Choosing the firewall driver in LXD

I have come across this post regarding the logic behind choosing the firewall driver when trying to debug why my firewall rules were being created in nftables instead of xtables.

I was wondering if there is a way to strictly choose a firewall driver to use even if say both nftables and xtables are empty and available to use xtables regardless.

Not currently, you can only influence the decision by the available tooling (although this is bundled with the snap so can't be controlled by the admin if using the snap package) and the rulesets that are active.

Right, the usual workaround there is to insert a pointless rule in xtables which will then have LXD use it rather than nftables.
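The workaround from the reply above, as an added example that is not from the thread's authors or the LXD project: a small POSIX shell script that models the driver choice the thread describes (active xtables rules win, otherwise nft if its tooling is present), adds a harmless empty chain so xtables is no longer empty, and shows how to confirm what LXD picked. It assumes root, `iptables` and the `lxc` client on PATH, that LXD evaluates the choice when the daemon starts, and the chain name `LXD_FORCE_XTABLES` is a constructed placeholder.

```shell
#!/bin/sh
# Added example; not LXD's own selection code, a simplified model of it.

# Return 0 if an `iptables -S` listing holds anything beyond the built-in
# policy lines (i.e. xtables is "in use"), 1 if the ruleset is empty.
xtables_in_use() {
    # Built-in chains print as "-P CHAIN POLICY"; any other line is a
    # user-defined chain or a rule.
    printf '%s\n' "$1" | grep -qvE '^-P (INPUT|FORWARD|OUTPUT) '
}

# Decide the driver the way the thread describes:
#   $1 = `iptables -S` output, $2 = "yes" when the nft binary is available.
pick_driver() {
    if xtables_in_use "$1"; then
        echo xtables          # existing xtables rules keep LXD on xtables
    elif [ "$2" = yes ]; then
        echo nftables         # empty rulesets and nft present -> nftables
    else
        echo xtables          # no nft tooling at all -> xtables
    fi
}

# The workaround: an empty chain matches no traffic but makes the
# xtables ruleset non-empty. Restart LXD afterwards so it re-evaluates.
apply_workaround() {
    iptables -N LXD_FORCE_XTABLES 2>/dev/null || true   # placeholder name
    iptables -S LXD_FORCE_XTABLES
}

# Confirm the choice: `lxc info` reports the driver in its environment block.
show_driver() {
    lxc info | grep -E '^[[:space:]]*firewall:'
}

# Only touch the host when explicitly asked; functions stay side-effect free.
if [ "${1:-}" = --apply ]; then
    apply_workaround
    show_driver
fi
```

Remember the maintainer's caveat further down: once you pin xtables this way, every other rule on the host should also stay in xtables, otherwise you end up with the mixed ruleset they warn about.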

Got it, the rule option would be a simple workaround.

Would this be a possible feature to be implemented in future LXD iterations?

We may be able to add an environment variable to force it one way or the other, but in general don’t like messing with that too much as we’d likely end up with a bunch of folks setting it to xtables, forgetting about it and a few years later being in a lot of pain when everything else uses nft and they’re getting a mixed set of rules (which is non-deterministic as far as enforcement behavior).
