Port forwarding is a bit of a pariah in the LXD world. Automating its management is left to third party scripts and services that use iptables, unless this has changed and I can't find the documentation on changes. Some scripts allow you to populate the port config in a YAML file or similar. I'm considering using the containers environment config.
Let's say I write a service that runs and monitors for currently running containers. We'll call it open_ports. If open_ports sees a container running it can query a container environment:
lxc config get foo_container environment.PUBLISHED_PORTS
open_ports will then attempt to use iptables to create a forward based on the contents of the PUBLISHED_PORTS environment variable. This would allow my preferred port forwards to follow the container rather than the host config. Provided of course that all my hosts have open_ports running.
For the PUBLISHED_PORTS format, I considered one similar to docker and its publish argument:
<host port1>:<container port1>/<protocol1>,<host port2>:<container port2>/protocol2>
The port specified could also be a port range and protocol would default to TCP unless otherwise specified.
I'm mainly concerned about what security risks this might open up. Any thoughts from the community?