Hi,
I installed LXD on my Ubuntu 20.04 host with
sudo snap install lxd
sudo lxd init # create bridge lxdbr0
and launched an Ubuntu 20.04 container with
sudo lxc launch ubuntu:20.04 focal
sudo lxc exec focal ping <outside ip>
But the ping failed.
I found that no iptables rules had been initialized for lxdbr0 (note that `lxc info` below reports the nftables firewall driver, so the LXD rules appear in `nft list ruleset` rather than in `iptables-save`):
iptables-save | grep lxdbr0 # No lxdbr0 related rules are found
lxc info | grep -i firewall:
firewall: nftables
sudo nft list ruleset
table ip nat {
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
iifname "br-c21941e8d811" counter packets 0 bytes 0 return
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
oifname != "br-c21941e8d811" ip saddr 172.19.0.0/16 counter packets 6 bytes 360 masquerade
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 16 bytes 804 jump DOCKER
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
}
table ip filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
iifname "br-c21941e8d811" oifname != "br-c21941e8d811" counter packets 929 bytes 472940 jump DOCKER-ISOLATION-STAGE-2
counter packets 1416 bytes 593650 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
oifname "br-c21941e8d811" counter packets 0 bytes 0 drop
counter packets 929 bytes 472940 return
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 1416 bytes 593650 jump DOCKER-USER
counter packets 1416 bytes 593650 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
oifname "br-c21941e8d811" ct state related,established counter packets 487 bytes 120710 accept
oifname "br-c21941e8d811" counter packets 0 bytes 0 jump DOCKER
iifname "br-c21941e8d811" oifname != "br-c21941e8d811" counter packets 929 bytes 472940 accept
iifname "br-c21941e8d811" oifname "br-c21941e8d811" counter packets 0 bytes 0 accept
}
chain DOCKER-USER {
counter packets 1416 bytes 593650 return
}
}
table inet lxd {
chain pstrt.lxdbr0 {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.69.246.0/24 ip daddr != 10.69.246.0/24 masquerade
ip6 saddr fd42:8469:f67b:3303::/64 ip6 daddr != fd42:8469:f67b:3303::/64 masquerade
}
chain fwd.lxdbr0 {
type filter hook forward priority filter; policy accept;
ip version 4 oifname "lxdbr0" accept
ip version 4 iifname "lxdbr0" accept
ip6 version 6 oifname "lxdbr0" accept
ip6 version 6 iifname "lxdbr0" accept
}
chain in.lxdbr0 {
type filter hook input priority filter; policy accept;
iifname "lxdbr0" tcp dport 53 accept
iifname "lxdbr0" udp dport 53 accept
iifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
iifname "lxdbr0" udp dport 67 accept
iifname "lxdbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
iifname "lxdbr0" udp dport 547 accept
}
chain out.lxdbr0 {
type filter hook output priority filter; policy accept;
oifname "lxdbr0" tcp sport 53 accept
oifname "lxdbr0" udp sport 53 accept
oifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
oifname "lxdbr0" udp sport 67 accept
oifname "lxdbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
oifname "lxdbr0" udp sport 547 accept
}
}
How can I solve this?
Regards,
Like