How is NAT implemented in LXD managed network?

Hi. I have NAT enabled on the lxdbr0 default network and it's working OK. However, I would have expected to find some masquerading among the iptables rules that LXD creates automatically, but couldn't find any. (LXD running on Debian Buster with iptables set to legacy.)
I would appreciate it if someone can comment on how NAT is implemented. I would like to understand it and be able to make some custom configurations.
Thanks.


Can you show lxc info | grep firewall:

LXD uses nft directly when available and when no rules are present in xtables at the time it starts. I suspect that on your system, it is indeed using nft.


Hi Stéphane thanks for your reply.
lxc info shows the following:

% lxc info | grep -i firewall:
  firewall: xtables

When I installed LXD I switched to iptables-legacy because LXD was using xtables due to kernel version < 5 (Host runs Debian 10 with kernel 4.19).
I checked and the nft ruleset is empty:

% sudo nft list ruleset
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 0; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }
}

Output from iptables and lxc network show is the following:

% sudo iptables -S | grep -i lxd
-A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p tcp -m tcp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p udp -m udp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p udp -m udp --sport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT

% lxc network show lxdbr0
config:
  ipv4.address: 10.140.62.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:1a6b:ffad:29df::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/instances/debianc1
- /1.0/instances/ubuntuc1
- /1.0/profiles/default
managed: true
status: Created
locations:
- none

Thanks.

Hi,
Sorry, after reading my own answer I realized that I was not listing the nat table.
Now it is clear:

% sudo iptables -S -t nat | grep -i lxd
-A POSTROUTING -s 10.140.62.0/24 ! -d 10.140.62.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE

Thanks
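As an added example (not code from this thread or from LXD itself), here is a small POSIX shell audit that reads `iptables -S -t nat` style output and checks that the POSTROUTING MASQUERADE rule for a managed bridge covers exactly the bridge's subnet. It derives the network address from the `ipv4.address` value that `lxc network show` prints (10.140.62.1/24 becomes 10.140.62.0/24, which is what the rule above uses) and warns when the `! -d` exclusion does not match the `-s` subnet, since that is what keeps traffic between containers on the bridge from being masqueraded. The function names and the sample rule set are assumptions made for this example; on a real xtables host you would pipe in `sudo iptables -S -t nat` instead of the constructed sample.

```shell
#!/bin/sh
# Added example, not from the LXD project. Audits the MASQUERADE rule that
# LXD generates for a managed bridge when it uses the xtables backend.

# ipv4_network ADDR/PREFIX -> NETWORK/PREFIX, e.g. 10.140.62.1/24 -> 10.140.62.0/24
# Pure arithmetic so it works in any POSIX awk (no bitwise operators needed).
ipv4_network() {
    echo "$1" | awk -F'[./]' '{
        ip = (($1 * 256 + $2) * 256 + $3) * 256 + $4
        hostbits = 2 ^ (32 - $5)
        net = int(ip / hostbits) * hostbits
        printf "%d.%d.%d.%d/%d\n", int(net / 16777216) % 256, int(net / 65536) % 256,
               int(net / 256) % 256, net % 256, $5
    }'
}

# lxd_masq_subnets BRIDGE  < (iptables -S -t nat output)
# Prints the -s subnet of every POSTROUTING MASQUERADE rule carrying LXD's
# "generated for LXD network <bridge>" comment. If the negated destination
# (! -d) differs from the source subnet, the line is tagged with a warning.
lxd_masq_subnets() {
    awk -v br="$1" '
        $1 == "-A" && $2 == "POSTROUTING" && $NF == "MASQUERADE" &&
        index($0, "generated for LXD network " br "\"") {
            src = ""; excl = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "!" && $(i + 1) == "-d") excl = $(i + 2)
            }
            if (src == "") next
            if (src == excl) print src
            else print src " (WARNING: destination exclusion is \"" excl "\")"
        }'
}

# check_lxd_nat BRIDGE IPV4_ADDRESS  < (iptables -S -t nat output)
# Exit 0 only if a correctly scoped MASQUERADE rule exists for the bridge subnet.
check_lxd_nat() {
    expected=$(ipv4_network "$2")
    lxd_masq_subnets "$1" | grep -qx "$expected"
}

# Constructed sample standing in for `sudo iptables -S -t nat`: the rule from
# the thread above plus an unrelated, uncommented masquerade rule.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.140.62.0/24 ! -d 10.140.62.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE'

# Values taken from `lxc network show lxdbr0` in the thread (assumed here).
BRIDGE=lxdbr0
BRIDGE_ADDR=10.140.62.1/24

if printf '%s\n' "$SAMPLE_NAT_RULES" | check_lxd_nat "$BRIDGE" "$BRIDGE_ADDR"; then
    echo "$BRIDGE: MASQUERADE rule present for $(ipv4_network "$BRIDGE_ADDR")"
else
    echo "$BRIDGE: no correctly scoped MASQUERADE rule found" >&2
fi
```

On a host where `lxc info` reports `firewall: nftables`, the same rule lives in the nft ruleset rather than in xtables, so feed this script the output of `iptables -S -t nat` only when the firewall driver is xtables, as it is in the thread.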