MASQUERADE rule added by lxc

The rule goes as follows:

iptables -t nat -A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE

Why the ! -d 10.0.3.0/24 part? I thought it’s to suppress NAT for intercontainer communication, but:

iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -j MASQUERADE

makes no visible difference. I run

tcpdump icmp

in one container (10.0.3.1),

ping -c 10.0.3.2

in the other one (10.0.3.2). And tcpdump says:

10.0.3.2

It is to prevent NAT from affecting inter-container traffic.

By default iptables does not trigger on traffic between bridge members, but it’s something that can be enabled system-wide, in which case that part of the rule becomes quite useful.
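To make the answer concrete, here is a small added model (not code from the question, the answer, or LXC itself) of how the two POSTROUTING rules behave once the packet path is taken into account. It assumes the LXC defaults named in the question: containers on 10.0.3.0/24 behind lxcbr0, whose own address is 10.0.3.1, and it models net.bridge.bridge-nf-call-iptables as the switch that decides whether bridged container-to-container frames reach the nat table at all. The host's external address is unknown here and is represented by a placeholder string; the flow addresses in the demo are constructed (192.0.2.1 is documentation space).

```python
import ipaddress

# Assumed topology (the LXC default): containers live on lxcbr0, 10.0.3.0/24,
# and the bridge's own address on the host is 10.0.3.1.
CONTAINER_NET = ipaddress.ip_network("10.0.3.0/24")
BRIDGE_ADDR = ipaddress.ip_address("10.0.3.1")

# Placeholder for the host's external address, which MASQUERADE would pick
# for routed traffic; its real value is not known here.
HOST_EXTERNAL = "host-external-addr"


def rule_with_exclusion(src, dst):
    """iptables -t nat -A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE

    "-s" and "! -d" are independent matches; the target fires only if both hold.
    """
    return src in CONTAINER_NET and dst not in CONTAINER_NET


def rule_without_exclusion(src, dst):
    """iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -j MASQUERADE"""
    return src in CONTAINER_NET


def traverses_nat_table(src, dst, bridge_nf_call_iptables):
    """Does this packet reach the nat POSTROUTING chain at all?

    Routed traffic (container <-> outside) always does. A frame between two
    members of the same bridge is switched at layer 2 and is only handed to
    iptables when net.bridge.bridge-nf-call-iptables=1 (br_netfilter), which
    is the system-wide setting the answer refers to.
    """
    bridged = src in CONTAINER_NET and dst in CONTAINER_NET
    return (not bridged) or bridge_nf_call_iptables


def egress_source(src, dst, rule, bridge_nf_call_iptables):
    """Source address the receiver sees for a packet from src to dst (as a str)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if traverses_nat_table(src, dst, bridge_nf_call_iptables) and rule(src, dst):
        # MASQUERADE rewrites the source to the outgoing interface's address.
        # For a bridged packet that interface is lxcbr0 itself (assumed here),
        # so the peer container would see 10.0.3.1 instead of the real sender.
        return str(BRIDGE_ADDR) if dst in CONTAINER_NET else HOST_EXTERNAL
    return str(src)


def compare(bridge_nf_call_iptables):
    """(rule name, 'src->dst') -> source seen by the peer, for one sysctl setting."""
    flows = [("10.0.3.2", "10.0.3.3"),   # constructed: container to container
             ("10.0.3.2", "192.0.2.1")]  # constructed: container to outside
    rules = [("with ! -d", rule_with_exclusion),
             ("without ! -d", rule_without_exclusion)]
    return {(name, f"{s}->{d}"): egress_source(s, d, rule, bridge_nf_call_iptables)
            for name, rule in rules for s, d in flows}


if __name__ == "__main__":
    for flag in (0, 1):
        print(f"net.bridge.bridge-nf-call-iptables = {flag}")
        for (name, flow), seen in compare(bool(flag)).items():
            print(f"  {name:13} {flow:20}  peer sees {seen}")
```

With the sysctl at 0 both rules give identical results, which is what the ping/tcpdump test in the question shows. With it at 1 the rule lacking ! -d rewrites container-to-container traffic to the bridge address, so a container's logs, firewall rules, or services keyed on the peer's address would all see 10.0.3.1 instead of the real sender; the ! -d 10.0.3.0/24 clause is what keeps that from happening.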