Support for port isolation on bridge interfaces

I have LXD containers connected to a Linux bridge. I would like to enable port isolation on the bridge, e.g.:

ip link set dev tap0 master bridge0
bridge link set dev veth0 isolated on
bridge link set dev veth1 isolated on
bridge link set dev veth2 isolated on

The goal being that any of the containers can share the network segment and talk to the upstream bridge port, but not to each other.

It’s simple enough to configure the bridge with the upstream port, but I’m not sure how to handle dynamically setting the “isolated on” for the container links. It would be ideal if there were a bridge interface setting in lxd that supported this, but I don’t see reference to one in the docs.

Failing that, does anyone have any ideas for how to most efficiently configure LXD to run the CLI bridge command whenever a container starts? Some type of hook script? Something systemd?
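Whichever way the `isolated on` flag ends up being applied (a hook, a systemd unit, or a built-in LXD setting), the thing worth checking afterwards is that every container port on the bridge actually carries it, because a single port left non-isolated can reach every other member. The script below is an added example and is not from the original post or from LXD itself; it parses the text output of `bridge -d link show master <bridge>` (the `-d` detail output includes the per-port `isolated on|off` flag) and prints every member port that is not isolated, excluding the named uplink port. The helper names, the constructed sample output, and the `tap0`/`vethN` interface names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Linux bridge for
# member ports that are not isolated. Feeds the text output of
# `bridge -d link show master <bridge>` through awk and prints every port
# whose "isolated" flag is not "on", except the named uplink port.
# Ports that show no "isolated" flag at all (older iproute2 or kernel)
# are reported too, since their isolation state cannot be confirmed.

unisolated_ports() {
    # $1 = uplink port to exclude; bridge output arrives on stdin
    awk -v uplink="$1" '
        # header line: "<idx>: <ifname>: <flags> ... master bridge0 ..."
        /^[0-9]+:/ {
            name = $2
            sub(/:$/, "", name)       # "veth0:"    -> "veth0"
            sub(/@.*/, "", name)      # "veth0@if7" -> "veth0"
            state[name] = "missing"
        }
        # detail line (or the same line under -oneline): "... isolated on ..."
        {
            for (i = 1; i < NF; i++)
                if ($i == "isolated") state[name] = $(i + 1)
        }
        END {
            for (n in state)
                if (n != uplink && state[n] != "on") print n
        }' | sort
}

# Live check against the running system (needs iproute2), e.g.:
#   check_live_bridge bridge0 tap0
check_live_bridge() {
    bridge -d link show master "$1" | unisolated_ports "$2"
}

# Constructed sample resembling `bridge -d link show master bridge0` output
# on a bridge where veth2 was never isolated and veth3 reports no flag.
SAMPLE='3: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
4: veth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated on
5: veth1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated on
6: veth2@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
7: veth3@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge0 state forwarding priority 32 cost 2'

# Audit the constructed sample; prints one non-isolated port per line.
audit_sample() {
    printf '%s\n' "$SAMPLE" | unisolated_ports tap0
}

audit_sample   # prints: veth2 then veth3
```

Run `check_live_bridge bridge0 tap0` on the host to audit the real bridge; an empty result means every container port is isolated. Reading bridge state does not require root, so the check can run from a monitoring job as well as from a post-start hook.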

There currently isn’t such a feature built into LXD, though we do have plans to add support for network security, firewalling and access groups over the next 6 months or so. Access within the same subnet may end up fitting into that story.

I think it may also make sense to add such a thing as a direct property of a managed network, but we’ll need to ensure that there are working equivalents for openvswitch and ovn based networks too. We’ll also have to be careful in how this is handled when external switch ports are added as well as when a network is tunneled across multiple nodes.

@tomp


This is now available in LXD 4.14 using the bridged NIC type’s security.port_isolation=true setting.