LXC default networking is not working anymore with docker

Hello,

I have switched to a new network location, and my containers are not connected anymore over lxdbr0.

Containers that have macvlan networking work, but the default networking over lxdbr0 stopped working. I have searched the previous questions and there is something about docker blocking lxc’s networking (although docker was installed from the beginning; lxc and docker coexisted for a while before this stuck).

Here is my iptables -L -n -v:

Chain INPUT (policy ACCEPT 420K packets, 609M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 942 packets, 60440 bytes)
pkts bytes target prot opt in out source destination
942 60440 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
942 60440 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 198K packets, 13M bytes)
pkts bytes target prot opt in out source destination

Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
942 60440 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
942 60440 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Best Regards,
C.

The default policy of DROP on the forward chain is what docker enables and is commonly causing lxd network issues for bridges. There is a page on the docker site about the default drop policy.

That page also mentions a way to stop docker altering iptables which would be worth a try.
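The effect described in the reply above, as an added example that is not part of the thread: a small Python walker that parses an `iptables -L -n -v` listing and reports what happens to a new forwarded packet from a given bridge. `SAMPLE` is constructed from the listing in the question (trimmed), and the function names are hypothetical; rules are matched on the in/out interface columns only, which is a simplification.

```python
import re

# Constructed sample in the `iptables -L -n -v` layout from the question (trimmed).
SAMPLE = """\
Chain FORWARD (policy DROP 942 packets, 60440 bytes)
pkts bytes target prot opt in out source destination
942 60440 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
942 60440 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+))?")

def parse(listing):
    """Return {chain: {"policy": str or None, "rules": [dict, ...]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        f = line.split()
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # column header or blank line
        current["rules"].append({"target": f[2], "in": f[5], "out": f[6], "extra": f[9:]})
    return chains

def iface_match(spec, iface):
    """'*' matches any interface; '!name' negates."""
    return spec == "*" or (spec[1:] != iface if spec.startswith("!") else spec == iface)

def verdict(chains, in_if, out_if, chain="FORWARD"):
    """Fate of a NEW packet, matching on interfaces only (simplification)."""
    for r in chains[chain]["rules"]:
        if r["extra"] or not (iface_match(r["in"], in_if) and iface_match(r["out"], out_if)):
            continue  # rules with extra matches (e.g. ctstate) are skipped for NEW packets
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
        if r["target"] == "RETURN":
            return None  # back to the calling chain
        if r["target"] in chains:
            sub = verdict(chains, in_if, out_if, r["target"])
            if sub:
                return sub
    return chains[chain]["policy"]  # None for user-defined chains
```

With `eth0` as an assumed uplink name, `verdict(parse(SAMPLE), "docker0", "eth0")` returns `ACCEPT`, while `verdict(parse(SAMPLE), "lxdbr0", "eth0")` falls through every rule and returns the chain policy, `DROP`.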