I found the following issue: despite NAT being enabled on the LXD hosts, all VMs and containers are still accessible from the local network. Let’s imagine the following network topology:
                     Switch
               +-----------------+
               |                 |
               | O O O O O O O O |
               |                 |
               +----+-------+----+
                    |       |
                    |       |
  192.168.1.2       |       |     192.168.1.3
+--------------+    |       |   +-------------------------------------+
|              |    |       |   |                                     |
|    Hacker    +----+       |   |              LXD Host               |
|              |            |   |                                     |
+--------------+            |   |                                     |
                            |   |  192.168.130.2      192.168.130.3   |
                            +---+  +------------+     +------------+  |
                                |  |            |     |            |  |
                                |  |    VM1     |     |    VM2     |  |
                                |  |            |     |            |  |
                                |  +------------+     +------------+  |
                                |                                     |
                                |                                     |
                                +-------------------------------------+
While NAT is enabled on the LXD host, the hacker can add a route using the following command:
$ ip route add 192.168.130.0/24 via 192.168.1.3
$ ping 192.168.130.2
PING 192.168.130.2 (192.168.130.2) 56(84) bytes of data.
64 bytes from 192.168.130.2: icmp_seq=1 ttl=63 time=3.14 ms
64 bytes from 192.168.130.2: icmp_seq=2 ttl=63 time=3.66 ms
64 bytes from 192.168.130.2: icmp_seq=3 ttl=63 time=3.62 ms
64 bytes from 192.168.130.2: icmp_seq=4 ttl=63 time=3.80 ms
and will have full access to all VMs and containers running on the LXD host. This issue is reproduced both on LXD and on regular LXC containers with lxc-net. Meanwhile, there is no such issue for libvirt VMs and Docker containers. Looks like LXD is missing some kind of iptables filter rule.
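Here is the kind of FORWARD-chain filter rule the post says is missing, written as an added example (not code from the original post or from LXD). It assumes the bridge is called lxdbr0, LXD's default bridge name, and uses the 192.168.130.0/24 guest subnet from the diagram; both are overridable through the environment.

```shell
#!/bin/sh
# Added example: a FORWARD-chain filter of the kind the post says LXD lacks.
# Not LXD's own code. Assumptions (adjust to your host):
#   BRIDGE - the LXD/lxc-net bridge interface (lxdbr0 is LXD's default name)
#   SUBNET - the guest subnet behind it, 192.168.130.0/24 as in the diagram
# Why NAT alone is not enough: MASQUERADE in the nat table only rewrites the
# source address of packets leaving the host. A LAN host that routes the guest
# subnet via the LXD host sends packets the kernel simply forwards onto the
# bridge, because nothing in the filter table's FORWARD chain objects.
BRIDGE="${BRIDGE:-lxdbr0}"
SUBNET="${SUBNET:-192.168.130.0/24}"

# Print the rules, one per line. Each -I goes to the top of the chain, so
# they are listed in reverse of their final order. Final order:
#  1. replies to connections the guests opened themselves are accepted
#  2. anything else arriving on a non-bridge interface for the bridge is
#     dropped. Guest-to-guest traffic has -i $BRIDGE and is untouched;
#     host-to-guest traffic uses INPUT/OUTPUT, not FORWARD, and is untouched.
lxd_forward_filter_rules() {
    cat <<EOF
iptables -I FORWARD 1 ! -i $BRIDGE -o $BRIDGE -d $SUBNET -j DROP
iptables -I FORWARD 1 -o $BRIDGE -d $SUBNET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Exit 0 only if both rules are already installed (iptables -C returns
# non-zero when a rule is absent). Needs root.
lxd_forward_filter_check() {
    iptables -C FORWARD -o "$BRIDGE" -d "$SUBNET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT \
    && iptables -C FORWARD ! -i "$BRIDGE" -o "$BRIDGE" -d "$SUBNET" -j DROP
}

# Install the rules unless they are already present. Needs root.
lxd_forward_filter_apply() {
    if lxd_forward_filter_check 2>/dev/null; then
        echo "filter rules already present on $BRIDGE"
        return 0
    fi
    lxd_forward_filter_rules | sh -e
}

# Usage: ./lxd-forward-filter.sh show | check | apply   (default: show)
case "${1:-show}" in
    show)  lxd_forward_filter_rules ;;
    check) lxd_forward_filter_check ;;
    apply) lxd_forward_filter_apply ;;
esac
```

After applying, the `ip route add ... ; ping 192.168.130.2` sequence from the post should time out, while the guests can still reach the LAN and receive their replies.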