I usually use unmanaged bridges on my lxd hosts, but would like to implement IP address filtering (as per Security | LXD - I’m using the 4.0 stable branch, but wasn’t sure what the canonical URL was for the 4.0 docs).
I tried to do this:
lxc config device set mycontainer eth1 security.ipv4_filtering=true
… but this doesn’t work on an unmanaged bridge (although security.mac_filtering=true does, and I can set an ipv4.address for a container nic which is connected to an unmanaged bridge).
I currently use an unmanaged bridge so that I can implement physical machines (both lxd and non-lxd hosts, and containers) on the same Ethernet segment, without NAT.
If instead I set up the network as managed (to allow lxd to create the bridge and assign the local IP address), and add the lxd host’s external NIC to the bridge using bridge.external_interfaces, things more or less work, but I’m unable to set a gateway (ipv4 default route) for the lxd host itself. It doesn’t use the ipv4.dhcp.gateway key to set the gateway IP address for the lxd host (neither does ipv4.routes allow specifying a gateway host).
Also, I’m concerned that an external DHCP server would be able to answer queries from containers - looking at the iptables rules, if the lxd managed bridge dhcp functionality is enabled, I can’t see any rules which would block DHCP traffic on the
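A check for the DHCP concern above, added here as an example and not part of the original post: it scans an iptables -S dump for rules that touch the DHCP ports (udp 67/68) on a named bridge and reports whether any of them drop or reject the traffic. The rule lines are constructed samples in the style LXD generates for a managed bridge; iptables only sees frames bridged between ports when br_netfilter is loaded (bridge-nf-call-iptables=1), so the check is only meaningful on such a host.

```shell
#!/bin/sh
# dhcp_block_check RULES BRIDGE
#   RULES  : text of `iptables -S` (all chains, filter table)
#   BRIDGE : bridge interface name, e.g. lxdbr0
# Prints the rules that mention DHCP ports on that bridge and returns
#   0 if at least one of them is a DROP/REJECT,
#   1 if DHCP on the bridge is only ACCEPTed,
#   2 if no rule mentions DHCP on that bridge at all.
# Note: bridged frames (container <-> external port) only traverse iptables
# when br_netfilter is loaded; otherwise FORWARD rules never see them.
dhcp_block_check() {
    rules="$1"
    bridge="$2"
    matched=$(printf '%s\n' "$rules" \
        | grep -E -- "(-i|-o|--physdev-in|--physdev-out) ${bridge}( |\$)" \
        | grep -E -- '--(dport|sport) (67|68)( |$)' || true)
    if [ -z "$matched" ]; then
        return 2
    fi
    printf '%s\n' "$matched"
    printf '%s\n' "$matched" | grep -E -q -- '-j (DROP|REJECT)( |$)'
}

# Constructed sample resembling what LXD adds for a managed bridge with its
# DHCP server enabled: DHCP to/from the host is accepted, nothing is dropped.
SAMPLE_LXD_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p udp -m udp --sport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT'

# Constructed sample where the admin additionally drops DHCP server replies
# (source port 67) that enter the bridge from the external port eth0.
SAMPLE_HARDENED_RULES="$SAMPLE_LXD_RULES
-A FORWARD -i lxdbr0 -p udp -m udp --sport 67 -m physdev --physdev-in eth0 -j DROP"

# Example run: `iptables -S | { r=$(cat); dhcp_block_check "$r" lxdbr0; }`
```

Run against a live host, feed the output of `iptables -S` as the first argument and treat return code 1 or 2 as "external DHCP replies are not blocked by iptables on this bridge".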