How do we manage lxc-net? it's stepping on my dnsmasq and firewall rules

Hi all, I’m new here. I’m having a lot of trouble figuring out lxc-net.

First, no man page for lxc-net? DOH!

Second, I figured out that I can create a separate dnsmasq.conf file (I put it in /etc/lxc) and configure the dnsmasq process that lxc-net insists on running, so I was able to take care of DNS conflicts. This is a router, which also runs dnsmasq. I finally got the lxc-net DHCP to assign static IP addresses to unprivileged containers, since it won’t let me assign them at either the host or container level; I tried everywhere.

The problem I’m having now is lxc-net is injecting iptables rules into my firewall, then complaining about it. DOH! I’m guessing there is NO WAY to tell lxc-net to keep its paws off my iptables? At least Docker has an option to disable its meddling with interfaces and iptables.

Jun 23 15:07:18 gwr01 lxc-net[2308]: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 23 15:07:18 gwr01 systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE

Nothing wrong with my firewall rules, until lxc-net messes with them. I’m not going to bastardize my router’s iptables rules, to accommodate lxc-net injecting rules. This is a show stopper.

I’d appreciate any suggestions at this point. Maybe replace lxc-net with some other bridge? Linux bridge, or the virsh? bridge, maybe they don’t require iptables injecting?


In /etc/default/lxc-net you can set USE_LXC_BRIDGE="false", which disables the bridge setup and firewall rules, I believe, leaving you to manually configure the bridge, dnsmasq and firewall rules yourself.
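As an added example (not code from the thread), the manual setup the answer describes as one POSIX shell script: lxc-net is told to stand down, a dnsmasq instance is pinned to the bridge only with static leases, and the NAT rules are printed as text to merge into the router's own ruleset rather than injected. The bridge name lxcbr0, the 10.0.3.0/24 subnet, eth0 as upstream, and the file paths under /etc/dnsmasq.d are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: hand-managed bridge replacing lxc-net's.
# Bridge name, subnet, upstream interface and file paths are assumptions.
set -eu

BRIDGE="lxcbr0"          # assumed bridge name (lxc-net's default)
SUBNET="10.0.3"          # assumed /24 for the containers
WAN_IF="eth0"            # assumed upstream interface on the router

# /etc/default/lxc-net: with USE_LXC_BRIDGE="false" lxc-net neither creates the
# bridge nor starts dnsmasq nor inserts iptables rules.
render_lxc_net_defaults() {
    printf 'USE_LXC_BRIDGE="false"\n'
}

# dnsmasq instance bound to the bridge only, so it cannot collide with the
# router's dnsmasq (which needs except-interface=lxcbr0 or bind-interfaces too).
# Arguments are "name,mac,ip" triples that become static DHCP leases.
render_dnsmasq_conf() {
    printf 'interface=%s\nbind-interfaces\nexcept-interface=lo\n' "$BRIDGE"
    printf 'dhcp-range=%s.2,%s.254,1h\ndhcp-authoritative\n' "$SUBNET" "$SUBNET"
    for lease in "$@"; do
        name=${lease%%,*}; rest=${lease#*,}
        mac=${rest%%,*};   ip=${rest#*,}
        printf 'dhcp-host=%s,%s,%s\n' "$mac" "$ip" "$name"
    done
}

# NAT and forwarding rules for the bridge, printed rather than applied so they
# can be placed inside the existing firewall instead of being injected into it.
render_firewall_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s.0/24 ! -d %s.0/24 -o %s -j MASQUERADE\n' \
        "$SUBNET" "$SUBNET" "$WAN_IF"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$BRIDGE" "$WAN_IF"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' \
        "$WAN_IF" "$BRIDGE"
}

# Privileged part: write the files and bring the bridge up (run as root).
apply_bridge() {
    render_lxc_net_defaults > /etc/default/lxc-net
    render_dnsmasq_conf "$@" > /etc/dnsmasq.d/lxc-bridge.conf
    ip link add "$BRIDGE" type bridge
    ip addr add "$SUBNET.1/24" dev "$BRIDGE"
    ip link set "$BRIDGE" up
}
if [ "${1:-}" = apply ]; then shift; apply_bridge "$@"; fi
```

Run it as `sh script.sh apply web,00:16:3e:00:00:01,10.0.3.10` (constructed MAC/IP) after stopping lxc-net; containers keep `lxc.net.0.link = lxcbr0` since the bridge name is unchanged.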