Is there a way to only let LXD generate the ip/nftables rules without having to restart the service?
The problem is that we run shorewall and it assumes that it is the only owner of the firewall and just clears all the rules. This leads to lxd networking not working anymore without restarting the lxd service.
You can make a change to LXD’s managed network (e.g. the lxdbr0 network) in LXD’s config; this will also trigger a reapplication of the firewall rules.
But that doesn’t sound like a good way to go; it would be better to add the rules needed for LXD to work properly to the shorewall config so it’s reliable.
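As an added illustration of the workaround above (not a script from the thread or from LXD itself): check whether LXD's nftables rules for a bridge are still present, and if a firewall flush removed them, nudge LXD into regenerating them by changing the network's config. It assumes that LXD's nftables driver keeps its rules in "table inet lxd" with per-bridge chains such as "in.lxdbr0", and that toggling the "ipv4.firewall" key off and on forces a rule regeneration; check both against your LXD version.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (verify for your LXD):
# - LXD's nftables rules live in "table inet lxd", chains like "in.<bridge>"
# - setting ipv4.firewall false and back to true regenerates the rules

BRIDGE="${BRIDGE:-lxdbr0}"

# Return 0 if the given nftables ruleset text contains LXD's table and an
# input chain for the bridge, 1 otherwise. The ruleset is passed in as text
# so the check can be exercised on captured output without root or nft.
lxd_rules_present() {
    ruleset="$1"
    bridge="$2"
    printf '%s\n' "$ruleset" | grep -q '^table inet lxd' || return 1
    printf '%s\n' "$ruleset" | grep -q "chain in\.$bridge" || return 1
    return 0
}

# Live check against the kernel ruleset (needs root).
check_live() {
    lxd_rules_present "$(nft list ruleset 2>/dev/null)" "$BRIDGE"
}

# Force LXD to re-apply its firewall rules for the bridge (config change
# is what triggers the reapplication, as described above).
reapply_lxd_rules() {
    lxc network set "$BRIDGE" ipv4.firewall false &&
    lxc network set "$BRIDGE" ipv4.firewall true
}

# Constructed sample rulesets: one with LXD's rules intact, one after a
# firewall manager has flushed everything and installed only its own table.
SAMPLE_OK='table inet lxd {
	chain in.lxdbr0 {
		type filter hook input priority filter; policy accept;
		iifname "lxdbr0" udp dport 67 accept
	}
}'
SAMPLE_FLUSHED='table inet shorewall {
	chain INPUT {
	}
}'

main() {
    if check_live; then
        echo "LXD nftables rules for $BRIDGE present"
    else
        echo "LXD rules for $BRIDGE missing (firewall flushed?), re-applying"
        reapply_lxd_rules
    fi
}

# Only act when invoked as "sh lxd-fw-check.sh run", e.g. from a cron job
# or a shorewall post-start hook; sourcing the file just defines functions.
if [ "${1:-}" = "run" ]; then main; fi
```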
That does sound like a hacky solution, I will try to use this as a workaround, because I only have limited control over the shorewall config (as it’s company-applied).
Would it also be an option to contribute something like an lxd firewall reload functionality to lxd?
Will try it when it’s in the LTS release then.
For now the above ‘hack’ works as expected; maybe if I have time I will contribute something like an lxc network reload-fw or similar.