No, it's not normal, but then nor is your ruleset; you've got a mix of libvirt and ufw rules in there, and either one of them could have set that.
Didn't work for me. The container can't be started at all with such a profile:
Name: net-test-01
Location: none
Remote: unix://
Architecture: x86_64
Created: 2021/04/03 21:41 UTC
Status: Stopped
Type: container
Profiles: default, net-01-ramesses
Log:
lxc net-test-01 20210403232713.311 WARN cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1129 - File exists - Failed to create directory "/sys/fs/cgroup/cpuset//lxc.monitor.net-test-01"
lxc net-test-01 20210403232713.312 WARN cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1129 - File exists - Failed to create directory "/sys/fs/cgroup/cpuset//lxc.payload.net-test-01"
lxc net-test-01 20210403232713.317 ERROR network - network.c:lxc_setup_l2proxy:2924 - File exists - Failed to add ipv4 dest "192.168.1.200" for network device "lo"
lxc net-test-01 20210403232713.317 ERROR network - network.c:lxc_create_network_priv:3064 - File exists - Failed to setup l2proxy
lxc net-test-01 20210403232713.317 ERROR start - start.c:lxc_spawn:1786 - Failed to create the network
lxc net-test-01 20210403232713.317 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:860 - Received container state "ABORTING" instead of "RUNNING"
lxc net-test-01 20210403232713.318 ERROR start - start.c:__lxc_start:1999 - Failed to spawn container "net-test-01"
lxc net-test-01 20210403232713.318 WARN start - start.c:lxc_abort:1013 - No such process - Failed to send SIGKILL via pidfd 31 for process 3348791
lxc 20210403232713.795 WARN commands - commands.c:lxc_cmd_rsp_recv:126 - Connection reset by peer - Failed to receive response for command "get_state"
I appear to have the same setup and the same issue. It's not clear to me how to change the default FORWARD chain policy from DROP (and what to change it to)?
Hi,
You can list the iptables rules with iptables -S and change the FORWARD policy with the following command:
iptables -P FORWARD ACCEPT
Regards.
Thanks. I used the following, which seems to have worked also:
ufw default allow routed
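Either fix above (iptables -P FORWARD ACCEPT or ufw default allow routed) ends up changing the FORWARD chain policy, and on a host that mixes ufw and libvirt rules it is worth verifying the result rather than assuming it. The script below is an added example, not code from anyone in this thread: it parses iptables -S output, reports the FORWARD policy, and lists the chains FORWARD jumps to (so you can see which tool owns the rules). The rule listings embedded in it are constructed samples; on a real host you would feed it "$(iptables -S)" as root.

```shell
#!/bin/sh
# Added example (not from the thread): inspect `iptables -S` output to confirm
# the FORWARD chain policy and see which chains (ufw, libvirt, ...) FORWARD
# hands traffic to. Usage on a real host: forward_policy "$(iptables -S)"

# Constructed sample: a host with the default DROP policy plus ufw and libvirt chains.
SAMPLE_RULES_DROP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N LIBVIRT_FWI
-N ufw-before-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j LIBVIRT_FWI'

# Constructed sample: the same host after the policy has been switched to ACCEPT.
SAMPLE_RULES_ACCEPT='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -j ufw-before-forward'

# Print the policy (ACCEPT or DROP) of the FORWARD chain from `iptables -S` output.
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Exit 0 when FORWARD policy is ACCEPT, 1 when it is DROP, 2 when no policy line is found.
forward_allowed() {
    case "$(forward_policy "$1")" in
        ACCEPT) return 0 ;;
        DROP)   return 1 ;;
        *)      return 2 ;;
    esac
}

# Print the jump targets (-j CHAIN) of every rule appended to FORWARD, one per line.
# Names starting with "ufw-" come from ufw, "LIBVIRT_" from libvirt.
forward_jump_targets() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "FORWARD" {
            for (i = 3; i <= NF; i++) if ($i == "-j") print $(i + 1)
        }'
}

# Human-readable summary used when running the script directly.
report() {
    rules="$1"
    printf 'FORWARD policy: %s\n' "$(forward_policy "$rules")"
    printf 'FORWARD jumps to: %s\n' "$(forward_jump_targets "$rules" | tr '\n' ' ')"
    if forward_allowed "$rules"; then
        echo "Forwarded (routed) traffic is allowed by default."
    else
        echo "Forwarded traffic is dropped unless a rule in one of the chains above accepts it."
    fi
}

# Demonstrate on the constructed samples; replace with "$(iptables -S)" on a real host.
report "$SAMPLE_RULES_DROP"
echo
report "$SAMPLE_RULES_ACCEPT"
```

Note that ufw's "default allow routed" rewrites the policy through ufw's own rule files, so after a ufw reload the iptables view and the ufw view stay consistent; setting the policy directly with iptables -P is not persisted across a ufw reload or reboot, which is why checking the live policy after a change is useful.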