Can you show the output of `ps aux | grep dnsmasq` and `sudo ss -ulpn` on the host please.
Of course:
ps aux | grep dnsmasq
libvirt+ 5252 0.0 0.0 9476 1448 ? S 10:24 0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
root 5254 0.0 0.0 9448 360 ? S 10:24 0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
lxc-dns+ 5444 0.0 0.0 17840 372 ? S 10:24 0:00 dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsmasq.pid --listen-address 10.0.3.1 --dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative
lxd 39491 0.1 0.0 50204 3852 ? Ss 10:31 0:02 dnsmasq --keep-in-foreground --strict-order --bind-interfaces --except-interface=lo --pid-file= --no-ping --interface=lxdbr0 --quiet-dhcp --quiet-dhcp6 --quiet-ra --listen-address=10.113.169.1 --dhcp-no-override --dhcp-authoritative --dhcp-leasefile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.leases --dhcp-hostsfile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.hosts --dhcp-range 10.113.169.2,10.113.169.254,1h --listen-address=fd42:d18b:9a6b:f1a0::1 --enable-ra --dhcp-range ::,constructor:lxdbr0,ra-stateless,ra-names -s lxd -S /lxd/ --conf-file=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.raw -u lxd -g lxd
root 80580 0.0 0.0 11864 596 pts/1 S+ 11:02 0:00 grep --color=auto dnsmasq
ss -ulpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 10.113.169.1:53 0.0.0.0:* users:(("dnsmasq",pid=39491,fd=8))
UNCONN 0 0 10.0.3.1:53 0.0.0.0:* users:(("dnsmasq",pid=5444,fd=6))
UNCONN 0 0 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=5252,fd=5))
UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("tor",pid=4063,fd=7))
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=3114,fd=12))
UNCONN 0 0 0.0.0.0%lxdbr0:67 0.0.0.0:* users:(("dnsmasq",pid=39491,fd=4))
UNCONN 0 0 0.0.0.0%lxcbr0:67 0.0.0.0:* users:(("dnsmasq",pid=5444,fd=4))
UNCONN 0 0 0.0.0.0%virbr0:67 0.0.0.0:* users:(("dnsmasq",pid=5252,fd=3))
UNCONN 0 0 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=3109,fd=5),("systemd",pid=1,fd=226))
UNCONN 0 0 10.113.169.1:123 0.0.0.0:* users:(("ntpd",pid=3930,fd=25))
UNCONN 0 0 192.168.1.8:123 0.0.0.0:* users:(("ntpd",pid=3930,fd=23))
UNCONN 0 0 127.0.0.1:123 0.0.0.0:* users:(("ntpd",pid=3930,fd=18))
UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=3930,fd=17))
UNCONN 0 0 10.113.169.255:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=30))
UNCONN 0 0 10.113.169.1:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=29))
UNCONN 0 0 192.168.1.255:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=26))
UNCONN 0 0 192.168.1.8:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=25))
UNCONN 0 0 10.0.3.255:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=21))
UNCONN 0 0 10.0.3.1:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=20))
UNCONN 0 0 192.168.122.255:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=17))
UNCONN 0 0 192.168.122.1:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=16))
UNCONN 0 0 0.0.0.0:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=14))
UNCONN 0 0 10.113.169.255:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=32))
UNCONN 0 0 10.113.169.1:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=31))
UNCONN 0 0 192.168.1.255:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=28))
UNCONN 0 0 192.168.1.8:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=27))
UNCONN 0 0 10.0.3.255:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=23))
UNCONN 0 0 10.0.3.1:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=22))
UNCONN 0 0 192.168.122.255:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=19))
UNCONN 0 0 192.168.122.1:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=18))
UNCONN 0 0 0.0.0.0:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=15))
UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=3473,fd=7))
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=3275,fd=12))
UNCONN 0 0 0.0.0.0:42420 0.0.0.0:* users:(("fusermount",pid=12197,fd=87),("pcloud",pid=7934,fd=87))
UNCONN 0 0 0.0.0.0:38487 0.0.0.0:*
UNCONN 0 0 0.0.0.0:59085 0.0.0.0:* users:(("rpc.mountd",pid=3986,fd=12))
UNCONN 0 0 0.0.0.0:2049 0.0.0.0:*
UNCONN 0 0 0.0.0.0:43814 0.0.0.0:* users:(("rpc.mountd",pid=3986,fd=16))
UNCONN 0 0 0.0.0.0:35746 0.0.0.0:* users:(("avahi-daemon",pid=3275,fd=14))
UNCONN 0 0 0.0.0.0:36143 0.0.0.0:* users:(("rpc.mountd",pid=3986,fd=8))
UNCONN 0 0 0.0.0.0:3892 0.0.0.0:* users:(("PanasonicMFSlpd",pid=3460,fd=5))
UNCONN 0 0 0.0.0.0:28501 0.0.0.0:* users:(("mvdsv",pid=32848,fd=4))
UNCONN 0 0 0.0.0.0:28502 0.0.0.0:* users:(("mvdsv",pid=32859,fd=4))
UNCONN 0 0 0.0.0.0:28503 0.0.0.0:* users:(("mvdsv",pid=32872,fd=4))
UNCONN 0 0 0.0.0.0:28504 0.0.0.0:* users:(("mvdsv",pid=32879,fd=4))
UNCONN 0 0 [fd42:d18b:9a6b:f1a0::1]:53 [::]:* users:(("dnsmasq",pid=39491,fd=10))
UNCONN 0 0 [::]:111 [::]:* users:(("rpcbind",pid=3109,fd=7),("systemd",pid=1,fd=228))
UNCONN 0 0 [fe80::216:3eff:fe5f:2943]%lxdbr0:123 [::]:* users:(("ntpd",pid=3930,fd=27))
UNCONN 0 0 [fd42:d18b:9a6b:f1a0::1]:123 [::]:* users:(("ntpd",pid=3930,fd=26))
UNCONN 0 0 [fe80::88d6:c0f4:40d5:473c]%wlp2s0:123 [::]:* users:(("ntpd",pid=3930,fd=24))
UNCONN 0 0 [::1]:123 [::]:* users:(("ntpd",pid=3930,fd=19))
UNCONN 0 0 [::]:123 [::]:* users:(("ntpd",pid=3930,fd=16))
UNCONN 0 0 [::]%lxdbr0:547 [::]:* users:(("dnsmasq",pid=39491,fd=6))
UNCONN 0 0 [::]:33955 [::]:*
UNCONN 0 0 [::]:5353 [::]:* users:(("avahi-daemon",pid=3275,fd=13))
UNCONN 0 0 [::]:2049 [::]:*
UNCONN 0 0 [::]:51715 [::]:* users:(("avahi-daemon",pid=3275,fd=15))
UNCONN 0 0 [::]:59918 [::]:* users:(("rpc.mountd",pid=3986,fd=18))
UNCONN 0 0 [::]:55900 [::]:* users:(("rpc.mountd",pid=3986,fd=14))
UNCONN 0 0 [::]:36430 [::]:* users:(("rpc.mountd",pid=3986,fd=10))
Thanks. OK so looking at the output of `ps` we can see dnsmasq is running for lxdbr0, that's good.
And looking at the output of your `sudo ss -ulpn` command and filtering it by the process ID of the lxdbr0 dnsmasq process we can see the following:
grep pid=39491 ~/dnsmasq.txt
UNCONN 0 0 10.113.169.1:53 0.0.0.0:* users:(("dnsmasq",pid=39491,fd=8))
UNCONN 0 0 0.0.0.0%lxdbr0:67 0.0.0.0:* users:(("dnsmasq",pid=39491,fd=4))
UNCONN 0 0 [fd42:d18b:9a6b:f1a0::1]:53 [::]:* users:(("dnsmasq",pid=39491,fd=10))
UNCONN 0 0 [::]%lxdbr0:547 [::]:* users:(("dnsmasq",pid=39491,fd=6))
This shows it listening on the wildcard addresses for `lxdbr0` on ports 67 (DHCPv4) and 547 (DHCPv6), and listening on `10.113.169.1:53` and `[fd42:d18b:9a6b:f1a0::1]:53` which are for DNS over v4 and v6 respectively.
However here we can see the issue. The IP `10.113.169.1` does not match the IP reported by `lxc network ls` for the `lxdbr0` address, which you reported earlier as `10.46.233.1`.
So I suspect the old dnsmasq instance is still running from before you reinitialised LXD.
If you kill the process `39491` and then reload LXD using `sudo systemctl reload snap.lxd.daemon` that should restart dnsmasq with the correct config.
Thank you.
I have rebooted laptop several times before and it didn't help me. Nevertheless I've done what you have said, but nothing changed.
| test-20-10-002 | RUNNING | | fd42:d18b:9a6b:f1a0:216:3eff:feb3:123b (eth0) | CONTAINER | 0 |
The new container, that I created after kill & systemctl reload is also without IPv4.
Please show the output of the ss and ps commands as before.
ps aux | grep dnsmasq
libvirt+ 5252 0.0 0.0 9476 1384 ? S 10:24 0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
root 5254 0.0 0.0 9448 360 ? S 10:24 0:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
lxc-dns+ 5444 0.0 0.0 17840 372 ? S 10:24 0:00 dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsmasq.pid --listen-address 10.0.3.1 --dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative
lxd 126515 0.5 0.0 50200 3736 ? Ss 11:24 0:02 dnsmasq --keep-in-foreground --strict-order --bind-interfaces --except-interface=lo --pid-file= --no-ping --interface=lxdbr0 --quiet-dhcp --quiet-dhcp6 --quiet-ra --listen-address=10.113.169.1 --dhcp-no-override --dhcp-authoritative --dhcp-leasefile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.leases --dhcp-hostsfile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.hosts --dhcp-range 10.113.169.2,10.113.169.254,1h --listen-address=fd42:d18b:9a6b:f1a0::1 --enable-ra --dhcp-range ::,constructor:lxdbr0,ra-stateless,ra-names -s lxd -S /lxd/ --conf-file=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.raw -u lxd -g lxd
root 134889 0.0 0.0 11864 1836 pts/1 S+ 11:31 0:00 grep --color=auto dnsmasq
ss -ulpn
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 10.113.169.1:53 0.0.0.0:* users:(("dnsmasq",pid=126515,fd=8))
UNCONN 0 0 10.0.3.1:53 0.0.0.0:* users:(("dnsmasq",pid=5444,fd=6))
UNCONN 0 0 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=5252,fd=5))
UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("tor",pid=4063,fd=7))
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=3114,fd=12))
UNCONN 0 0 0.0.0.0%lxdbr0:67 0.0.0.0:* users:(("dnsmasq",pid=126515,fd=4))
UNCONN 0 0 0.0.0.0%lxcbr0:67 0.0.0.0:* users:(("dnsmasq",pid=5444,fd=4))
UNCONN 0 0 0.0.0.0%virbr0:67 0.0.0.0:* users:(("dnsmasq",pid=5252,fd=3))
UNCONN 0 0 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=3109,fd=5),("systemd",pid=1,fd=250))
UNCONN 0 0 192.168.1.8:123 0.0.0.0:* users:(("ntpd",pid=3930,fd=23))
UNCONN 0 0 10.113.169.1:123 0.0.0.0:* users:(("ntpd",pid=3930,fd=25))
UNCONN 0 0 127.0.0.1:123 0.0.0.0:* users:(("ntpd",pid=3930,fd=18))
UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=3930,fd=17))
UNCONN 0 0 172.17.255.255:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=34))
UNCONN 0 0 172.17.0.1:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=33))
UNCONN 0 0 10.113.169.255:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=30))
UNCONN 0 0 10.113.169.1:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=29))
UNCONN 0 0 192.168.1.255:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=26))
UNCONN 0 0 192.168.1.8:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=25))
UNCONN 0 0 10.0.3.255:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=21))
UNCONN 0 0 10.0.3.1:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=20))
UNCONN 0 0 192.168.122.255:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=17))
UNCONN 0 0 192.168.122.1:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=16))
UNCONN 0 0 0.0.0.0:137 0.0.0.0:* users:(("nmbd",pid=5258,fd=14))
UNCONN 0 0 172.17.255.255:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=36))
UNCONN 0 0 172.17.0.1:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=35))
UNCONN 0 0 10.113.169.255:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=32))
UNCONN 0 0 10.113.169.1:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=31))
UNCONN 0 0 192.168.1.255:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=28))
UNCONN 0 0 192.168.1.8:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=27))
UNCONN 0 0 10.0.3.255:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=23))
UNCONN 0 0 10.0.3.1:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=22))
UNCONN 0 0 192.168.122.255:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=19))
UNCONN 0 0 192.168.122.1:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=18))
UNCONN 0 0 0.0.0.0:138 0.0.0.0:* users:(("nmbd",pid=5258,fd=15))
UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=3473,fd=7))
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=3275,fd=12))
UNCONN 0 0 0.0.0.0:42420 0.0.0.0:* users:(("fusermount",pid=12197,fd=87),("pcloud",pid=7934,fd=87))
UNCONN 0 0 0.0.0.0:38487 0.0.0.0:*
UNCONN 0 0 0.0.0.0:59085 0.0.0.0:* users:(("rpc.mountd",pid=3986,fd=12))
UNCONN 0 0 0.0.0.0:2049 0.0.0.0:*
UNCONN 0 0 0.0.0.0:43814 0.0.0.0:* users:(("rpc.mountd",pid=3986,fd=16))
UNCONN 0 0 0.0.0.0:35746 0.0.0.0:* users:(("avahi-daemon",pid=3275,fd=14))
UNCONN 0 0 0.0.0.0:36143 0.0.0.0:* users:(("rpc.mountd",pid=3986,fd=8))
UNCONN 0 0 0.0.0.0:3892 0.0.0.0:* users:(("PanasonicMFSlpd",pid=3460,fd=5))
UNCONN 0 0 0.0.0.0:28501 0.0.0.0:* users:(("mvdsv",pid=32848,fd=4))
UNCONN 0 0 0.0.0.0:28502 0.0.0.0:* users:(("mvdsv",pid=32859,fd=4))
UNCONN 0 0 0.0.0.0:28503 0.0.0.0:* users:(("mvdsv",pid=32872,fd=4))
UNCONN 0 0 0.0.0.0:28504 0.0.0.0:* users:(("mvdsv",pid=32879,fd=4))
UNCONN 0 0 [fd42:d18b:9a6b:f1a0::1]:53 [::]:* users:(("dnsmasq",pid=126515,fd=12))
UNCONN 0 0 [fe80::216:3eff:fe5f:2943]%lxdbr0:53 [::]:* users:(("dnsmasq",pid=126515,fd=10))
UNCONN 0 0 [::]:111 [::]:* users:(("rpcbind",pid=3109,fd=7),("systemd",pid=1,fd=252))
UNCONN 0 0 [fe80::88d6:c0f4:40d5:473c]%wlp2s0:123 [::]:* users:(("ntpd",pid=3930,fd=24))
UNCONN 0 0 [fe80::216:3eff:fe5f:2943]%lxdbr0:123 [::]:* users:(("ntpd",pid=3930,fd=27))
UNCONN 0 0 [fd42:d18b:9a6b:f1a0::1]:123 [::]:* users:(("ntpd",pid=3930,fd=26))
UNCONN 0 0 [::1]:123 [::]:* users:(("ntpd",pid=3930,fd=19))
UNCONN 0 0 [::]:123 [::]:* users:(("ntpd",pid=3930,fd=16))
UNCONN 0 0 [::]%lxdbr0:547 [::]:* users:(("dnsmasq",pid=126515,fd=6))
UNCONN 0 0 [::]:33955 [::]:*
UNCONN 0 0 [::]:5353 [::]:* users:(("avahi-daemon",pid=3275,fd=13))
UNCONN 0 0 [::]:2049 [::]:*
UNCONN 0 0 [::]:51715 [::]:* users:(("avahi-daemon",pid=3275,fd=15))
UNCONN 0 0 [::]:59918 [::]:* users:(("rpc.mountd",pid=3986,fd=18))
UNCONN 0 0 [::]:55900 [::]:* users:(("rpc.mountd",pid=3986,fd=14))
UNCONN 0 0 [::]:36430 [::]:* users:(("rpc.mountd",pid=3986,fd=10))
Yep still not right:
lxd 126515 0.5 0.0 50200 3736 ? Ss 11:24 0:02 dnsmasq --keep-in-foreground --strict-order --bind-interfaces --except-interface=lo --pid-file= --no-ping --interface=lxdbr0 --quiet-dhcp --quiet-dhcp6 --quiet-ra --listen-address=10.113.169.1 --dhcp-no-override --dhcp-authoritative --dhcp-leasefile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.leases --dhcp-hostsfile=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.hosts --dhcp-range 10.113.169.2,10.113.169.254,1h --listen-address=fd42:d18b:9a6b:f1a0::1 --enable-ra --dhcp-range ::,constructor:lxdbr0,ra-stateless,ra-names -s lxd -S /lxd/ --conf-file=/var/snap/lxd/common/lxd/networks/lxdbr0/dnsmasq.raw -u lxd -g lxd
grep pid=126515 ~/dnsmasq.txt
UNCONN 0 0 10.113.169.1:53 0.0.0.0:* users:(("dnsmasq",pid=126515,fd=8))
UNCONN 0 0 0.0.0.0%lxdbr0:67 0.0.0.0:* users:(("dnsmasq",pid=126515,fd=4))
UNCONN 0 0 [fd42:d18b:9a6b:f1a0::1]:53 [::]:* users:(("dnsmasq",pid=126515,fd=12))
UNCONN 0 0 [fe80::216:3eff:fe5f:2943]%lxdbr0:53 [::]:* users:(("dnsmasq",pid=126515,fd=10))
UNCONN 0 0 [::]%lxdbr0:547 [::]:* users:(("dnsmasq",pid=126515,fd=6))
Please show output of `ip a` on the host.
Also please output of `sudo lxd sql global 'select * from networks'` and `sudo lxd sql global 'select * from networks_config'`
Also what version of LXD are you running?
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether c4:54:44:cd:76:c4 brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether bc:30:7d:65:0c:44 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.8/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp2s0
valid_lft 85295sec preferred_lft 85295sec
inet6 fe80::88d6:c0f4:40d5:473c/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:8b:08:56 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:8b:08:56 brd ff:ff:ff:ff:ff:ff
6: lxcbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 10.0.3.1/24 scope global lxcbr0
valid_lft forever preferred_lft forever
7: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:16:3e:5f:29:43 brd ff:ff:ff:ff:ff:ff
inet 10.113.169.1/24 scope global lxdbr0
valid_lft forever preferred_lft forever
inet6 fd42:d18b:9a6b:f1a0::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::216:3eff:fe5f:2943/64 scope link
valid_lft forever preferred_lft forever
9: veth8dcb163b@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
link/ether f6:cb:d9:12:13:e9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
10: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:3b:f5:cd:88 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:3bff:fef5:cd88/64 scope link
valid_lft forever preferred_lft forever
16: veth38cf9920@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
link/ether 6a:73:d0:d1:58:3d brd ff:ff:ff:ff:ff:ff link-netnsid 2
sudo lxd sql global 'select * from networks'
+----+------------+--------+-------------+-------+------+
| id | project_id | name | description | state | type |
+----+------------+--------+-------------+-------+------+
| 1 | 1 | lxdbr0 | | 1 | 0 |
+----+------------+--------+-------------+-------+------+
sudo lxd sql global 'select * from networks_config'
+----+------------+---------+--------------+---------------------------+
| id | network_id | node_id | key | value |
+----+------------+---------+--------------+---------------------------+
| 1 | 1 | <nil> | ipv6.address | fd42:d18b:9a6b:f1a0::1/64 |
| 2 | 1 | <nil> | ipv4.nat | true |
| 3 | 1 | <nil> | ipv6.nat | true |
| 4 | 1 | <nil> | ipv4.address | 10.113.169.1/24 |
+----+------------+---------+--------------+---------------------------+
lxd version
4.11
Oh right so your lxdbr0 network IP is `10.113.169.1/24` and not the `10.46.233.1/24` you originally posted above. That must have been the old config before you reinitialised LXD.
In that case everything lines up correctly.
If DHCP is still not working then it's likely a firewall on your host.
Please show output of `sudo iptables-save` and `sudo nft list ruleset`.
sudo iptables-save
# Generated by iptables-save v1.8.4 on Thu Mar 4 12:04:33 2021
*nat
:PREROUTING ACCEPT [854:196103]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2336:160593]
:POSTROUTING ACCEPT [2327:159969]
:DOCKER - [0:0]
:LIBVIRT_PRT - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:POST_public_post - [0:0]
:POST_public_pre - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
:PRE_public_post - [0:0]
:PRE_public_pre - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j OUTPUT_direct
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING_ZONES -o wlp2s0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_pre
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A POST_public -j POST_public_post
-A PREROUTING_ZONES -i wlp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_pre
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_public -j PRE_public_post
COMMIT
# Completed on Thu Mar 4 12:04:33 2021
# Generated by iptables-save v1.8.4 on Thu Mar 4 12:04:33 2021
*mangle
:PREROUTING ACCEPT [174140:222476178]
:INPUT ACCEPT [173545:222266121]
:FORWARD ACCEPT [274:103171]
:OUTPUT ACCEPT [99490:7854448]
:POSTROUTING ACCEPT [99798:7952199]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:LIBVIRT_PRT - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
:PRE_public_post - [0:0]
:PRE_public_pre - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A PREROUTING_ZONES -i wlp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_pre
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_public -j PRE_public_post
COMMIT
# Completed on Thu Mar 4 12:04:33 2021
# Generated by iptables-save v1.8.4 on Thu Mar 4 12:04:33 2021
*raw
:PREROUTING ACCEPT [174140:222476178]
:OUTPUT ACCEPT [99490:7854448]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
:PRE_public_post - [0:0]
:PRE_public_pre - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i wlp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_pre
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_public -j PRE_public_post
COMMIT
# Completed on Thu Mar 4 12:04:33 2021
# Generated by iptables-save v1.8.4 on Thu Mar 4 12:04:33 2021
*security
:INPUT ACCEPT [668962:931035088]
:FORWARD ACCEPT [196:77743]
:OUTPUT ACCEPT [345952:22086468]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Mar 4 12:04:33 2021
# Generated by iptables-save v1.8.4 on Thu Mar 4 12:04:33 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [96419:7573403]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDI_public_post - [0:0]
:FWDI_public_pre - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:FWDO_public_post - [0:0]
:FWDO_public_pre - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:IN_public_post - [0:0]
:IN_public_pre - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -j LIBVIRT_INP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j LIBVIRT_OUT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A FORWARD_IN_ZONES -i wlp2s0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o wlp2s0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_pre
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -j FWDI_public_post
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_pre
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A FWDO_public -j FWDO_public_post
-A INPUT_ZONES -i wlp2s0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_pre
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -j IN_public_post
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Thu Mar 4 12:04:33 2021
sudo nft list ruleset
sudo: nft: command not found
OK so there is quite a lot going on there. The first thing I notice is that you have mentions of docker, which is known to add rules that can interfere with LXD's networking (although I cannot specifically see the problem it normally causes in your ruleset).
However you are also missing the rules that LXD adds to allow inbound DHCP and DNS to lxdbr0 from the containers. So this suggests that another firewall in your system is wiping the rules added by LXD.
Can you reload LXD (without rebooting) and see if the lxdbr0 related rules are added. If they are and DHCP then works, then it will be an issue with the start order of LXD in relation to your other applications that are modifying the firewall rules.
Done. I've disabled ufw and restarted snap.lxd.daemon.service. But, seems there is nothing related to LXD in iptables:
# Generated by iptables-save v1.8.4 on Thu Mar 4 13:26:16 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1757:210562]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDI_public_post - [0:0]
:FWDI_public_pre - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:FWDO_public_post - [0:0]
:FWDO_public_pre - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:IN_public_post - [0:0]
:IN_public_pre - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -j LIBVIRT_INP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j LIBVIRT_OUT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A FORWARD_IN_ZONES -i veth5a3aa82d -g FWDI_public
-A FORWARD_IN_ZONES -i vethc67af6b2 -g FWDI_public
-A FORWARD_IN_ZONES -i wlp2s0 -g FWDI_public
-A FORWARD_IN_ZONES -i veth1c04a137 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o veth5a3aa82d -g FWDO_public
-A FORWARD_OUT_ZONES -o vethc67af6b2 -g FWDO_public
-A FORWARD_OUT_ZONES -o wlp2s0 -g FWDO_public
-A FORWARD_OUT_ZONES -o veth1c04a137 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_pre
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -j FWDI_public_post
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_pre
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A FWDO_public -j FWDO_public_post
-A INPUT_ZONES -i veth5a3aa82d -g IN_public
-A INPUT_ZONES -i vethc67af6b2 -g IN_public
-A INPUT_ZONES -i wlp2s0 -g IN_public
-A INPUT_ZONES -i veth1c04a137 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_pre
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -j IN_public_post
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Thu Mar 4 13:26:16 2021
Before this issue happened I've installed cloud-init via apt. And it worked fine, before I've rebooted the laptop.
Please show output of lxc info | grep 'firewall:'
lxc info | grep 'firewall:'
firewall: nftables
Ah so you're using nftables, so `sudo apt install nftables -y` and then `sudo nft list ruleset`.
Is it working with ufw disabled btw?
But this line is going to be causing problems, any ideas what's adding that to your firewall (it's not LXD).
Because although LXD is using nftables, it's likely that iptables is actually using nftables too, and any reject or drop statements added in a netfilter chain that LXD doesn't know about will still be evaluated even if LXD's own rules say to accept the inbound DHCP/DNS packets. This is a rather unfortunate behaviour of nftables, compared to iptables, that any reject or drop in any other chain will cause the packet to be rejected/dropped even if it's already been accepted by an earlier chain in a different netfilter hook.
See Upgraded to Ubuntu 20.10, now no ipv4 - #7 by tomp
So you need to ensure that no rules generated by your other firewalls would cause LXD's traffic to be dropped.
See Lxd bridge doesn't work with IPv4 and UFW with nftables - #17 by tomp for a way to instruct ufw to allow lxdbr0 traffic.
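One way to automate the check described above, as an added example that is not part of any post in this thread: it reads `iptables-save` output and reports whether new DHCP (udp/67) and DNS (udp/53) packets arriving on a bridge reach an ACCEPT in the iptables `filter` INPUT chain before a catch-all REJECT/DROP, which is what matters when LXD's own accepts live in a separate nftables table. The function names and the sample ruleset are constructed for illustration (modelled on the dump earlier in the thread), and rules with matches the script does not model are skipped.

```shell
#!/bin/sh
# audit_bridge_fw IFACE  (hypothetical helper name)
# Reads `iptables-save` output on stdin, walks the filter table's INPUT chain
# in rule order and prints, for UDP ports 67 and 53 arriving on IFACE, the
# first rule that gives a verdict. Exit status 1 if either port is blocked.
audit_bridge_fw() {
    awk -v ifc="$1" '
    /^\*/ { table = substr($0, 2); next }          # "*filter", "*nat", ...
    table != "filter" { next }
    /^:/ { policy[substr($1, 2)] = $2; next }      # ":INPUT ACCEPT [0:0]"
    $1 == "-A" { rules[$2, ++count[$2]] = $0 }

    # Returns 1 once a rule gives a verdict for (ifc, udp, port); the
    # verdict text is left in the global variable "result".
    function walk(chain, port,    i, k, n, f, hit, verb, tgt) {
        for (i = 1; i <= count[chain]; i++) {
            n = split(rules[chain, i], f, " ")
            hit = 1; tgt = ""
            for (k = 3; k <= n; k++) {             # f[1]="-A", f[2]=chain
                if (f[k] == "-i") { if (f[++k] != ifc) hit = 0 }
                else if (f[k] == "-p") { if (f[++k] != "udp") hit = 0 }
                else if (f[k] == "-m" && f[k + 1] == "udp") k++
                else if (f[k] == "--dport") { if (f[++k] + 0 != port) hit = 0 }
                else if (f[k] == "-j" || f[k] == "-g") {
                    verb = f[k]; tgt = f[k + 1]; break
                }
                else hit = 0                       # unmodelled match: skip rule
            }
            if (!hit || tgt == "") continue
            if (tgt == "ACCEPT") {
                result = "accepted by: " rules[chain, i]; return 1
            }
            if (tgt == "REJECT" || tgt == "DROP") {
                result = "blocked by: " rules[chain, i]; return 1
            }
            if (tgt == "RETURN") return 0
            if (count[tgt] > 0 && walk(tgt, port)) return 1
            if (verb == "-g") return 0             # goto does not come back here
        }
        return 0
    }

    END {
        status = 0
        split("67 53", ports, " ")
        for (p = 1; p <= 2; p++) {
            result = ""
            if (!walk("INPUT", ports[p] + 0))      # fell through to the policy
                result = (policy["INPUT"] == "ACCEPT" ? "accepted" : "blocked") \
                         " by: INPUT policy " policy["INPUT"]
            printf "udp/%d in on %s: %s\n", ports[p], ifc, result
            if (result ~ /^blocked/) status = 1
        }
        exit status
    }'
}

# Constructed sample in iptables-save format (not the poster's real ruleset).
# With the argument "with-lxdbr0-accepts" it includes explicit accepts for
# lxdbr0 ahead of the catch-all REJECT.
sample_ruleset() {
    extra=""
    if [ "$1" = "with-lxdbr0-accepts" ]; then
        extra="-A INPUT -i lxdbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 53 -j ACCEPT"
    fi
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:IN_public - [0:0]
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j IN_public
${extra}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A IN_public -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
COMMIT
EOF
}

sample_ruleset | audit_bridge_fw lxdbr0 || true
sample_ruleset with-lxdbr0-accepts | audit_bridge_fw lxdbr0
```

On a live host the same function would be fed with `sudo iptables-save | audit_bridge_fw lxdbr0`.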
Thank you!!!
I've removed this line from iptables, restarted snap.lxd.daemon.service and it works!
So I need to find what puts this line in iptables for ipv4 to work across reboots, or install iptables-persistent.
I had a similar problem: all my containers had lost network connectivity. After removing ufw package and rebooting, everything is working again.
Thank you. I just solved the problem.
I am using VestaCP / CentOS 7.
I just realized that my containers' ipv4 disappeared after changing firewall rules in VestaCP. Possibly VestaCP removed some iptables rules which were generated by LXD.
The temporary solution is re-adding the rules by restarting the lxd daemon. And then, connect the network again.
service snap.lxd.daemon.service restart
lxc exec <container name> bash
ifup eth0