Lxd uses iptables-legacy even if iptables-nft is default

Hi there,

sorry to say, but my containers are again without an IP. What I have done is switch from iptables-legacy to iptables-nft, and I’ve restarted the computer (several times).

My system should AFAICT use the newer nft commands:

root@quanah ~ # ls /etc/alternatives/ip*
lrwxrwxrwx 1 root root 23 Apr 20 13:49 /etc/alternatives/ip6tables -> /usr/sbin/ip6tables-nft
lrwxrwxrwx 1 root root 31 Apr 20 13:49 /etc/alternatives/ip6tables-restore -> /usr/sbin/ip6tables-nft-restore
lrwxrwxrwx 1 root root 28 Apr 20 13:49 /etc/alternatives/ip6tables-save -> /usr/sbin/ip6tables-nft-save
lrwxrwxrwx 1 root root 22 Apr  8 10:11 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
lrwxrwxrwx 1 root root 30 Apr  8 10:11 /etc/alternatives/iptables-restore -> /usr/sbin/iptables-nft-restore
lrwxrwxrwx 1 root root 27 Apr  8 10:11 /etc/alternatives/iptables-save -> /usr/sbin/iptables-nft-save

However, I see that the lxd rules have been set up using iptables-legacy (after restarting snap and lxd, have also tried rebooting the computer):

root@quanah ~ # iptables-legacy -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps /* generated for LXD network lxdbr0 */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */
ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps /* generated for LXD network lxdbr0 */

My other firewall rules are shown when using iptables -L and iptables-nft -L.

What am I missing here?

I don’t know if this is what’s causing my containers to not get an IP, but it seems odd to me.

tcpdump

Running dhcp -v eth0 inside the container shows this on the host machine:

root@quanah ~ # tcpdump -i lxdbr0
listening on lxdbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:29:35.964184 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:c8:ad:28 (oui Unknown), length 300
16:29:38.627124 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:c8:ad:28 (oui Unknown), length 300
16:29:44.043561 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:c8:ad:28 (oui Unknown), length 300
16:29:55.192863 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:c8:ad:28 (oui Unknown), length 300
16:30:08.202171 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:c8:ad:28 (oui Unknown), length 300
16:30:08.805536 IP 10.107.206.1.47592 > 239.255.255.250.1900: UDP, length 171
16:30:09.085949 IP 10.107.206.1.52273 > 239.255.255.250.1900: UDP, length 167
16:30:09.806259 IP 10.107.206.1.47592 > 239.255.255.250.1900: UDP, length 171
16:30:10.087470 IP 10.107.206.1.52273 > 239.255.255.250.1900: UDP, length 167
16:30:10.807063 IP 10.107.206.1.47592 > 239.255.255.250.1900: UDP, length 171
16:30:11.089015 IP 10.107.206.1.52273 > 239.255.255.250.1900: UDP, length 167
16:30:11.807837 IP 10.107.206.1.47592 > 239.255.255.250.1900: UDP, length 171
16:30:12.090665 IP 10.107.206.1.52273 > 239.255.255.250.1900: UDP, length 167
16:30:15.476240 IP6 fd42:71d3:6e74:8047:216:3eff:fec8:ad28.43748 > fd42:71d3:6e74:8047::1.domain: 49838+ [1au] A? api.snapcraft.io. (45)
16:30:15.477106 IP6 fd42:71d3:6e74:8047:216:3eff:fec8:ad28.59171 > fd42:71d3:6e74:8047::1.domain: 44200+ [1au] AAAA? api.snapcraft.io. (45)
16:30:15.486629 IP6 fd42:71d3:6e74:8047::1.domain > fd42:71d3:6e74:8047:216:3eff:fec8:ad28.43748: 49838 6/0/1 A 91.189.92.40, A 91.189.92.41, A 91.189.92.19, A 91.189.92.20, A 91.189.92.38, A 91.189.92.39 (141)
16:30:15.564224 IP6 fd42:71d3:6e74:8047::1.domain > fd42:71d3:6e74:8047:216:3eff:fec8:ad28.59171: 44200 0/1/1 (109)
16:30:15.976591 IP6 fd42:71d3:6e74:8047:216:3eff:fec8:ad28.52543 > fd42:71d3:6e74:8047::1.domain: 40676+ [1au] AAAA? api.snapcraft.io. (45)
16:30:15.976810 IP6 fd42:71d3:6e74:8047::1.domain > fd42:71d3:6e74:8047:216:3eff:fec8:ad28.52543: 40676 0/0/1 (45)
16:30:17.226804 IP6 fd42:71d3:6e74:8047:216:3eff:fec8:ad28.36730 > fd42:71d3:6e74:8047::1.domain: 41852+ [1au] AAAA? api.snapcraft.io. (45)
16:30:17.227169 IP6 fd42:71d3:6e74:8047::1.domain > fd42:71d3:6e74:8047:216:3eff:fec8:ad28.36730: 41852 0/0/1 (45)
16:30:19.697933 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:c8:ad:28 (oui Unknown), length 300
16:30:20.351641 IP6 fd42:71d3:6e74:8047:216:3eff:fec8:ad28.37869 > fd42:71d3:6e74:8047::1.domain: 36766+ [1au] AAAA? api.snapcraft.io. (45)
16:30:20.351880 IP6 fd42:71d3:6e74:8047::1.domain > fd42:71d3:6e74:8047:216:3eff:fec8:ad28.37869: 36766 0/0/1 (45)
16:30:20.683421 IP6 fe80::216:3eff:fed0:93 > fd42:71d3:6e74:8047:216:3eff:fec8:ad28: ICMP6, neighbor solicitation, who has fd42:71d3:6e74:8047:216:3eff:fec8:ad28, length 32
16:30:20.683489 IP6 fe80::216:3eff:fec8:ad28 > fd42:71d3:6e74:8047::1: ICMP6, neighbor solicitation, who has fd42:71d3:6e74:8047::1, length 32
16:30:20.683620 IP6 fd42:71d3:6e74:8047::1 > fe80::216:3eff:fec8:ad28: ICMP6, neighbor advertisement, tgt is fd42:71d3:6e74:8047::1, length 24
16:30:20.683578 IP6 fd42:71d3:6e74:8047:216:3eff:fec8:ad28 > fe80::216:3eff:fed0:93: ICMP6, neighbor advertisement, tgt is fd42:71d3:6e74:8047:216:3eff:fec8:ad28, length 24
16:30:24.806317 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:c8:ad:28 (oui Unknown), length 287
16:30:25.803391 IP6 fe80::216:3eff:fed0:93 > fe80::216:3eff:fec8:ad28: ICMP6, neighbor solicitation, who has fe80::216:3eff:fec8:ad28, length 32
16:30:25.803480 IP6 fe80::216:3eff:fec8:ad28 > fe80::216:3eff:fed0:93: ICMP6, neighbor solicitation, who has fe80::216:3eff:fed0:93, length 32
16:30:25.803991 IP6 fe80::216:3eff:fed0:93 > fe80::216:3eff:fec8:ad28: ICMP6, neighbor advertisement, tgt is fe80::216:3eff:fed0:93, length 24
16:30:25.803935 IP6 fe80::216:3eff:fec8:ad28 > fe80::216:3eff:fed0:93: ICMP6, neighbor advertisement, tgt is fe80::216:3eff:fec8:ad28, length 24
16:30:28.164320 IP6 fd42:71d3:6e74:8047:216:3eff:fec8:ad28.49645 > fd42:71d3:6e74:8047::1.domain: 15173+ [1au] AAAA? api.snapcraft.io. (45)
16:30:28.164554 IP6 fd42:71d3:6e74:8047::1.domain > fd42:71d3:6e74:8047:216:3eff:fec8:ad28.49645: 15173 0/0/1 (45)
16:30:31.021328 IP 10.107.206.1.mdns > 224.0.0.251.mdns: 0 PTR (QM)? _spotify-connect._tcp.local. (45)
16:30:32.869782 IP 10.107.206.1.55286 > 239.255.255.250.1900: UDP, length 125
16:30:37.636731 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:3e:c8:ad:28 (oui Unknown), length 300

DNS server

There’s only one DNS server process and I’ve verified this is the one running as lxd:

root@quanah ~ # netstat -nlp | grep -w 53
tcp        0      0 10.107.206.1:53         0.0.0.0:*               LISTEN      19585/dnsmasq       
tcp6       0      0 fd42:71d3:6e74:8047::53 :::*                    LISTEN      19585/dnsmasq       
udp        0      0 10.107.206.1:53         0.0.0.0:*                           19585/dnsmasq       
udp6       0      0 fd42:71d3:6e74:8047::53 :::*                                19585/dnsmasq

Versions

~ $ snap --version
snap    2.49.2
snapd   2.49.2
series  16
debian  10
kernel  4.19.0-16-amd64
~ $ lxd --version 
4.13

Any help would be much appreciated.

Can you enable LXD debug mode and reload LXD using:

sudo snap set lxd daemon.debug=true; sudo systemctl reload snap.lxd.daemon

Then look in /var/snap/lxd/common/lxd/logs/lxd.log for the line “Firewall loaded driver”; there may be some additional info on the line above that with the reason the specific driver was picked over others.

Can you also provide the output of iptables-save, as it may be that there are existing rules in another table you’ve not wiped out that are causing LXD to think iptables is in use, and causing it to use it.

After enabling debug, /var/snap/lxd/common/lxd/logs/lxd.log shows:

t=2021-04-21T16:10:06+0200 lvl=info msg="LXD 4.13 is starting in normal mode" path=/var/snap/lxd/common/lxd
t=2021-04-21T16:10:06+0200 lvl=info msg="Kernel uid/gid map:" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - u 0 0 4294967295" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - g 0 0 4294967295" 
t=2021-04-21T16:10:06+0200 lvl=info msg="Configured LXD uid/gid map:" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - u 0 1000000 1000000000" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - g 0 1000000 1000000000" 
t=2021-04-21T16:10:06+0200 lvl=info msg="Kernel features:" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - closing multiple file descriptors efficiently: no" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - netnsid-based network retrieval: no" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - pidfds: no" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - uevent injection: yes" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - seccomp listener: no" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - seccomp listener continue syscalls: no" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - seccomp listener add file descriptors: no" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - attach to namespaces via pidfds: no" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - safe native terminal allocation : yes" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - unprivileged file capabilities: yes" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - cgroup layout: hybrid" 
t=2021-04-21T16:10:06+0200 lvl=warn msg=" - Couldn't find the CGroup hugetlb controller, hugepage limits will be ignored" 
t=2021-04-21T16:10:06+0200 lvl=warn msg=" - Couldn't find the CGroup memory swap accounting, swap limits will be ignored" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - shiftfs support: disabled" 
t=2021-04-21T16:10:06+0200 lvl=info msg="Initializing local database" 
t=2021-04-21T16:10:06+0200 lvl=info msg="Starting /dev/lxd handler:" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - binding devlxd socket" socket=/var/snap/lxd/common/lxd/devlxd/sock
t=2021-04-21T16:10:06+0200 lvl=info msg="REST API daemon:" 
t=2021-04-21T16:10:06+0200 lvl=info msg=" - binding Unix socket" inherited=true socket=/var/snap/lxd/common/lxd/unix.socket
t=2021-04-21T16:10:06+0200 lvl=info msg=" - binding TCP socket" socket=[::]:8443
t=2021-04-21T16:10:06+0200 lvl=info msg="Initializing global database" 
t=2021-04-21T16:10:06+0200 lvl=info msg="Firewall loaded driver \"xtables\""

root@quanah ~ # iptables-save 
# Generated by xtables-save v1.8.2 on Wed Apr 21 16:58:09 2021
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.1.1/32 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3142 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8899 -j ACCEPT
-A INPUT -p udp -m multiport --dports 60000:61000 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Wed Apr 21 16:58:09 2021
# Generated by xtables-save v1.8.2 on Wed Apr 21 16:58:09 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 21 16:58:09 2021
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

Doing what it says on the last line gives:

root@quanah ~ # iptables-legacy-save 
# Generated by iptables-save v1.8.2 on Wed Apr 21 16:59:32 2021
*raw
:PREROUTING ACCEPT [1318705:1086631838]
:OUTPUT ACCEPT [819567:250366631]
COMMIT
# Completed on Wed Apr 21 16:59:32 2021
# Generated by iptables-save v1.8.2 on Wed Apr 21 16:59:32 2021
*mangle
:PREROUTING ACCEPT [282:96565]
:INPUT ACCEPT [282:96565]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270:44494]
:POSTROUTING ACCEPT [302:48734]
-A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Apr 21 16:59:32 2021
# Generated by iptables-save v1.8.2 on Wed Apr 21 16:59:32 2021
*nat
:PREROUTING ACCEPT [36:14440]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [68:5052]
:POSTROUTING ACCEPT [65:4590]
-A POSTROUTING -s 10.107.206.0/24 ! -d 10.107.206.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
COMMIT
# Completed on Wed Apr 21 16:59:32 2021
# Generated by iptables-save v1.8.2 on Wed Apr 21 16:59:32 2021
*filter
:INPUT ACCEPT [282:96565]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270:44494]
-A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p tcp -m tcp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p udp -m udp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p udp -m udp --sport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
COMMIT
# Completed on Wed Apr 21 16:59:32 2021

OK, so make sure all LXD rules are removed from iptables (and ip6tables) legacy; then reloading LXD should get it to use nftables.

I reset everything with:

for ipt in iptables iptables-legacy ip6tables ip6tables-legacy; do $ipt --flush; $ipt --flush -t nat; $ipt --delete-chain; $ipt --delete-chain -t nat; $ipt -P FORWARD ACCEPT; $ipt -P INPUT ACCEPT; $ipt -P OUTPUT ACCEPT; done

The firewall rules now looked like:

root@quanah ~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@quanah ~ # iptables-legacy -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The iptables-saves now looked like:

root@quanah ~ # ip6tables-save 
# Generated by xtables-save v1.8.2 on Wed Apr 21 19:38:26 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 21 19:38:26 2021
# Generated by xtables-save v1.8.2 on Wed Apr 21 19:38:26 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 21 19:38:26 2021
# Warning: ip6tables-legacy tables present, use ip6tables-legacy-save to see them
root@quanah ~ # iptables-legacy-save 
# Generated by iptables-save v1.8.2 on Wed Apr 21 19:40:33 2021
*raw
:PREROUTING ACCEPT [1328069:1094803195]
:OUTPUT ACCEPT [829635:252833956]
COMMIT
# Completed on Wed Apr 21 19:40:33 2021
# Generated by iptables-save v1.8.2 on Wed Apr 21 19:40:33 2021
*mangle
:PREROUTING ACCEPT [9646:8267922]
:INPUT ACCEPT [9646:8267922]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10338:2511819]
:POSTROUTING ACCEPT [10552:2544443]
-A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Apr 21 19:40:33 2021
# Generated by iptables-save v1.8.2 on Wed Apr 21 19:40:33 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 21 19:40:33 2021
# Generated by iptables-save v1.8.2 on Wed Apr 21 19:40:33 2021
*filter
:INPUT ACCEPT [1148:450560]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1422:371179]
COMMIT
# Completed on Wed Apr 21 19:40:33 2021
root@quanah ~ # ip6tables-legacy-save 
# Generated by ip6tables-save v1.8.2 on Wed Apr 21 19:40:40 2021
*raw
:PREROUTING ACCEPT [1289:106194]
:OUTPUT ACCEPT [844:86685]
COMMIT
# Completed on Wed Apr 21 19:40:40 2021
# Generated by ip6tables-save v1.8.2 on Wed Apr 21 19:40:40 2021
*mangle
:PREROUTING ACCEPT [1289:106194]
:INPUT ACCEPT [931:78986]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [844:86685]
:POSTROUTING ACCEPT [1003:106941]
COMMIT
# Completed on Wed Apr 21 19:40:40 2021
# Generated by ip6tables-save v1.8.2 on Wed Apr 21 19:40:40 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 21 19:40:40 2021
# Generated by ip6tables-save v1.8.2 on Wed Apr 21 19:40:40 2021
*filter
:INPUT ACCEPT [1:128]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:128]
COMMIT
# Completed on Wed Apr 21 19:40:40 2021

I then reloaded LXD with:

root@quanah ~ # systemctl reload snap.lxd.daemon

Unfortunately, LXD still insisted on adding its rules to iptables-legacy:

root@quanah ~ # iptables-legacy -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps /* generated for LXD network lxdbr0 */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */
ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps /* generated for LXD network lxdbr0 */

You still had a rule in the mangle table, it needs to be flushed.

That was it!

# iptables --flush -t mangle
# systemctl reload snap.lxd.daemon

did the trick.

Thanks a lot for your help and patience, @tomp :bowing_man:
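The root cause in this thread was a single leftover rule in a table the reset loop never touched (mangle), which was enough for LXD to keep picking the xtables driver. The following added example, not code from the thread or from LXD, parses iptables-save-format output and reports every table (raw, mangle, nat, filter) in both the legacy and nft backends that still holds rules, so the check can be run before reloading LXD; the sample dump and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXD: audit every netfilter
# table (raw, mangle, nat, filter) in both backends for leftover rules before
# reloading LXD. The thread's reset loop only flushed filter and nat, so the
# CHECKSUM rule in mangle survived and kept the xtables driver selected.

# Print "<table> <rule-count>" for each table in iptables-save-format input
# (stdin) that still holds an -A rule; prints nothing if every table is empty.
tables_with_rules() {
    awk '
        /^\*/     { table = substr($0, 2) }
        /^-A /    { count[table]++ }
        /^COMMIT/ { if (count[table] > 0) print table, count[table]; delete count[table] }
    '
}

# Count rules carrying LXD's "generated for LXD network" comment (stdin).
lxd_rule_count() {
    grep -c 'generated for LXD network' || true
}

# Run one backend's save tool (if installed and permitted) and report tables
# that are not empty. Returns 1 when residue is found, 0 otherwise.
audit_backend() {
    tool="$1"   # e.g. iptables-legacy-save
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool: not installed, skipped"; return 0; }
    dump=$("$tool" 2>/dev/null) || { echo "$tool: could not run (needs root), skipped"; return 0; }
    leftovers=$(printf '%s\n' "$dump" | tables_with_rules)
    [ -n "$leftovers" ] || { echo "$tool: all tables empty"; return 0; }
    echo "$tool: tables still holding rules (flush these before reloading LXD):"
    printf '%s\n' "$leftovers" | sed 's/^/  /'
    echo "  of which LXD-tagged: $(printf '%s\n' "$dump" | lxd_rule_count)"
    return 1
}

# Audit both backends, v4 and v6, on this host (run as root); returns 1 on residue.
audit_host() {
    rc=0
    for t in iptables-legacy-save ip6tables-legacy-save iptables-nft-save ip6tables-nft-save; do
        audit_backend "$t" || rc=1
    done
    return $rc
}

# Constructed sample mirroring the thread's state after the filter/nat flush:
# only the mangle CHECKSUM rule is left.
SAMPLE_LEGACY_DUMP='*mangle
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
COMMIT'
# Offline demonstration on the sample; call audit_host for the real check.
printf '%s\n' "$SAMPLE_LEGACY_DUMP" | tables_with_rules   # prints: mangle 1
```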
