How to stop traffic from being forwarded between lxd managed interfaces

I had a quick go at this:

Two LXD managed bridge networks; lxdbr0 and lxdbr1:

lxc network show lxdbr0
config:
  ipv4.address: 10.64.199.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:bafd:ac21:9f::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge

lxc network show lxdbr1
config:
  ipv4.address: 10.174.226.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:97ce:87b9:1a79::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr1
type: bridge

Create two ACLs, lxdbr0-deny and lxdbr1-deny, as follows:

lxc network acl create lxdbr0-deny
lxc network acl rule add lxdbr0-deny ingress \
    source=10.64.199.0/24 \
    action=reject
lxc network acl rule add lxdbr0-deny egress \
    destination=10.64.199.0/24 \
    action=reject
lxc network acl create lxdbr1-deny
lxc network acl rule add lxdbr1-deny ingress \
    source=10.174.226.0/24 \
    action=reject
lxc network acl rule add lxdbr1-deny egress \
    destination=10.174.226.0/24 \
    action=reject

Now apply those to the respective networks and set the default policy:

lxc network set lxdbr0 \
    security.acls.default.egress.action=allow \
    security.acls.default.ingress.action=allow \
    security.acls=lxdbr1-deny

lxc network set lxdbr1 \
    security.acls.default.egress.action=allow \
    security.acls.default.ingress.action=allow \
    security.acls=lxdbr0-deny

Now launch a container in each network:

lxc launch images:alpine/3.16 clxdbr0 -n lxdbr0
lxc launch images:alpine/3.16 clxdbr1 -n lxdbr1
lxc ls
+---------+---------+----------------------+-----------------------------------------------+-----------------+-----------+
|  NAME   |  STATE  |         IPV4         |                     IPV6                      |      TYPE       | SNAPSHOTS |
+---------+---------+----------------------+-----------------------------------------------+-----------------+-----------+
| clxdbr0 | RUNNING | 10.64.199.27 (eth0)  | fd42:bafd:ac21:9f:216:3eff:feaa:dcb6 (eth0)   | CONTAINER       | 0         |
+---------+---------+----------------------+-----------------------------------------------+-----------------+-----------+
| clxdbr1 | RUNNING | 10.174.226.14 (eth0) | fd42:97ce:87b9:1a79:216:3eff:fe56:3adc (eth0) | CONTAINER       | 0         |
+---------+---------+----------------------+-----------------------------------------------+-----------------+-----------+

Check that IPv4 traffic is blocked between instances (remember to do the same for IPv6 if using it), but external traffic is allowed:

lxc exec clxdbr0 -- ping -c1 -W1 10.174.226.14 
PING 10.174.226.14 (10.174.226.14): 56 data bytes

--- 10.174.226.14 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

lxc exec clxdbr0 -- ping -c1 -W1 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=120 time=18.415 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 18.415/18.415/18.415 ms

lxc exec clxdbr1 -- ping -c1 -W1 10.64.199.27
PING 10.64.199.27 (10.64.199.27): 56 data bytes

--- 10.64.199.27 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

lxc exec clxdbr1 -- ping -c1 -W1 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=120 time=16.192 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 16.192/16.192/16.192 ms
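
The ACL rules in the post list only the IPv4 subnets, and the post notes that IPv6 needs the same treatment. As an added example (not part of the original post), this script prints the same `lxc` commands with both address families covered and includes a helper that reads ping output to confirm a path is blocked. The /64 prefixes are derived from the `lxc network show` output above, the function names are made up for illustration, and it assumes the two ACLs do not exist yet.

```shell
#!/bin/sh
# Added example: prints (does not run) the lxc commands so they can be
# reviewed first. To apply them: isolation_cmds | sh

# Subnets taken from the `lxc network show` output in the post.
LXDBR0_NETS="10.64.199.0/24 fd42:bafd:ac21:9f::/64"
LXDBR1_NETS="10.174.226.0/24 fd42:97ce:87b9:1a79::/64"

# deny_acl_cmds ACL CIDR...
# One ingress and one egress reject rule per CIDR, IPv4 or IPv6.
deny_acl_cmds() {
    acl=$1; shift
    echo "lxc network acl create $acl"
    for cidr in "$@"; do
        echo "lxc network acl rule add $acl ingress source=$cidr action=reject"
        echo "lxc network acl rule add $acl egress destination=$cidr action=reject"
    done
}

# attach_cmd NETWORK ACL
# Default-allow policy plus the deny ACL describing the *other* bridge.
attach_cmd() {
    echo "lxc network set $1 security.acls.default.egress.action=allow security.acls.default.ingress.action=allow security.acls=$2"
}

isolation_cmds() {
    # Unquoted on purpose: each list splits into separate CIDR arguments.
    deny_acl_cmds lxdbr0-deny $LXDBR0_NETS
    deny_acl_cmds lxdbr1-deny $LXDBR1_NETS
    attach_cmd lxdbr0 lxdbr1-deny
    attach_cmd lxdbr1 lxdbr0-deny
}

# ping_blocked: reads ping output on stdin, succeeds only on total loss.
# Example: lxc exec clxdbr0 -- ping -c1 -W1 10.174.226.14 | ping_blocked
ping_blocked() {
    grep -q ', 100% packet loss'
}

isolation_cmds
```

Run the `ping_blocked` check once per address family and per direction; a rule set that covers only one family leaves the other path between the bridges open.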