Containers not getting ipv4

Can you show the output of ps aux | grep dnsmasq and sudo ss -ulpn on the host please.

Of course:

ps aux | grep dnsmasq
libvirt+    5252  0.0  0.0   9476  1448 ?        S    10:24   0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
root        5254  0.0  0.0   9448   360 ?        S    10:24   0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
lxc-dns+    5444  0.0  0.0  17840   372 ?        S    10:24   0:00 dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsmasq.pid --listen-address 10.0.3.1 --dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative
lxd        39491  0.1  0.0  50204  3852 ?        Ss   10:31   0:02 dnsmasq --keep-in-foreground --strict-order --bind-interfaces --except-interface=lo --pid-file= --no-ping --interface=lxdbr0 --quiet-dhcp --quiet-dhcp6 --quiet-ra --listen-address=10.113.169.1 --dhcp-no-override --dhcp-authoritative --dhcp-leasefile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.leases --dhcp-hostsfile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.hosts --dhcp-range 10.113.169.2,10.113.169.254,1h --listen-address=fd42:d18b:9a6b:f1a0::1 --enable-ra --dhcp-range ::,constructor:lxdbr0,ra-stateless,ra-names -s lxd -S /lxd/ --conf-file=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.raw -u lxd -g lxd
root       80580  0.0  0.0  11864   596 pts/1    S+   11:02   0:00 grep --color=auto dnsmasq
ss -ulpn
State   Recv-Q  Send-Q                        Local Address:Port      Peer Address:Port  Process                                                            
UNCONN  0       0                              10.113.169.1:53             0.0.0.0:*      users:(("dnsmasq",pid=39491,fd=8))                                
UNCONN  0       0                                  10.0.3.1:53             0.0.0.0:*      users:(("dnsmasq",pid=5444,fd=6))                                 
UNCONN  0       0                             192.168.122.1:53             0.0.0.0:*      users:(("dnsmasq",pid=5252,fd=5))                                 
UNCONN  0       0                                 127.0.0.1:53             0.0.0.0:*      users:(("tor",pid=4063,fd=7))                                     
UNCONN  0       0                             127.0.0.53%lo:53             0.0.0.0:*      users:(("systemd-resolve",pid=3114,fd=12))                        
UNCONN  0       0                            0.0.0.0%lxdbr0:67             0.0.0.0:*      users:(("dnsmasq",pid=39491,fd=4))                                
UNCONN  0       0                            0.0.0.0%lxcbr0:67             0.0.0.0:*      users:(("dnsmasq",pid=5444,fd=4))                                 
UNCONN  0       0                            0.0.0.0%virbr0:67             0.0.0.0:*      users:(("dnsmasq",pid=5252,fd=3))                                 
UNCONN  0       0                                   0.0.0.0:111            0.0.0.0:*      users:(("rpcbind",pid=3109,fd=5),("systemd",pid=1,fd=226))        
UNCONN  0       0                              10.113.169.1:123            0.0.0.0:*      users:(("ntpd",pid=3930,fd=25))                                   
UNCONN  0       0                               192.168.1.8:123            0.0.0.0:*      users:(("ntpd",pid=3930,fd=23))                                   
UNCONN  0       0                                 127.0.0.1:123            0.0.0.0:*      users:(("ntpd",pid=3930,fd=18))                                   
UNCONN  0       0                                   0.0.0.0:123            0.0.0.0:*      users:(("ntpd",pid=3930,fd=17))                                   
UNCONN  0       0                            10.113.169.255:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=30))                                   
UNCONN  0       0                              10.113.169.1:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=29))                                   
UNCONN  0       0                             192.168.1.255:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=26))                                   
UNCONN  0       0                               192.168.1.8:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=25))                                   
UNCONN  0       0                                10.0.3.255:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=21))                                   
UNCONN  0       0                                  10.0.3.1:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=20))                                   
UNCONN  0       0                           192.168.122.255:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=17))                                   
UNCONN  0       0                             192.168.122.1:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=16))                                   
UNCONN  0       0                                   0.0.0.0:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=14))                                   
UNCONN  0       0                            10.113.169.255:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=32))                                   
UNCONN  0       0                              10.113.169.1:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=31))                                   
UNCONN  0       0                             192.168.1.255:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=28))                                   
UNCONN  0       0                               192.168.1.8:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=27))                                   
UNCONN  0       0                                10.0.3.255:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=23))                                   
UNCONN  0       0                                  10.0.3.1:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=22))                                   
UNCONN  0       0                           192.168.122.255:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=19))                                   
UNCONN  0       0                             192.168.122.1:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=18))                                   
UNCONN  0       0                                   0.0.0.0:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=15))                                   
UNCONN  0       0                                   0.0.0.0:631            0.0.0.0:*      users:(("cups-browsed",pid=3473,fd=7))                            
UNCONN  0       0                                   0.0.0.0:5353           0.0.0.0:*      users:(("avahi-daemon",pid=3275,fd=12))                           
UNCONN  0       0                                   0.0.0.0:42420          0.0.0.0:*      users:(("fusermount",pid=12197,fd=87),("pcloud",pid=7934,fd=87))  
UNCONN  0       0                                   0.0.0.0:38487          0.0.0.0:*                                                                        
UNCONN  0       0                                   0.0.0.0:59085          0.0.0.0:*      users:(("rpc.mountd",pid=3986,fd=12))                             
UNCONN  0       0                                   0.0.0.0:2049           0.0.0.0:*                                                                        
UNCONN  0       0                                   0.0.0.0:43814          0.0.0.0:*      users:(("rpc.mountd",pid=3986,fd=16))                             
UNCONN  0       0                                   0.0.0.0:35746          0.0.0.0:*      users:(("avahi-daemon",pid=3275,fd=14))                           
UNCONN  0       0                                   0.0.0.0:36143          0.0.0.0:*      users:(("rpc.mountd",pid=3986,fd=8))                              
UNCONN  0       0                                   0.0.0.0:3892           0.0.0.0:*      users:(("PanasonicMFSlpd",pid=3460,fd=5))                         
UNCONN  0       0                                   0.0.0.0:28501          0.0.0.0:*      users:(("mvdsv",pid=32848,fd=4))                                  
UNCONN  0       0                                   0.0.0.0:28502          0.0.0.0:*      users:(("mvdsv",pid=32859,fd=4))                                  
UNCONN  0       0                                   0.0.0.0:28503          0.0.0.0:*      users:(("mvdsv",pid=32872,fd=4))                                  
UNCONN  0       0                                   0.0.0.0:28504          0.0.0.0:*      users:(("mvdsv",pid=32879,fd=4))                                  
UNCONN  0       0                  [fd42:d18b:9a6b:f1a0::1]:53                [::]:*      users:(("dnsmasq",pid=39491,fd=10))                               
UNCONN  0       0                                      [::]:111               [::]:*      users:(("rpcbind",pid=3109,fd=7),("systemd",pid=1,fd=228))        
UNCONN  0       0         [fe80::216:3eff:fe5f:2943]%lxdbr0:123               [::]:*      users:(("ntpd",pid=3930,fd=27))                                   
UNCONN  0       0                  [fd42:d18b:9a6b:f1a0::1]:123               [::]:*      users:(("ntpd",pid=3930,fd=26))                                   
UNCONN  0       0        [fe80::88d6:c0f4:40d5:473c]%wlp2s0:123               [::]:*      users:(("ntpd",pid=3930,fd=24))                                   
UNCONN  0       0                                     [::1]:123               [::]:*      users:(("ntpd",pid=3930,fd=19))                                   
UNCONN  0       0                                      [::]:123               [::]:*      users:(("ntpd",pid=3930,fd=16))                                   
UNCONN  0       0                               [::]%lxdbr0:547               [::]:*      users:(("dnsmasq",pid=39491,fd=6))                                
UNCONN  0       0                                      [::]:33955             [::]:*                                                                        
UNCONN  0       0                                      [::]:5353              [::]:*      users:(("avahi-daemon",pid=3275,fd=13))                           
UNCONN  0       0                                      [::]:2049              [::]:*                                                                        
UNCONN  0       0                                      [::]:51715             [::]:*      users:(("avahi-daemon",pid=3275,fd=15))                           
UNCONN  0       0                                      [::]:59918             [::]:*      users:(("rpc.mountd",pid=3986,fd=18))                             
UNCONN  0       0                                      [::]:55900             [::]:*      users:(("rpc.mountd",pid=3986,fd=14))                             
UNCONN  0       0                                      [::]:36430             [::]:*      users:(("rpc.mountd",pid=3986,fd=10))

Thanks. OK so looking at the output of ps we can see dnsmasq is running for lxdbr0, that's good.

And looking at the output of your sudo ss -ulpn command and filtering it by the process ID of the lxdbr0 dnsmasq process we can see the following:

grep pid=39491 ~/dnsmasq.txt 
UNCONN  0       0                              10.113.169.1:53             0.0.0.0:*      users:(("dnsmasq",pid=39491,fd=8))                                
UNCONN  0       0                            0.0.0.0%lxdbr0:67             0.0.0.0:*      users:(("dnsmasq",pid=39491,fd=4))                                
UNCONN  0       0                  [fd42:d18b:9a6b:f1a0::1]:53                [::]:*      users:(("dnsmasq",pid=39491,fd=10))                               
UNCONN  0       0                               [::]%lxdbr0:547               [::]:*      users:(("dnsmasq",pid=39491,fd=6))  

This shows it listening on the wildcard addresses for lxdbr0 on ports 67 (DHCPv4) and 547 (DHCPv6), and listening on 10.113.169.1:53 and [fd42:d18b:9a6b:f1a0::1]:53 which are for DNS over v4 and v6 respectively.

However here we can see the issue. The IP 10.113.169.1 does not match the IP reported by lxc network ls for the lxdbr0 address, which you reported earlier as 10.46.233.1.

So I suspect the old dnsmasq instance is still running from before you reinitialised LXD.

If you kill the process 39491 and then reload LXD using sudo systemctl reload snap.lxd.daemon that should restart dnsmasq with the correct config.
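The check walked through above, as an added example that is not part of the original thread: it finds the dnsmasq process serving a bridge in ps aux output, confirms that PID holds the DHCP and DNS UDP sockets in ss -ulpn output, and compares its IPv4 listen address with the address expected for the bridge. The sample ps/ss text is constructed in the format shown in this thread, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: function names are hypothetical; sample input is constructed
# in the same format as the ps aux / ss -ulpn output quoted in this thread.

PS_SAMPLE='lxc-dns+    5444  0.0  0.0  17840   372 ?        S    10:24   0:00 dnsmasq -u lxc-dnsmasq --bind-interfaces --listen-address 10.0.3.1 --interface=lxcbr0
lxd        39491  0.1  0.0  50204  3852 ?        Ss   10:31   0:02 dnsmasq --keep-in-foreground --bind-interfaces --interface=lxdbr0 --listen-address=10.113.169.1 --listen-address=fd42:d18b:9a6b:f1a0::1 -u lxd -g lxd
root       80580  0.0  0.0  11864   596 pts/1    S+   11:02   0:00 grep --color=auto dnsmasq'

SS_SAMPLE='UNCONN  0  0     10.113.169.1:53   0.0.0.0:*  users:(("dnsmasq",pid=39491,fd=8))
UNCONN  0  0         10.0.3.1:53   0.0.0.0:*  users:(("dnsmasq",pid=5444,fd=6))
UNCONN  0  0   0.0.0.0%lxdbr0:67   0.0.0.0:*  users:(("dnsmasq",pid=39491,fd=4))
UNCONN  0  0   0.0.0.0%lxcbr0:67   0.0.0.0:*  users:(("dnsmasq",pid=5444,fd=4))'

# Print "PID IPV4_LISTEN_ADDRESS" for the dnsmasq serving interface $1.
# $2 is `ps aux` text; the command starts at field 11. Both option spellings
# seen in the thread are handled: --listen-address=A and --listen-address A.
dnsmasq_for_iface() {
    printf '%s\n' "$2" | awk -v want="--interface=$1" '
        $11 ~ /(^|\/)dnsmasq$/ {
            hit = 0; addr = ""
            for (i = 12; i <= NF; i++) {
                if ($i == want) hit = 1
                a = ""
                if ($i == "--listen-address") a = $(i + 1)
                else if (index($i, "--listen-address=") == 1) a = substr($i, 18)
                if (addr == "" && a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) addr = a
            }
            if (hit) { print $2, addr; exit }
        }'
}

# Succeed if PID $1 owns a UDP socket bound to local address:port $2.
# $3 is `ss -ulpn` text; field 4 is the Local Address:Port column.
pid_has_udp_socket() {
    printf '%s\n' "$3" | awk -v pid="pid=$1," -v loc="$2" '
        $4 == loc && index($0, pid) { found = 1 }
        END { exit !found }'
}

# check_bridge_dnsmasq IFACE EXPECTED_IPV4[/PREFIX] PS_TEXT SS_TEXT
# Prints a one-line verdict; returns non-zero on any problem.
check_bridge_dnsmasq() {
    iface=$1; expected=${2%/*}; ps_text=$3; ss_text=$4
    found=$(dnsmasq_for_iface "$iface" "$ps_text")
    [ -n "$found" ] || { echo "no-dnsmasq"; return 1; }
    pid=${found%% *}; addr=${found#* }
    pid_has_udp_socket "$pid" "0.0.0.0%$iface:67" "$ss_text" ||
        { echo "no-dhcp-socket pid=$pid"; return 1; }
    pid_has_udp_socket "$pid" "$addr:53" "$ss_text" ||
        { echo "no-dns-socket pid=$pid"; return 1; }
    [ "$addr" = "$expected" ] ||
        { echo "address-mismatch pid=$pid dnsmasq=$addr expected=$expected"; return 1; }
    echo "ok pid=$pid addr=$addr"
}

# On a live host the inputs would come from, for example:
#   check_bridge_dnsmasq lxdbr0 "$(lxc network get lxdbr0 ipv4.address)" \
#       "$(ps aux)" "$(sudo ss -ulpn)"
check_bridge_dnsmasq lxdbr0 10.113.169.1/24 "$PS_SAMPLE" "$SS_SAMPLE"
check_bridge_dnsmasq lxdbr0 10.46.233.1/24 "$PS_SAMPLE" "$SS_SAMPLE" || true
```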

Thank you.
I have rebooted the laptop several times before and it didn’t help me. Nevertheless I’ve done what you have said, but nothing changed.

| test-20-10-002 | RUNNING |      | fd42:d18b:9a6b:f1a0:216:3eff:feb3:123b (eth0) | CONTAINER | 0         |

The new container that I created after the kill & systemctl reload is also without IPv4.

Please show the output of the ss and ps commands as before.

ps aux | grep dnsmasq
libvirt+    5252  0.0  0.0   9476  1384 ?        S    10:24   0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
root        5254  0.0  0.0   9448   360 ?        S    10:24   0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
lxc-dns+    5444  0.0  0.0  17840   372 ?        S    10:24   0:00 dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsmasq.pid --listen-address 10.0.3.1 --dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative
lxd       126515  0.5  0.0  50200  3736 ?        Ss   11:24   0:02 dnsmasq --keep-in-foreground --strict-order --bind-interfaces --except-interface=lo --pid-file= --no-ping --interface=lxdbr0 --quiet-dhcp --quiet-dhcp6 --quiet-ra --listen-address=10.113.169.1 --dhcp-no-override --dhcp-authoritative --dhcp-leasefile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.leases --dhcp-hostsfile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.hosts --dhcp-range 10.113.169.2,10.113.169.254,1h --listen-address=fd42:d18b:9a6b:f1a0::1 --enable-ra --dhcp-range ::,constructor:lxdbr0,ra-stateless,ra-names -s lxd -S /lxd/ --conf-file=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.raw -u lxd -g lxd
root      134889  0.0  0.0  11864  1836 pts/1    S+   11:31   0:00 grep --color=auto dnsmasq
ss -ulpn
State   Recv-Q  Send-Q                        Local Address:Port      Peer Address:Port  Process                                                            
UNCONN  0       0                              10.113.169.1:53             0.0.0.0:*      users:(("dnsmasq",pid=126515,fd=8))                               
UNCONN  0       0                                  10.0.3.1:53             0.0.0.0:*      users:(("dnsmasq",pid=5444,fd=6))                                 
UNCONN  0       0                             192.168.122.1:53             0.0.0.0:*      users:(("dnsmasq",pid=5252,fd=5))                                 
UNCONN  0       0                                 127.0.0.1:53             0.0.0.0:*      users:(("tor",pid=4063,fd=7))                                     
UNCONN  0       0                             127.0.0.53%lo:53             0.0.0.0:*      users:(("systemd-resolve",pid=3114,fd=12))                        
UNCONN  0       0                            0.0.0.0%lxdbr0:67             0.0.0.0:*      users:(("dnsmasq",pid=126515,fd=4))                               
UNCONN  0       0                            0.0.0.0%lxcbr0:67             0.0.0.0:*      users:(("dnsmasq",pid=5444,fd=4))                                 
UNCONN  0       0                            0.0.0.0%virbr0:67             0.0.0.0:*      users:(("dnsmasq",pid=5252,fd=3))                                 
UNCONN  0       0                                   0.0.0.0:111            0.0.0.0:*      users:(("rpcbind",pid=3109,fd=5),("systemd",pid=1,fd=250))        
UNCONN  0       0                               192.168.1.8:123            0.0.0.0:*      users:(("ntpd",pid=3930,fd=23))                                   
UNCONN  0       0                              10.113.169.1:123            0.0.0.0:*      users:(("ntpd",pid=3930,fd=25))                                   
UNCONN  0       0                                 127.0.0.1:123            0.0.0.0:*      users:(("ntpd",pid=3930,fd=18))                                   
UNCONN  0       0                                   0.0.0.0:123            0.0.0.0:*      users:(("ntpd",pid=3930,fd=17))                                   
UNCONN  0       0                            172.17.255.255:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=34))                                   
UNCONN  0       0                                172.17.0.1:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=33))                                   
UNCONN  0       0                            10.113.169.255:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=30))                                   
UNCONN  0       0                              10.113.169.1:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=29))                                   
UNCONN  0       0                             192.168.1.255:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=26))                                   
UNCONN  0       0                               192.168.1.8:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=25))                                   
UNCONN  0       0                                10.0.3.255:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=21))                                   
UNCONN  0       0                                  10.0.3.1:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=20))                                   
UNCONN  0       0                           192.168.122.255:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=17))                                   
UNCONN  0       0                             192.168.122.1:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=16))                                   
UNCONN  0       0                                   0.0.0.0:137            0.0.0.0:*      users:(("nmbd",pid=5258,fd=14))                                   
UNCONN  0       0                            172.17.255.255:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=36))                                   
UNCONN  0       0                                172.17.0.1:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=35))                                   
UNCONN  0       0                            10.113.169.255:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=32))                                   
UNCONN  0       0                              10.113.169.1:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=31))                                   
UNCONN  0       0                             192.168.1.255:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=28))                                   
UNCONN  0       0                               192.168.1.8:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=27))                                   
UNCONN  0       0                                10.0.3.255:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=23))                                   
UNCONN  0       0                                  10.0.3.1:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=22))                                   
UNCONN  0       0                           192.168.122.255:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=19))                                   
UNCONN  0       0                             192.168.122.1:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=18))                                   
UNCONN  0       0                                   0.0.0.0:138            0.0.0.0:*      users:(("nmbd",pid=5258,fd=15))                                   
UNCONN  0       0                                   0.0.0.0:631            0.0.0.0:*      users:(("cups-browsed",pid=3473,fd=7))                            
UNCONN  0       0                                   0.0.0.0:5353           0.0.0.0:*      users:(("avahi-daemon",pid=3275,fd=12))                           
UNCONN  0       0                                   0.0.0.0:42420          0.0.0.0:*      users:(("fusermount",pid=12197,fd=87),("pcloud",pid=7934,fd=87))  
UNCONN  0       0                                   0.0.0.0:38487          0.0.0.0:*                                                                        
UNCONN  0       0                                   0.0.0.0:59085          0.0.0.0:*      users:(("rpc.mountd",pid=3986,fd=12))                             
UNCONN  0       0                                   0.0.0.0:2049           0.0.0.0:*                                                                        
UNCONN  0       0                                   0.0.0.0:43814          0.0.0.0:*      users:(("rpc.mountd",pid=3986,fd=16))                             
UNCONN  0       0                                   0.0.0.0:35746          0.0.0.0:*      users:(("avahi-daemon",pid=3275,fd=14))                           
UNCONN  0       0                                   0.0.0.0:36143          0.0.0.0:*      users:(("rpc.mountd",pid=3986,fd=8))                              
UNCONN  0       0                                   0.0.0.0:3892           0.0.0.0:*      users:(("PanasonicMFSlpd",pid=3460,fd=5))                         
UNCONN  0       0                                   0.0.0.0:28501          0.0.0.0:*      users:(("mvdsv",pid=32848,fd=4))                                  
UNCONN  0       0                                   0.0.0.0:28502          0.0.0.0:*      users:(("mvdsv",pid=32859,fd=4))                                  
UNCONN  0       0                                   0.0.0.0:28503          0.0.0.0:*      users:(("mvdsv",pid=32872,fd=4))                                  
UNCONN  0       0                                   0.0.0.0:28504          0.0.0.0:*      users:(("mvdsv",pid=32879,fd=4))                                  
UNCONN  0       0                  [fd42:d18b:9a6b:f1a0::1]:53                [::]:*      users:(("dnsmasq",pid=126515,fd=12))                              
UNCONN  0       0         [fe80::216:3eff:fe5f:2943]%lxdbr0:53                [::]:*      users:(("dnsmasq",pid=126515,fd=10))                              
UNCONN  0       0                                      [::]:111               [::]:*      users:(("rpcbind",pid=3109,fd=7),("systemd",pid=1,fd=252))        
UNCONN  0       0        [fe80::88d6:c0f4:40d5:473c]%wlp2s0:123               [::]:*      users:(("ntpd",pid=3930,fd=24))                                   
UNCONN  0       0         [fe80::216:3eff:fe5f:2943]%lxdbr0:123               [::]:*      users:(("ntpd",pid=3930,fd=27))                                   
UNCONN  0       0                  [fd42:d18b:9a6b:f1a0::1]:123               [::]:*      users:(("ntpd",pid=3930,fd=26))                                   
UNCONN  0       0                                     [::1]:123               [::]:*      users:(("ntpd",pid=3930,fd=19))                                   
UNCONN  0       0                                      [::]:123               [::]:*      users:(("ntpd",pid=3930,fd=16))                                   
UNCONN  0       0                               [::]%lxdbr0:547               [::]:*      users:(("dnsmasq",pid=126515,fd=6))                               
UNCONN  0       0                                      [::]:33955             [::]:*                                                                        
UNCONN  0       0                                      [::]:5353              [::]:*      users:(("avahi-daemon",pid=3275,fd=13))                           
UNCONN  0       0                                      [::]:2049              [::]:*                                                                        
UNCONN  0       0                                      [::]:51715             [::]:*      users:(("avahi-daemon",pid=3275,fd=15))                           
UNCONN  0       0                                      [::]:59918             [::]:*      users:(("rpc.mountd",pid=3986,fd=18))                             
UNCONN  0       0                                      [::]:55900             [::]:*      users:(("rpc.mountd",pid=3986,fd=14))                             
UNCONN  0       0                                      [::]:36430             [::]:*      users:(("rpc.mountd",pid=3986,fd=10)) 

Yep still not right:

lxd       126515  0.5  0.0  50200  3736 ?        Ss   11:24   0:02 dnsmasq --keep-in-foreground --strict-order --bind-interfaces --except-interface=lo --pid-file= --no-ping --interface=lxdbr0 --quiet-dhcp --quiet-dhcp6 --quiet-ra --listen-address=10.113.169.1 --dhcp-no-override --dhcp-authoritative --dhcp-leasefile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.leases --dhcp-hostsfile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.hosts --dhcp-range 10.113.169.2,10.113.169.254,1h --listen-address=fd42:d18b:9a6b:f1a0::1 --enable-ra --dhcp-range ::,constructor:lxdbr0,ra-stateless,ra-names -s lxd -S /lxd/ --conf-file=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.raw -u lxd -g lxd
grep pid=126515 ~/dnsmasq.txt 
UNCONN  0       0                              10.113.169.1:53             0.0.0.0:*      users:(("dnsmasq",pid=126515,fd=8))                               
UNCONN  0       0                            0.0.0.0%lxdbr0:67             0.0.0.0:*      users:(("dnsmasq",pid=126515,fd=4))                               
UNCONN  0       0                  [fd42:d18b:9a6b:f1a0::1]:53                [::]:*      users:(("dnsmasq",pid=126515,fd=12))                              
UNCONN  0       0         [fe80::216:3eff:fe5f:2943]%lxdbr0:53                [::]:*      users:(("dnsmasq",pid=126515,fd=10))                              
UNCONN  0       0                               [::]%lxdbr0:547               [::]:*      users:(("dnsmasq",pid=126515,fd=6))      

Please show output of ip a on the host.

Also please show the output of sudo lxd sql global 'select * from networks' and sudo lxd sql global 'select * from networks_config'

Also what version of LXD are you running?

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether c4:54:44:cd:76:c4 brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether bc:30:7d:65:0c:44 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.8/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp2s0
       valid_lft 85295sec preferred_lft 85295sec
    inet6 fe80::88d6:c0f4:40d5:473c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:8b:08:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:8b:08:56 brd ff:ff:ff:ff:ff:ff
6: lxcbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.1/24 scope global lxcbr0
       valid_lft forever preferred_lft forever
7: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:5f:29:43 brd ff:ff:ff:ff:ff:ff
    inet 10.113.169.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fd42:d18b:9a6b:f1a0::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe5f:2943/64 scope link 
       valid_lft forever preferred_lft forever
9: veth8dcb163b@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether f6:cb:d9:12:13:e9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
10: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:3b:f5:cd:88 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:3bff:fef5:cd88/64 scope link 
       valid_lft forever preferred_lft forever
16: veth38cf9920@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether 6a:73:d0:d1:58:3d brd ff:ff:ff:ff:ff:ff link-netnsid 2

sudo lxd sql global 'select * from networks'
+----+------------+--------+-------------+-------+------+
| id | project_id |  name  | description | state | type |
+----+------------+--------+-------------+-------+------+
| 1  | 1          | lxdbr0 |             | 1     | 0    |
+----+------------+--------+-------------+-------+------+
sudo lxd sql global 'select * from networks_config'
+----+------------+---------+--------------+---------------------------+
| id | network_id | node_id |     key      |           value           |
+----+------------+---------+--------------+---------------------------+
| 1  | 1          | <nil>   | ipv6.address | fd42:d18b:9a6b:f1a0::1/64 |
| 2  | 1          | <nil>   | ipv4.nat     | true                      |
| 3  | 1          | <nil>   | ipv6.nat     | true                      |
| 4  | 1          | <nil>   | ipv4.address | 10.113.169.1/24           |
+----+------------+---------+--------------+---------------------------+
lxd version
4.11

Oh right so your lxdbr0 network IP is 10.113.169.1/24 and not the 10.46.233.1/24 you originally posted above. That must have been the old config before you reinitialised LXD.

In that case everything lines up correctly.

If DHCP is still not working then it's likely a firewall on your host.

Please show output of sudo iptables-save and sudo nft list ruleset.

sudo iptables-save
# Generated by iptables-save v1.8.4 on Thu Mar  4 12:04:33 2021
*nat
:PREROUTING ACCEPT [854:196103]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2336:160593]
:POSTROUTING ACCEPT [2327:159969]
:DOCKER - [0:0]
:LIBVIRT_PRT - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:POST_public_post - [0:0]
:POST_public_pre - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
:PRE_public_post - [0:0]
:PRE_public_pre - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j OUTPUT_direct
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING_ZONES -o wlp2s0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_pre
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A POST_public -j POST_public_post
-A PREROUTING_ZONES -i wlp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_pre
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_public -j PRE_public_post
COMMIT
# Completed on Thu Mar  4 12:04:33 2021
# Generated by iptables-save v1.8.4 on Thu Mar  4 12:04:33 2021
*mangle
:PREROUTING ACCEPT [174140:222476178]
:INPUT ACCEPT [173545:222266121]
:FORWARD ACCEPT [274:103171]
:OUTPUT ACCEPT [99490:7854448]
:POSTROUTING ACCEPT [99798:7952199]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:LIBVIRT_PRT - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
:PRE_public_post - [0:0]
:PRE_public_pre - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A PREROUTING_ZONES -i wlp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_pre
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_public -j PRE_public_post
COMMIT
# Completed on Thu Mar  4 12:04:33 2021
# Generated by iptables-save v1.8.4 on Thu Mar  4 12:04:33 2021
*raw
:PREROUTING ACCEPT [174140:222476178]
:OUTPUT ACCEPT [99490:7854448]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
:PRE_public_post - [0:0]
:PRE_public_pre - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i wlp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_pre
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_public -j PRE_public_post
COMMIT
# Completed on Thu Mar  4 12:04:33 2021
# Generated by iptables-save v1.8.4 on Thu Mar  4 12:04:33 2021
*security
:INPUT ACCEPT [668962:931035088]
:FORWARD ACCEPT [196:77743]
:OUTPUT ACCEPT [345952:22086468]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Mar  4 12:04:33 2021
# Generated by iptables-save v1.8.4 on Thu Mar  4 12:04:33 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [96419:7573403]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDI_public_post - [0:0]
:FWDI_public_pre - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:FWDO_public_post - [0:0]
:FWDO_public_pre - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:IN_public_post - [0:0]
:IN_public_pre - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -j LIBVIRT_INP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j LIBVIRT_OUT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A FORWARD_IN_ZONES -i wlp2s0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o wlp2s0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_pre
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -j FWDI_public_post
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_pre
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A FWDO_public -j FWDO_public_post
-A INPUT_ZONES -i wlp2s0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_pre
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -j IN_public_post
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Thu Mar  4 12:04:33 2021
sudo nft list ruleset
sudo: nft: command not found

OK so there is quite a lot going on there. The first thing I notice is that you have mentions of docker, which is known to add rules that can interfere with LXD’s networking (although I cannot specifically see the problem it normally causes in your ruleset).

However you are also missing the rules that LXD adds to allow inbound DHCP and DNS to lxdbr0 from the containers. So this suggests that another firewall in your system is wiping the rules added by LXD.

Can you reload LXD (without rebooting) and see if the lxdbr0 related rules are added. If they are and DHCP then works, then it will be an issue with the start order of LXD in relation to your other applications that are modifying the firewall rules.

Done. I’ve disabled ufw and restarted snap.lxd.daemon.service. But it seems there is nothing related to LXD in iptables:

# Generated by iptables-save v1.8.4 on Thu Mar  4 13:26:16 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1757:210562]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDI_public_post - [0:0]
:FWDI_public_pre - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:FWDO_public_post - [0:0]
:FWDO_public_pre - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:IN_public_post - [0:0]
:IN_public_pre - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -j LIBVIRT_INP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j LIBVIRT_OUT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A FORWARD_IN_ZONES -i veth5a3aa82d -g FWDI_public
-A FORWARD_IN_ZONES -i vethc67af6b2 -g FWDI_public
-A FORWARD_IN_ZONES -i wlp2s0 -g FWDI_public
-A FORWARD_IN_ZONES -i veth1c04a137 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o veth5a3aa82d -g FWDO_public
-A FORWARD_OUT_ZONES -o vethc67af6b2 -g FWDO_public
-A FORWARD_OUT_ZONES -o wlp2s0 -g FWDO_public
-A FORWARD_OUT_ZONES -o veth1c04a137 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_pre
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -j FWDI_public_post
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_pre
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A FWDO_public -j FWDO_public_post
-A INPUT_ZONES -i veth5a3aa82d -g IN_public
-A INPUT_ZONES -i vethc67af6b2 -g IN_public
-A INPUT_ZONES -i wlp2s0 -g IN_public
-A INPUT_ZONES -i veth1c04a137 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_pre
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -j IN_public_post
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Thu Mar  4 13:26:16 2021

Before this issue happened I installed cloud-init via apt. And it worked fine, before I rebooted the laptop.

Please show output of lxc info | grep 'firewall:'

lxc info | grep 'firewall:'
  firewall: nftables

Ah so you’re using nftables, so sudo apt install nftables -y and then sudo nft list ruleset.

Is it working with ufw disabled btw?


But this line is going to be causing problems, any ideas what’s adding that to your firewall (it’s not LXD)?

Because although LXD is using nftables, it’s likely that iptables is actually using nftables too, and any reject or drop statements added in a netfilter chain that LXD doesn’t know about will still be evaluated even if LXD’s own rules say to accept the inbound DHCP/DNS packets. This is a rather unfortunate behaviour of nftables, compared to iptables, that any reject or drop in any other chain will cause the packet to be rejected/dropped even if it’s already been accepted by an earlier chain in a different netfilter hook.

See Upgraded to Ubuntu 20.10, now no ipv4 - #7 by tomp

So you need to ensure that no rules generated by your other firewalls would cause LXD’s traffic to be dropped.

See Lxd bridge doesn't work with IPv4 and UFW with nftables - #17 by tomp for a way to instruct ufw to allow lxdbr0 traffic.

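A small checker for the situation described in the post above, added here as an illustration and not part of the original thread or of LXD: it walks the INPUT chain of iptables-save output for a new DHCP request arriving on lxdbr0 and reports the first rule that terminates it. The sample ruleset is constructed (abridged, in the shape of the output posted earlier), and the function names and the packet dictionary are assumptions of this example.

```python
import shlex

# Constructed sample: abridged *filter table in the shape of the thread's iptables-save output.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -g IN_public
-A IN_public -p icmp -j ACCEPT
COMMIT
"""
FIELDS = {"-i": "iface", "-p": "proto", "--dport": "dport", "--ctstate": "state"}

def parse(text):
    """Map chain name -> rule token lists (pass one table's text only)."""
    rules = {}
    for line in text.splitlines():
        if line.startswith("-A "):
            tok = shlex.split(line)
            rules.setdefault(tok[1], []).append(tok[2:])
    return rules

def matches(tok, pkt):
    """Model only -i, -p, --dport, --ctstate (with '!'); other matches count as true."""
    neg = False
    for k, v in zip(tok, tok[1:]):
        if k in FIELDS:
            if (pkt[FIELDS[k]] in v.split(",")) == neg:
                return False
        neg = (k == "!")  # '!' negates only the option that directly follows it
    return True

def verdict(rules, chain, pkt):
    """First terminating (verdict, rule) for pkt, or None if the chain falls through."""
    for tok in rules.get(chain, []):
        flag = next((f for f in ("-j", "-g") if f in tok), None)
        if flag is None or not matches(tok, pkt):
            continue
        target = tok[tok.index(flag) + 1]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, " ".join(tok)
        hit = verdict(rules, target, pkt) if target in rules else None
        if hit or flag == "-g" or target == "RETURN":  # goto never resumes this chain
            return hit
    return None

DHCP_ON_LXDBR0 = {"iface": "lxdbr0", "proto": "udp", "dport": "67", "state": "NEW"}
```

Calling `verdict(parse(SAMPLE), "INPUT", DHCP_ON_LXDBR0)` returns the rule another firewall would use to terminate the request. As the post explains, under nftables a reject found this way still applies even when LXD's own table accepts the packet.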

Thank you!!!
I’ve removed this line from iptables, restarted snap.lxd.daemon.service and it works!
So I need to find what puts this line in iptables for ipv4 to work across reboots, or install iptables-persistent.

I had a similar problem: all my containers had lost network connectivity. After removing the ufw package and rebooting, everything is working again.


Thank you. I just solved the problem.

I am using VestaCP / CentOS 7.

I just realized that my containers’ ipv4 disappeared after changing firewall rules in VestaCP. Possibly VestaCP removed some iptables rules which were generated by LXD.

The temporary solution is re-adding the rules by restarting the lxd daemon. And then, connect the network again.

service snap.lxd.daemon.service restart

lxc exec <container name> bash
ifup eth0