Bloody hell, it was the firewall!
- Since I didn’t use DHCP prior, I had never thought about BOOTP traffic before!
- Moving my LXD experiments from my workstation to an (internet connected) server, I forgot to adapt the rules accordingly, punch the right holes through etc.
- Make sure to give yourself ample rest, productivity tanks and errors skyrocket when overworked.
I now have LXD related rules along those lines:
define lxd_bridge = "lxdbr0"
define lxd_subnet_ip = 10.100.0.0/24
define lxd_subnet_ip6 = fd42:abbe:1234:5678::1/64
table inet Filter {
chain In {
type filter hook input priority 0; policy drop
(…)
# DHCP (crucial line below, totally new to me)
iifname $lxd_bridge ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp dport bootps accept
iifname $lxd_bridge ip6 saddr fe80::/64 accept
# DNS
iifname $lxd_bridge ip saddr $lxd_subnet_ip udp dport domain accept
iifname $lxd_bridge ip saddr $lxd_subnet_ip tcp dport domain accept
}
}
table ip Nat4 {
chain Pre {
type nat hook prerouting priority 0
}
chain Post {
type nat hook postrouting priority 0
ip saddr $lxd_subnet_ip ip daddr != $lxd_subnet_ip masquerade
}
}
table ip6 Nat6 {
chain Pre {
type nat hook prerouting priority 0
}
chain Post {
type nat hook postrouting priority 0
ip6 saddr $lxd_subnet_ip6 ip6 daddr != $lxd_subnet_ip6 masquerade
}
}
Now the containers acquire IPs, automatically set their nameservers to the bridge IP (where Dnsmasq listens), and generally behave in a more predictable way.
I’ll also move away from manual IP assignment for good now, unless a special case requires it.
Thanks a lot @gpatel-fr and @tomp for the help here and in the other thread!
Edit: Fixed IPv6 DHCP, now SLAAC is fast as well.