Help! Accidentally deleted chain `lxd_nic_lxdbr0'

I had csf firewall installed because I didn't know that lxd acts as a firewall, so then I uninstalled csf and csf did this:

Flushing chain `lxd_nic_lxdbr0'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `lxd_nic_lxdbr0'

I tried lxd init

Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: no
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: no
Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: yes
Name of the existing bridge or host interface: lxdbr0
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
Error: Failed to update profile "default": Device validation failed for "eth0": Cannot use "nictype" property in conjunction with "network" property

I tried lxc network create lxdbr0
Error: The network already exists

lxc list still shows all of my containers are still there, but my main site will no longer load (ERR_SSL_PROTOCOL_ERROR) just because csf destroyed lxd_nic_lxdbr0.

Please, how do I get it back?

lxc version
Client version: 5.3
Server version: 5.3

lxc network list

+--------+----------+---------+----------------+---------------------------+-------------+---------+---------+
|  NAME  |   TYPE   | MANAGED |      IPV4      |           IPV6            | DESCRIPTION | USED BY |  STATE  |
+--------+----------+---------+----------------+---------------------------+-------------+---------+---------+
| eno1   | physical | NO      |                |                           |             | 0       |         |
+--------+----------+---------+----------------+---------------------------+-------------+---------+---------+
| eno2   | physical | NO      |                |                           |             | 0       |         |
+--------+----------+---------+----------------+---------------------------+-------------+---------+---------+
| eno3   | physical | NO      |                |                           |             | 0       |         |
+--------+----------+---------+----------------+---------------------------+-------------+---------+---------+
| eno4   | physical | NO      |                |                           |             | 0       |         |
+--------+----------+---------+----------------+---------------------------+-------------+---------+---------+
| lxdbr0 | bridge   | YES     | 10.103.26.1/24 | fd42:1262:cae8:136d::1/64 |             | 19      | CREATED |
+--------+----------+---------+----------------+---------------------------+-------------+---------+---------+

I'm guessing lxc init with the default networking suggestions should have made some iptables rules with /* generated for LXD network lxdbr0 */, based on what I've seen in other people's questions.

My iptables:

iptables -L -n -v
Chain INPUT (policy ACCEPT 1664K packets, 141M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 19677 packets, 5501K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1612K packets, 214M bytes)
 pkts bytes target     prot opt in     out     source               destination

(^ looks blank?)

Is there a way to trigger it to reload the default rules for LXD?

systemctl restart snap.lxd.daemon and snap restart lxd make no change.

Hi,
Can you check the firewall type with the lxc info | grep -i firewall?
Regards.


lxc info | grep -i firewall

- network_firewall_filtering
- firewall_driver
  firewall: nftables

nft list tables

Command ‘nft’ not found, but can be installed with:

apt install nftables

nftables
nftables: command not found

I’m not sure how to restore what csf removed.
I’m sure what it removed.
I know that when I did lxd init I chose all default things.

What is the output of sudo nft list ruleset?
Regards.


If you restart LXD it will recreate the firewall rules.
sudo systemctl reload snap.lxd.daemon

nft list ruleset

Command 'nft' not found, but can be installed with:

apt install nftables

So I installed it and ran the command, and now my website works again!!

Thank you!

No, if you read above, I tried that myself while trying everything I could find and it did nothing, thanks.

What does lxc info | grep firewall show?

It's been solved above.