No container IPv4

I have recently started to set up LXC containers again, however every container I am making is not being assigned an IPv4 address.
This was happening on Arch Linux and yesterday I decided to switch to Parrot OS as my daily driver, however the same issue is occurring.
/etc/default/lxc-net:

USE_LXC_BRIDGE="false"
LXC_BRIDGE="incusbr0"
LXC_ADDR="10.87.187.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.87.187.2/24"
LXC_DHCP_RANGE="10.87.187.2,10.87.187.254"
LXC_DHCP_MAX="252"

/etc/lxc/default.conf:

lxc.net.0.type = veth
lxc.net.0.link = incusbr0
lxc.net.0.flags = up

lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1

I have tried running:

ufw allow in on incusbr0
ufw route allow in on incusbr0

And the same for lxcbr0 but still no IPv4 is assigned.

I also found another post saying to try adding a static IP so I did the following in the container:

ip addr add 10.87.187.2/24 dev eth0

This worked to get an IP assigned but trying to ping the host did not work and resulted in “Destination Unreachable”.

Output of “lsof -i:53” on host:

COMMAND   PID  USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
dnsmasq 42922 incus    6u  IPv4 1924485      0t0  UDP 10.87.187.1:domain 
dnsmasq 42922 incus    7u  IPv4 1924486      0t0  TCP 10.87.187.1:domain (LISTEN)

Output of “dhclient -v eth0” on the guest:

Internet Systems Consortium DHCP Client 4.4.2b1
Copyright 2004-2019 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth0/00:16:3e:07:9f:c5
Sending on   LPF/eth0/00:16:3e:07:9f:c5
Sending on   Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8 (xid=0x6807e312)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 20 (xid=0x6807e312)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 11 (xid=0x6807e312)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 14 (xid=0x6807e312)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8 (xid=0x6807e312)
No DHCPOFFERS received.
No working leases in persistent database - sleeping.

I’d still want to look at iptables -L -n -v and nft list ruleset; the ufw bits look fine, but there may be something else messing things up (Docker is a prime example of that kind of issue).

Here is the output of “iptables -L -n -v”:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  138 34661 ufw-before-logging-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
  138 34661 ufw-before-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    9  1503 ufw-after-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-before-logging-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-before-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-after-logging-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-reject-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ufw-track-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  130 19188 ufw-before-logging-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
  130 19188 ufw-before-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
   20  1232 ufw-after-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
   20  1232 ufw-after-logging-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
   20  1232 ufw-reject-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
   20  1232 ufw-track-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ufw-skip-to-policy-input  17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 ufw-skip-to-policy-input  17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    0     0 ufw-skip-to-policy-input  6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 ufw-skip-to-policy-input  6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 ufw-skip-to-policy-input  17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ufw-skip-to-policy-input  17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    9  1503 ufw-skip-to-policy-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   71  6443 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
   58 26715 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    9  1503 ufw-not-local  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
    9  1503 ufw-user-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   71  6443 ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0           
   39 11513 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   20  1232 ufw-user-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    9  1503 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    9  1503 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   180 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   17  1052 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  incusbr0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  incusbr1 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  incusbr0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  incusbr1 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination         

And here is “nft list ruleset”:

# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 1149 bytes 179386 jump ufw-before-logging-output
		counter packets 1149 bytes 179386 jump ufw-before-output
		counter packets 68 bytes 7524 jump ufw-after-output
		counter packets 68 bytes 7524 jump ufw-after-logging-output
		counter packets 68 bytes 7524 jump ufw-reject-output
		counter packets 68 bytes 7524 jump ufw-track-output
	}

	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 1246 bytes 358771 jump ufw-before-logging-input
		counter packets 1246 bytes 358771 jump ufw-before-input
		counter packets 100 bytes 16561 jump ufw-after-input
		counter packets 1 bytes 28 jump ufw-after-logging-input
		counter packets 1 bytes 28 jump ufw-reject-input
		counter packets 1 bytes 28 jump ufw-track-input
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter packets 0 bytes 0 jump ufw-before-logging-forward
		counter packets 0 bytes 0 jump ufw-before-forward
		counter packets 0 bytes 0 jump ufw-after-forward
		counter packets 0 bytes 0 jump ufw-after-logging-forward
		counter packets 0 bytes 0 jump ufw-reject-forward
		counter packets 0 bytes 0 jump ufw-track-forward
	}

	chain ufw-before-logging-input {
	}

	chain ufw-before-logging-output {
	}

	chain ufw-before-logging-forward {
	}

	chain ufw-before-input {
		iifname "lo" counter packets 276 bytes 18993 accept
		ct state related,established counter packets 868 bytes 322561 accept
		ct state invalid counter packets 0 bytes 0 jump ufw-logging-deny
		ct state invalid counter packets 0 bytes 0 drop
		meta l4proto icmp icmp type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type echo-request counter packets 0 bytes 0 accept
		udp sport 67 udp dport 68 counter packets 0 bytes 0 accept
		counter packets 102 bytes 17217 jump ufw-not-local
		ip daddr 224.0.0.251 udp dport 5353 counter packets 0 bytes 0 accept
		ip daddr 239.255.255.250 udp dport 1900 counter packets 0 bytes 0 accept
		counter packets 102 bytes 17217 jump ufw-user-input
	}

	chain ufw-before-output {
		oifname "lo" counter packets 276 bytes 18993 accept
		ct state related,established counter packets 805 bytes 152869 accept
		counter packets 68 bytes 7524 jump ufw-user-output
	}

	chain ufw-before-forward {
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto icmp icmp type echo-request counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw-user-forward
	}

	chain ufw-after-input {
		udp dport 137 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		udp dport 138 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		tcp dport 139 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		tcp dport 445 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		udp dport 67 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		udp dport 68 counter packets 0 bytes 0 jump ufw-skip-to-policy-input
		fib daddr type broadcast counter packets 99 bytes 16533 jump ufw-skip-to-policy-input
	}

	chain ufw-after-output {
	}

	chain ufw-after-forward {
	}

	chain ufw-after-logging-input {
		limit rate 3/minute burst 10 packets counter packets 1 bytes 28 log prefix "[UFW BLOCK] "
	}

	chain ufw-after-logging-output {
	}

	chain ufw-after-logging-forward {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}

	chain ufw-reject-input {
	}

	chain ufw-reject-output {
	}

	chain ufw-reject-forward {
	}

	chain ufw-track-input {
	}

	chain ufw-track-output {
		meta l4proto tcp ct state new counter packets 16 bytes 960 accept
		meta l4proto udp ct state new counter packets 52 bytes 6564 accept
	}

	chain ufw-track-forward {
	}

	chain ufw-logging-deny {
		ct state invalid limit rate 3/minute burst 10 packets counter packets 0 bytes 0 return
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}

	chain ufw-logging-allow {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW ALLOW] "
	}

	chain ufw-skip-to-policy-input {
		counter packets 99 bytes 16533 drop
	}

	chain ufw-skip-to-policy-output {
		counter packets 0 bytes 0 accept
	}

	chain ufw-skip-to-policy-forward {
		counter packets 0 bytes 0 drop
	}

	chain ufw-not-local {
		fib daddr type local counter packets 0 bytes 0 return
		fib daddr type multicast counter packets 1 bytes 28 return
		fib daddr type broadcast counter packets 101 bytes 17189 return
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 jump ufw-logging-deny
		counter packets 0 bytes 0 drop
	}

	chain ufw-user-input {
		iifname "incusbr0" counter packets 2 bytes 656 accept
		iifname "incusbr1" counter packets 0 bytes 0 accept
		iifname "lxcbr0" counter packets 0 bytes 0 accept
	}

	chain ufw-user-output {
	}

	chain ufw-user-forward {
		iifname "incusbr0" counter packets 0 bytes 0 accept
		iifname "incusbr1" counter packets 0 bytes 0 accept
		iifname "lxcbr0" counter packets 0 bytes 0 accept
	}

	chain ufw-user-logging-input {
	}

	chain ufw-user-logging-output {
	}

	chain ufw-user-logging-forward {
	}

	chain ufw-user-limit {
		limit rate 3/minute counter packets 0 bytes 0 log prefix "[UFW LIMIT BLOCK] "
		counter packets 0 bytes 0 reject
	}

	chain ufw-user-limit-accept {
		counter packets 0 bytes 0 accept
	}
}
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		counter packets 0 bytes 0 jump ufw6-before-logging-output
		counter packets 0 bytes 0 jump ufw6-before-output
		counter packets 0 bytes 0 jump ufw6-after-output
		counter packets 0 bytes 0 jump ufw6-after-logging-output
		counter packets 0 bytes 0 jump ufw6-reject-output
		counter packets 0 bytes 0 jump ufw6-track-output
	}

	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 0 bytes 0 jump ufw6-before-logging-input
		counter packets 0 bytes 0 jump ufw6-before-input
		counter packets 0 bytes 0 jump ufw6-after-input
		counter packets 0 bytes 0 jump ufw6-after-logging-input
		counter packets 0 bytes 0 jump ufw6-reject-input
		counter packets 0 bytes 0 jump ufw6-track-input
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;
		counter packets 0 bytes 0 jump ufw6-before-logging-forward
		counter packets 0 bytes 0 jump ufw6-before-forward
		counter packets 0 bytes 0 jump ufw6-after-forward
		counter packets 0 bytes 0 jump ufw6-after-logging-forward
		counter packets 0 bytes 0 jump ufw6-reject-forward
		counter packets 0 bytes 0 jump ufw6-track-forward
	}

	chain ufw6-before-logging-input {
	}

	chain ufw6-before-logging-output {
	}

	chain ufw6-before-logging-forward {
	}

	chain ufw6-before-input {
		iifname "lo" counter packets 0 bytes 0 accept
		rt type 0 counter packets 0 bytes 0 drop
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
		ct state invalid counter packets 0 bytes 0 jump ufw6-logging-deny
		ct state invalid counter packets 0 bytes 0 drop
		meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 counter packets 0 bytes 0 accept
		ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 counter packets 0 bytes 0 accept
		ip6 daddr ff02::fb udp dport 5353 counter packets 0 bytes 0 accept
		ip6 daddr ff02::f udp dport 1900 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw6-user-input
	}

	chain ufw6-before-output {
		oifname "lo" counter packets 0 bytes 0 accept
		rt type 0 counter packets 0 bytes 0 drop
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp xt match icmp6 ip6 hoplimit 255 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp ip6 saddr fe80::/10 xt match icmp6 ip6 hoplimit 1 counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw6-user-output
	}

	chain ufw6-before-forward {
		rt type 0 counter packets 0 bytes 0 drop
		ct state related,established counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type destination-unreachable counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type packet-too-big counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type time-exceeded counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type parameter-problem counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
		meta l4proto ipv6-icmp icmpv6 type echo-reply counter packets 0 bytes 0 accept
		counter packets 0 bytes 0 jump ufw6-user-forward
	}

	chain ufw6-after-input {
		udp dport 137 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		udp dport 138 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		tcp dport 139 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		tcp dport 445 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		udp dport 546 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
		udp dport 547 counter packets 0 bytes 0 jump ufw6-skip-to-policy-input
	}

	chain ufw6-after-output {
	}

	chain ufw6-after-forward {
	}

	chain ufw6-after-logging-input {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}

	chain ufw6-after-logging-output {
	}

	chain ufw6-after-logging-forward {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}

	chain ufw6-reject-input {
	}

	chain ufw6-reject-output {
	}

	chain ufw6-reject-forward {
	}

	chain ufw6-track-input {
	}

	chain ufw6-track-output {
		meta l4proto tcp ct state new counter packets 0 bytes 0 accept
		meta l4proto udp ct state new counter packets 0 bytes 0 accept
	}

	chain ufw6-track-forward {
	}

	chain ufw6-logging-deny {
		ct state invalid limit rate 3/minute burst 10 packets counter packets 0 bytes 0 return
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW BLOCK] "
	}

	chain ufw6-logging-allow {
		limit rate 3/minute burst 10 packets counter packets 0 bytes 0 log prefix "[UFW ALLOW] "
	}

	chain ufw6-skip-to-policy-input {
		counter packets 0 bytes 0 drop
	}

	chain ufw6-skip-to-policy-output {
		counter packets 0 bytes 0 accept
	}

	chain ufw6-skip-to-policy-forward {
		counter packets 0 bytes 0 drop
	}

	chain ufw6-user-input {
		iifname "incusbr0" counter packets 0 bytes 0 accept
		iifname "incusbr1" counter packets 0 bytes 0 accept
		iifname "lxcbr0" counter packets 0 bytes 0 accept
	}

	chain ufw6-user-output {
	}

	chain ufw6-user-forward {
		iifname "incusbr0" counter packets 0 bytes 0 accept
		iifname "incusbr1" counter packets 0 bytes 0 accept
		iifname "lxcbr0" counter packets 0 bytes 0 accept
	}

	chain ufw6-user-logging-input {
	}

	chain ufw6-user-logging-output {
	}

	chain ufw6-user-logging-forward {
	}

	chain ufw6-user-limit {
		limit rate 3/minute counter packets 0 bytes 0 log prefix "[UFW LIMIT BLOCK] "
	}

	chain ufw6-user-limit-accept {
	}
}
table inet incus {
	chain pstrt.incusbr0 {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 10.87.187.0/24 ip daddr != 10.87.187.0/24 masquerade
	}
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "eth0" tcp dport 2221 counter packets 0 bytes 0 dnat to 10.0.3.100:22
	}
}
table inet lxc {
	chain input {
		type filter hook input priority filter; policy accept;
		iifname "lxcbr0" udp dport { 53, 67 } accept
		iifname "lxcbr0" tcp dport { 53, 67 } accept
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		iifname "lxcbr0" accept
		oifname "lxcbr0" accept
	}
}
table ip lxc {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 10.0.3.0/24 ip daddr != 10.0.3.0/24 counter packets 0 bytes 0 masquerade
	}
}

incusbr1 can be ignored; that was me seeing if making a new bridge would fix it, which it did not.

Can you show ip link show too?

Here is the output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
    link/ether 24:4b:fe:dd:da:4f brd ff:ff:ff:ff:ff:ff
3: wlp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 9c:fc:e8:f1:8a:83 brd ff:ff:ff:ff:ff:ff
24: incusbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:16:3e:5c:0f:c7 brd ff:ff:ff:ff:ff:ff
40: lxcbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
65: veth8c4caafd@if64: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master incusbr0 state UP mode DEFAULT group default qlen 1000
    link/ether 2a:45:f9:7a:b8:77 brd ff:ff:ff:ff:ff:ff link-netnsid 0

Does /proc/sys/net/bridge exist on your system?

Nope.

Okay, so at that point, I’d start using tcpdump, first using tcpdump -ni veth8c4caafd to confirm that you see the DHCP requests from the container on the host side.

If they show up there, then do the same with tcpdump -ni incusbr0.

If they still show up there, then take a close look at journalctl -n 300 for anything dnsmasq related.

In those dumps, you probably also want to make sure that the response, if any, makes it all the way through.

You can also always check that the firewall is indeed the issue by flushing it all with iptables -F, which given the default policies you listed, should then allow all traffic.
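The capture-by-capture check described in the reply above, as an added example that is not part of the original post: it reads two saved `tcpdump -ni <iface>` text captures (host-side veth, then the bridge) and reports where the DHCP exchange stops. The function names and file names are hypothetical, and the sample lines are abridged from the captures posted later in this thread.

```shell
#!/bin/sh
# Added example: localise where a DHCP exchange stops, using tcpdump's
# default one-line summaries ("BOOTP/DHCP, Request" / "BOOTP/DHCP, Reply").

# Print "<requests> <replies>" for one capture file.
count_dhcp() {
    awk '
        /BOOTP\/DHCP, Request/ { req++ }
        /BOOTP\/DHCP, Reply/   { rep++ }
        END { printf "%d %d\n", req, rep }
    ' "$1"
}

# locate_drop VETH_CAPTURE BRIDGE_CAPTURE -> one-line verdict
locate_drop() {
    veth=$(count_dhcp "$1"); bridge=$(count_dhcp "$2")
    veth_req=${veth% *};  veth_rep=${veth#* }
    br_req=${bridge% *};  br_rep=${bridge#* }

    if   [ "$veth_req" -eq 0 ]; then
        echo "no requests on veth: container is not sending DHCP"
    elif [ "$br_req" -eq 0 ]; then
        echo "requests lost between veth and bridge"
    elif [ "$br_rep" -eq 0 ]; then
        echo "requests reach bridge, no reply: check dnsmasq logs and host firewall"
    elif [ "$veth_rep" -eq 0 ]; then
        echo "replies lost between bridge and veth"
    else
        echo "replies reach veth: DHCP path is intact"
    fi
}

# Sample input: lines abridged from the captures posted in this thread.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/veth.txt" <<'EOF'
23:04:49.371537 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:07:9f:c5, length 300
23:04:54.698032 IP6 fe80::216:3eff:fe07:9fc5 > ff02::2: ICMP6, router solicitation, length 16
EOF
cat > "$SAMPLES/bridge.txt" <<'EOF'
23:06:44.275753 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:07:9f:c5, length 284
23:06:45.301356 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
EOF

locate_drop "$SAMPLES/veth.txt" "$SAMPLES/bridge.txt"
```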

There are IPv6 requests but no IPv4 requests.

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on veth239b1451, link-type EN10MB (Ethernet), snapshot length 262144 bytes
23:04:49.371537 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:07:9f:c5, length 300
23:04:53.578080 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:07:9f:c5, length 300
23:04:54.698032 IP6 fe80::216:3eff:fe07:9fc5 > ff02::2: ICMP6, router solicitation, length 16
23:04:58.529036 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:07:9f:c5, length 300
23:05:06.638115 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:07:9f:c5, length 300
23:05:11.141426 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:07:9f:c5, length 300
23:05:19.265693 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:07:9f:c5, length 300
23:05:25.418035 IP6 fe80::216:3eff:fe07:9fc5 > ff02::2: ICMP6, router solicitation, length 16

They also show on incusbr0:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on incusbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
23:06:44.275753 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:07:9f:c5, length 284
23:06:45.301356 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:06:52.701354 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:06:52.711606 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:07:9f:c5, length 300
23:06:52.901370 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:06:53.311385 IP6 :: > ff02::1:ff07:9fc5: ICMP6, neighbor solicitation, who has fe80::216:3eff:fe07:9fc5, length 32
23:06:54.324709 IP6 fe80::216:3eff:fe07:9fc5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:06:54.324732 IP6 fe80::216:3eff:fe07:9fc5 > ff02::2: ICMP6, router solicitation, length 16
23:06:55.018029 IP6 fe80::216:3eff:fe07:9fc5 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
23:06:58.644689 IP6 fe80::216:3eff:fe07:9fc5 > ff02::2: ICMP6, router solicitation, length 16
23:06:59.341433 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:07:9f:c5, length 300

Not seeing anything in journalctl.

UPDATE: So the first time, running “iptables -F” made me need a reboot before networking would work, presumably because I forgot to turn my VPN off this time (I had been turning it off and closing it before doing anything with containers in case it interfered). However, after a reboot I turned off my VPN and flushed them again, then started the container and inside the container ran “dhclient -v eth0”, and now it works.

Okay, so that at least confirms that it’s something going on in your firewall that’s blocking the traffic from making it to dnsmasq (or preventing dnsmasq from responding to it).

Alright, well, I am going to mark your reply as the answer. However, something weird is definitely going on: I haven’t touched anything with the firewall since I reinstalled Parrot OS 6.0 today, and yet it seems to work without any problems now, even without flushing firewall rules. When I tried before, that was also a fresh install of Parrot OS 6.0. I have no idea what changed, but as long as it works I am happy. I still have to run “dhclient -v eth0” though.

Edit: I should also note that when having the same issue on Arch Linux I had no firewall installed at the time. So whatever happened with Arch is beyond me.