How do we manage lxc-net? it's stepping on my dnsmasq and firewall rules

Hi all, I’m new here. I’m having a lot of trouble figuring out lxc-net.

First, no man page for lxc-net? DOH!

Second, I figured out that I can create a separate dnsmasq.conf file (I put it in /etc/lxc) and configure the dnsmasq process that lxc-net insists on running, so I was able to take care of the DNS conflicts. This is a router, which also runs dnsmasq. I finally got the lxc-net DHCP to assign static IP addresses to unprivileged containers, since it won’t let me assign them at either the host or the container level; I tried everywhere.

The problem I’m having now is that lxc-net is injecting iptables rules into my firewall, then complaining about it. DOH! I’m guessing there is NO WAY to tell lxc-net to keep its paws off my iptables? At least docker has an option to disable its meddling with interfaces and iptables.

Jun 23 15:07:18 gwr01 lxc-net[2308]: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 23 15:07:18 gwr01 systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE

Nothing wrong with my firewall rules, until lxc-net messes with them. I’m not going to bastardize my router’s iptables rules to accommodate lxc-net injecting rules. This is a show stopper.

I’d appreciate any suggestions at this point. Maybe replace lxc-net with some other bridge? Linux bridge, or the virsh? bridge, maybe they don’t require iptables injecting?

Thanks

In /etc/default/lxc-net you can set USE_LXC_BRIDGE="false", which I believe disables the bridge setup and firewall rules, leaving you to configure the bridge, dnsmasq and firewall rules manually.

If you wish to use both lxc-net and firewalld, you can, even if you use USE_LXC_BRIDGE="true" (which is the default). The firewall rules added by lxc-net take care of IP masquerading, which is useful, so we leave those alone. We just need to tell firewalld to accept traffic from the container(s). Here’s how:

$ firewall-cmd --permanent --new-zone=my-containers
$ firewall-cmd --permanent --zone=my-containers --add-interface=lxcbr0
$ firewall-cmd --permanent --zone=my-containers --set-target=ACCEPT
# Reload firewall rules from disk. WARNING: Earlier runtime changes will be lost.
$ firewall-cmd --reload
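The two answers above fit together: first find out from /etc/default/lxc-net whether lxc-net is going to own the bridge and its iptables rules (USE_LXC_BRIDGE), and only in that case put the bridge into a firewalld zone of its own. The script below is an added example, not code from this thread or from the LXC project. It assumes the defaults file uses shell-style KEY="value" lines and names the bridge in LXC_BRIDGE (falling back to lxcbr0 when unset), reuses the zone name my-containers from the answer, and lets FWCMD point at a stand-in for firewall-cmd so the logic can be exercised on a machine without firewalld. The apply argument and the script file name are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the thread or the LXC project): read lxc-net's
# defaults file, decide whether lxc-net will create the bridge and inject
# iptables rules, and if so make firewalld accept traffic from that bridge.
# Assumptions: KEY="value" lines, LXC_BRIDGE names the bridge (default
# lxcbr0), FWCMD may be overridden with a stand-in for firewall-cmd.

LXC_NET_DEFAULTS="${LXC_NET_DEFAULTS:-/etc/default/lxc-net}"
FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-my-containers}"

# Pull one KEY=value (quoted or not) out of the defaults file without
# sourcing it: sourcing would execute whatever else the file contains,
# which a configuration reader has no business doing.
lxc_net_setting() {
    # $1 = defaults file, $2 = key; prints the value of the last assignment,
    # with surrounding quotes and any trailing comment stripped
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 \
        | sed "s/^[\"']//; s/[\"'].*\$//; s/[[:space:]].*\$//"
}

# Exit status 0: lxc-net will create the bridge and inject iptables rules
# (USE_LXC_BRIDGE unset or "true"). Status 1: it has been told to stay out.
lxc_net_manages_bridge() {
    use=$(lxc_net_setting "$1" USE_LXC_BRIDGE)
    case "${use:-true}" in
        true) return 0 ;;
        *)    return 1 ;;
    esac
}

# Name of the bridge lxc-net will create.
lxc_net_bridge_name() {
    name=$(lxc_net_setting "$1" LXC_BRIDGE)
    printf '%s\n' "${name:-lxcbr0}"
}

# Bind the bridge to an ACCEPT zone. Each step checks before it changes,
# so rerunning is safe; an interface already bound to a different zone
# makes --add-interface fail, and that failure is reported, not hidden.
firewalld_accept_bridge() {
    zone="$1"; iface="$2"
    if ! "$FWCMD" --permanent --get-zones | tr ' ' '\n' | grep -qxF "$zone"; then
        "$FWCMD" --permanent --new-zone="$zone" || return 1
    fi
    if ! "$FWCMD" --permanent --zone="$zone" --query-interface="$iface" >/dev/null 2>&1; then
        "$FWCMD" --permanent --zone="$zone" --add-interface="$iface" || return 1
    fi
    "$FWCMD" --permanent --zone="$zone" --set-target=ACCEPT || return 1
    # Reload discards earlier runtime-only changes, as the answer warns.
    "$FWCMD" --reload || return 1
    # Confirm the runtime configuration now puts the bridge in our zone.
    [ "$("$FWCMD" --get-zone-of-interface="$iface")" = "$zone" ]
}

main() {
    if ! lxc_net_manages_bridge "$LXC_NET_DEFAULTS"; then
        echo "USE_LXC_BRIDGE is false: lxc-net leaves the bridge and iptables to you"
        return 0
    fi
    bridge=$(lxc_net_bridge_name "$LXC_NET_DEFAULTS")
    firewalld_accept_bridge "$ZONE" "$bridge"
}

# Change nothing unless explicitly asked: sh lxc-net-firewalld.sh apply
if [ "${1:-}" = apply ]; then
    main
fi
```

Run it as root with the apply argument on the router; without the argument it only defines the functions. The settings reader deliberately parses the file instead of sourcing it, and the firewalld steps are guarded by --get-zones and --query-interface so a second run does not trip over the zone and interface it created the first time.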