Ubuntu 22.04 LXD networking issue, not getting IPs, and solution (please verify correctness)

Was having firewall issues with a new install of Ubuntu 22.04, believe I may have it sorted out but wanted to run it by the community here to make sure what I did was the proper solution.

With a fresh install of Ubuntu 22.04 LTS, using HAProxy in a container, ports 80 & 443 proxied to the HAProxy container using LXC proxy devices & HAProxy directing all web traffic to a default LXC container.

As per directions in the docs at How to configure your firewall - LXD documentation I disabled LXD’s firewall rules and added rules for the bridge on the host:

lxc network set lxdbr0 ipv6.firewall false
lxc network set lxdbr0 ipv4.firewall false

and

sudo ufw allow in on lxdbr0
sudo ufw route allow in on lxdbr0

Then with UFW enabled on the host and disabled on the HAProxy & webserver containers…

My containers did not get IPs. Still no IPs even after rebooting… no external web access (from outside into port 80: haproxy container > webserver container).

After a bit of research I ended up trying the following:

sudo ufw allow out on lxdbr0
sudo ufw route allow out on lxdbr0

That resulted in the containers getting IPs from LXC and enabled web access through the HAProxy container & forwarded into the default webserver container. All looked good after that.

So my question: Was adding the ‘allow out’ and ‘route allow out’ UFW rules to the bridge the proper way to resolve the issue of inaccessible default websites and the containers not getting IPs from LXD?

Since the LXD firewall page in the docs at How to configure your firewall - LXD documentation did not mention adding the ‘out’ rules for the bridge, it makes me wonder if maybe there was something else that I missed, maybe this was not the proper way to resolve the issue, etc.

Thanks in advance for any advice & input.
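A small audit script for the four bridge rules the post settles on (allow in, allow out, route allow in, route allow out), added here as an example and not part of the original post or the LXD docs. It checks a `ufw status verbose` listing for a given bridge; the sample listing is constructed and its column layout is assumed, so confirm it matches your own host's output before relying on it.

```shell
#!/usr/bin/env bash
# Added example: report which host-side ufw rules for an LXD bridge are missing.
# Live use:  sudo ufw status verbose | missing_bridge_rules lxdbr0
set -u

# Constructed sample in the assumed `ufw status verbose` layout (To / Action / From).
# It deliberately lacks the "route allow out" rule.
SAMPLE_STATUS='Status: active
Default: deny (incoming), allow (outgoing), deny (routed)

To                         Action      From
--                         ------      ----
Anywhere on lxdbr0         ALLOW IN    Anywhere
Anywhere on lxdbr0         ALLOW FWD   Anywhere
Anywhere                   ALLOW OUT   Anywhere on lxdbr0'

# Same listing with the route-out rule added, as the post's final state.
FIXED_STATUS="$SAMPLE_STATUS
Anywhere                   ALLOW FWD   Anywhere on lxdbr0"

# Reads a ufw listing on stdin, prints one missing rule name per line,
# and returns 0 only when all four bridge rules are present.
# The bridge name is used inside a regex, so keep it to plain characters.
missing_bridge_rules() {
  br="$1"
  status=$(cat)
  missing=""
  # "allow in on <br>":  To = "Anywhere on <br>", Action = ALLOW IN
  printf '%s\n' "$status" | grep -Eq "^Anywhere on $br[[:space:]]+ALLOW IN[[:space:]]" || missing="$missing in"
  # "allow out on <br>": Action = ALLOW OUT, From = "Anywhere on <br>"
  printf '%s\n' "$status" | grep -Eq "ALLOW OUT[[:space:]]+Anywhere on $br[[:space:]]*$" || missing="$missing out"
  # "route allow in on <br>":  forwarded traffic entering via the bridge
  printf '%s\n' "$status" | grep -Eq "^Anywhere on $br[[:space:]]+ALLOW FWD[[:space:]]" || missing="$missing route-in"
  # "route allow out on <br>": forwarded traffic leaving via the bridge
  printf '%s\n' "$status" | grep -Eq "ALLOW FWD[[:space:]]+Anywhere on $br[[:space:]]*$" || missing="$missing route-out"
  for m in $missing; do echo "$m"; done
  [ -z "$missing" ]
}

# Demo on the constructed sample; swap the printf for `sudo ufw status verbose` on a real host.
printf '%s\n' "$SAMPLE_STATUS" | missing_bridge_rules lxdbr0 \
  && echo "lxdbr0: all four bridge rules present" \
  || echo "lxdbr0: rules listed above are missing"
```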

Sounds like ufw has changed the default rules it adds which means additional override rules are needed. I don't see any immediate issues with adding the additional rules (although I cannot claim to be an expert in ufw). Are you able to open a pull request to update the docs? Thanks

Thanks for taking a look at this and verifying that you don’t see any immediate issues with solving in this way.

Sure thing about the pull request. I just submitted the changes. All I did was add in the ‘out’ rules below the ‘in’ rules on that page.

In the description for that doc section it states “you must add rules to allow traffic to and from the bridge.” After seeing that again, I suppose traffic to the bridge correlates to the ‘in’ rules and traffic from the bridge correlates to the ‘out’ rules. With the details seeming to already cover the ‘out’ rules I did not make any change to that part of the description.

Ubuntu 20.04 didn’t seem to need the additional rules, but 22.04 did. Not sure if that should have been specified in the docs, though.