Lxd uses iptables-legacy even if iptables-nft is default

skybert · April 21, 2021, 3:00pm

root@quanah ~ # iptables-save 
# Generated by xtables-save v1.8.2 on Wed Apr 21 16:58:09 2021
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.1.1/32 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3142 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8899 -j ACCEPT
-A INPUT -p udp -m multiport --dports 60000:61000 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Wed Apr 21 16:58:09 2021
# Generated by xtables-save v1.8.2 on Wed Apr 21 16:58:09 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 21 16:58:09 2021
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

Doing what it says on the last line gives:

root@quanah ~ # iptables-legacy-save 
# Generated by iptables-save v1.8.2 on Wed Apr 21 16:59:32 2021
*raw
:PREROUTING ACCEPT [1318705:1086631838]
:OUTPUT ACCEPT [819567:250366631]
COMMIT
# Completed on Wed Apr 21 16:59:32 2021
# Generated by iptables-save v1.8.2 on Wed Apr 21 16:59:32 2021
*mangle
:PREROUTING ACCEPT [282:96565]
:INPUT ACCEPT [282:96565]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270:44494]
:POSTROUTING ACCEPT [302:48734]
-A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Apr 21 16:59:32 2021
# Generated by iptables-save v1.8.2 on Wed Apr 21 16:59:32 2021
*nat
:PREROUTING ACCEPT [36:14440]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [68:5052]
:POSTROUTING ACCEPT [65:4590]
-A POSTROUTING -s 10.107.206.0/24 ! -d 10.107.206.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
COMMIT
# Completed on Wed Apr 21 16:59:32 2021
# Generated by iptables-save v1.8.2 on Wed Apr 21 16:59:32 2021
*filter
:INPUT ACCEPT [282:96565]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270:44494]
-A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p tcp -m tcp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p udp -m udp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p udp -m udp --sport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
COMMIT
# Completed on Wed Apr 21 16:59:32 2021