Controlling firewall configuration for Container owned interfaces from host

I’m looking for an optimal way to handle firewall configuration for the container owned interfaces (i.e. the interfaces which are visible only on the container scope and not on the host) from host perspective.
Basically, the firewall module which is responsible for firewall configuration will be running on host context and needs to take care of firewall configuration for the interfaces on the container context.
My current option is to use "ip netns exec iptables " from host scope to configure firewall at container scope.
Is this the optimal solution to go? Or do we have something better to achieve my use case?
Please share your inputs.

Unless you can guarantee that nothing outside of your control will ever run as root in the container or that you’ve stripped root of its privileges, I wouldn’t recommend your current approach. That’s because root in the container can then very simply change the firewall rules or just flush them.

Assuming you’re using a veth pair, you could instead apply the firewall rules on the host side part of the pair; the result would be the same (with to/from reversed though) and the container wouldn’t be able to interfere with the rules.

lxc-info will let you query the name of that device.
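
An added example (not from the thread or from the LXC project) of the host-side approach described in the answer above: it reads the veth name from `lxc-info` output and prints, without running them, `iptables` rules with the direction reversed. The container name `web1`, the device `vethEXAMPLE` and the sample output are constructed, and it assumes the host routes the veth device's traffic through the FORWARD chain (the device is not a bridge port).

```shell
#!/bin/sh
# Dry run: prints iptables commands so they can be reviewed before use.

# Constructed sample of `lxc-info -n web1` output (all values are made up).
SAMPLE_LXC_INFO='Name:           web1
State:          RUNNING
PID:            4242
IP:             10.0.3.15
Link:           vethEXAMPLE
 TX bytes:      1.20 KiB
 RX bytes:      3.40 KiB'

# host_veth: read lxc-info output on stdin, print the host-side device name.
host_veth() {
    awk '$1 == "Link:" { print $2 }'
}

# host_rule DEV DIRECTION PROTO PORT TARGET
# DIRECTION is given from the container's point of view and is reversed
# for the host end of the pair:
#   out = sent by the container      -> enters the host on DEV (-i)
#   in  = delivered to the container -> leaves the host on DEV (-o)
# Assumption: forwarded traffic only; traffic addressed to the host itself
# would be matched in INPUT/OUTPUT instead.
host_rule() {
    dev=$1; dir=$2; proto=$3; port=$4; target=$5
    # Reject anything that is not a plausible interface name before it is
    # placed into a command line (Linux limits names to 15 characters).
    case $dev in
        ''|*[!A-Za-z0-9_.-]*) echo "bad device name" >&2; return 1 ;;
    esac
    [ "${#dev}" -le 15 ] || { echo "device name too long" >&2; return 1; }
    case $dir in
        out) match="-i $dev" ;;
        in)  match="-o $dev" ;;
        *)   echo "direction must be in or out" >&2; return 1 ;;
    esac
    printf 'iptables -A FORWARD %s -p %s --dport %s -j %s\n' \
        "$match" "$proto" "$port" "$target"
}

# Demo on the constructed sample: block outbound SMTP from the container,
# allow inbound SSH to it. On a real host, pipe `lxc-info -n NAME` instead.
dev=$(printf '%s\n' "$SAMPLE_LXC_INFO" | host_veth)
host_rule "$dev" out tcp 25 DROP
host_rule "$dev" in tcp 22 ACCEPT
```

Because these rules live in the host's network namespace, root inside the container cannot list or flush them.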