Restore firewall (ip/nftables) without restarting the lxd daemon

randombenj · May 17, 2021, 8:10am

Is there a way to only let lxd generate the ip/nftable rules without having to restart the service?

The problem is that we run shorewall and it assumes that it is the only owner of the firewall and just clears all the rules. This leads to lxd networking not working anymore without restarting the lxd service.

tomp · May 17, 2021, 8:18am

You can make a change to the LXD’s managed network (e.g. lxdbr0 network) in LXD’s config, this will also trigger a reapplication of the firewall rules.

But that doesn’t sound like a good way to go, better would be to add the rules needed for LXD to work properly to the shorewall config so its reliable.

randombenj · May 17, 2021, 8:22am

That does sound like a hacky solution, I will try to use this as a workaround, because I only have limited controll over the shorewall config (as its company applied).

Would it also be an option to contribute something like an lxd firewall reload functionality to lxd?

tomp · May 17, 2021, 8:27am

Why not just reload the lxd service though?

randombenj · May 17, 2021, 8:30am

I tryed that, but the service hangs until all open sessions (with lxc exec ...) are closed.

error: LXD is shutting down

tomp · May 17, 2021, 9:16am

Yes thats true. How often is shorewall resetting the rules?

randombenj · May 17, 2021, 9:24am

We have a daily cronjob wich restarts the service

tomp · May 17, 2021, 9:31am

You can specify the core.shutdown_timeout for LXD so it doesn’t wait so long before terminating running execs.

randombenj · May 17, 2021, 9:37am

Doesn’t seem to be configurable (unless I am doing something wrong)

$ lxd version
4.0.6
$ lxc config set core.shutdown_timeout 10
Error: cannot set 'core.shutdown_timeout' to '10': unknown key

randombenj · May 17, 2021, 9:50am

I wouldn’t call it a solution, but the best thing I came up with was this:

for iface in $(lxc network ls --format json | jq --raw-output '.[] | select(.managed) | .name')
do
  echo " => restoring fw rules '$iface'"
  is_nat=$(lxc network get $iface ipv6.nat)
  lxc network set $iface ipv6.nat $([ "$is_nat" = "true" ] && echo "false" || echo "true")
  # restore old config
  lxc network set $iface ipv6.nat "$is_nat"
done

tomp · May 17, 2021, 9:56am

Ah yes its a recent addition so not in the LTS release. There is a 10min default I believe.

randombenj · May 17, 2021, 9:59am

Will try it when it’s in the LTS release then
For now the above ‘hack’ works as expected, maybe if I have time I will contribute something like a lxc network reload-fw or similar.

Thanks for your super fast and useful help!