I’m currently running an unprivileged OpenWrt 23.05 instance on Incus as my router and it works pretty well. The main reason I turned to Incus is because my internet is provided by a Qualcomm USB 5G modem, and USB pass-through performance in a VM (Proxmox VE) is hard capped around 120 Mbps on my device, at which point 1 core is fully loaded and can’t get any faster. With Incus I can get 300+ Mbps.
Here is what I did to pass through the modem:
    devices:
      wwan-cdc-wdm0:
        mode: '0600'
        path: /dev/cdc-wdm0
        required: 'false'
        type: unix-char
      wwan:
        nictype: physical
        parent: wwp0s20u3i5
        type: nic
Later on, I saw Incus supports AppArmor, and turned it on on my host machine. My network broke immediately unless I either turned AppArmor off or set raw.lxc: lxc.apparmor.profile=unconfined. This weekend I got time to check on this again, and solved most of the issues reported by audit. However, my WWAN is still broken.
After checking within OpenWrt, the failure is caused by being unable to configure the modem in raw-ip mode. On my device, /sys/class/net/eth1/qmi/raw_ip is the path it is trying to modify, while /sys/class/net/eth1 itself is a symlink to /sys/devices/pci0000:00/0000:00:14.0/usb4/4-3/4-3:1.5/net/eth1, which I believe is ultimately blocked by this default rule. Since deny takes precedence, I’m left with no choice but to disable AppArmor.
Is there something else I can try here? I’m using 6.0.2 right now, which is the default package for NixOS 24.05.