roles:
      - instances
      - management
      - cluster
      speed: "0"
      state: routable
      stats:
        rx_bytes: 2.13633e+06
        rx_errors: 0
        tx_bytes: 6.554036e+06
        tx_errors: 0
      type: vlan

Hmm, right, that’s going to be slightly annoying as your host itself needs that VLAN for connectivity… If it didn’t and it was just going to be the containers, it would have been pretty easy to unset addresses and then consume the vlan08 interface through bridge.external_interfaces but yeah, no such luck here.

I don’t need host connectivity with vlan08 – using the untagged interface for connectivity is fine. Would it work to remove addresses: ["slaac"] and use addresses: [] for vlan08?

Edit: works!
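Putting the thread's conclusion together, as an added example that is not taken from any of the posts above: the IncusOS network config with the vlan08 stanza changed from addresses: [slaac] to addresses: [], followed by an Incus bridge network that consumes vlan08 through bridge.external_interfaces and has an ACL attached via security.acls. The network name br-vlan08, the ACL name vlan08-acl and its rules are assumptions for illustration; the interface name, MAC and VLAN id are the ones shown in the output above. The bridge and ACL sections are written in the shape of incus network show / incus network acl show output, and the time: section of the IncusOS config is omitted because it is unrelated.

```yaml
# --- IncusOS network config after the fix (incus admin os system network edit) ---
# vlan08 keeps the "instances" role but carries no addresses, so the host no
# longer joins VLAN 8 itself and the interface is free to be enslaved to a bridge.
config:
  interfaces:
  - addresses:
    - dhcp4
    - slaac
    hwaddr: f8:e4:3b:b7:94:c3
    name: f8e43bb794c3
    required_for_online: ipv6
  vlans:
  - addresses: []          # was: [slaac]; untagged interface handles host connectivity
    id: 8
    name: vlan08
    parent: f8e43bb794c3
    roles:
    - instances
---
# --- Incus managed bridge on top of vlan08 (assumed name: br-vlan08) ---
# ipv4.address/ipv6.address set to "none" so Incus runs no dnsmasq/RA of its own;
# the instances see the RAs sent by the external router on VLAN 8 instead.
name: br-vlan08
description: Bridge onto VLAN 8, addressing from the upstream router
type: bridge
config:
  bridge.external_interfaces: vlan08
  ipv4.address: none
  ipv6.address: none
  security.acls: vlan08-acl          # ACL below (assumed name)
---
# --- Network ACL attached to the bridge (assumed name and rules) ---
# Traffic not matched by a rule falls back to the security.acls.default.*.action
# settings of the network, so list only what the instances must accept.
name: vlan08-acl
description: Allow SSH and web to instances on VLAN 8
egress: []
ingress:
- action: allow
  protocol: tcp
  destination_port: "22"
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "80,443"
  state: enabled
```

After attaching the ACL, confirm from inside an instance that it still forms a global address from the router's RA (for example with ip -6 addr on the instance's NIC) before relying on the setup, since the point of the whole exercise is that the prefix stays router-controlled; if an address is missing, check the ACL and the default ingress/egress actions first.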