A PR was merged yesterday (due in LXD 4.10) that allows you to set security.port_isolation=true on a bridged NIC device, which will prevent it from communicating with any other instances that also have the same setting enabled.
Keep in mind this will still allow the instances to communicate with the host (and any external interfaces added to the bridge).
You can try it now by using snap refresh lxd --channel=latest/edge; however, be aware that this is an edge release so can have more bugs in it, and if there is a DB schema change you won’t be able to downgrade, so best to use it on a separate test system.
So the first error you got was because the NIC device doesn’t exist in the container, and only in the profile.
Editing the profile is fine, but if you did want to only apply this setting to a specific container then you can copy the device config from the profile into the container and modify it in a single command using the override command, e.g.
However, whether editing the profile or editing the container’s device config, you’ll get the same error, as it appears the port isolation feature isn’t supported on your host currently.
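Added example, not part of the thread: a small POSIX shell check that reads the detailed output of bridge -d link show and reports whether a given bridge port is isolated, so that a security.port_isolation setting the host silently could not apply (an old iproute2 prints no isolated field at all) is distinguished from one that is simply off. The sample output, port names and bridge name are constructed; it assumes iproute2 4.18 or later prints "isolated on/off" in detailed link output.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that the bridge ports
# behind LXD instances really report "isolated on" after setting
# security.port_isolation=true, instead of trusting that the setting took effect.

# Constructed sample of `bridge -d link show` on a host whose iproute2 knows
# the isolated flag. Port names and bridge name are made up.
SAMPLE_BRIDGE_OUTPUT='5: veth0a1b2c3d@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lxdbr0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated on
6: veth9e8f7a6b@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lxdbr0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off'

# Constructed sample of the same command from an older iproute2 (bionic era):
# the port is listed but there is no isolated field at all.
SAMPLE_OLD_OUTPUT='5: veth0a1b2c3d@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lxdbr0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off'

# port_isolation_state OUTPUT PORT
# Prints one of: on, off, unsupported (port present, no isolated field), missing.
port_isolation_state() {
    _out=$1
    _port=$2
    # Join each interface's indented continuation line onto its header line,
    # then keep only the record for PORT (names may carry an @ifN suffix).
    _line=$(printf '%s\n' "$_out" | awk '
        /^[0-9]+: / { if (buf != "") print buf; buf = $0; next }
        { buf = buf " " $0 }
        END { if (buf != "") print buf }' | grep -E "^[0-9]+: $_port(@|:)")
    [ -n "$_line" ] || { echo missing; return 0; }
    case "$_line" in
        *" isolated on"*)  echo on ;;
        *" isolated off"*) echo off ;;
        *)                 echo unsupported ;;
    esac
}

# On a live host: port_isolation_state "$(bridge -d link show)" "$port"
for p in veth0a1b2c3d veth9e8f7a6b; do
    printf '%s: %s\n' "$p" "$(port_isolation_state "$SAMPLE_BRIDGE_OUTPUT" "$p")"
done
```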
As you’re running Ubuntu Focal, it should work, and indeed does work on my system. However, I’ve just now managed to reproduce the issue in a VM running the snap, so I’m wondering if this is some sort of race condition inside the Linux bridging subsystem or a packaging issue.
So I can only reproduce this when using the snap package. I think it may be because the LXD snap package still uses the core18 base package, and so the version of the ip tool is likely to be older than in core20 Focal base package.
I’ve confirmed that the man page for the bridge command in bionic doesn’t mention “isolated” mode at all.
@stgraber does this sound feasible? Is anything blocking us from moving to core20 yet?