Workaround for core18 Port isolation on ubuntu 20.04

I was wondering about a possible workaround for the port isolation issue on core18. As the bridge software doesn’t support isolation in Ubuntu 18.04 but 20.04 does, would it be possible to create a network bridge in Ubuntu 20.04 with port isolation and then assign that to the containers?

I gave it a go but I’ve not figured out a way of configuring a network bridge in netplan without losing my ethernet device.

So I would appreciate advice from people that do know…

The issue is that the version of the ip command inside the snap is too old (as it’s from Ubuntu 18.04) and doesn’t understand the port isolation feature available on the host’s bridge.

So it’s not a problem with the bridge itself; instead, each port (veth) being attached to it needs to have the port isolation feature turned on for it. You could do this manually after the container has been started and attached to the bridge.

But for the feature to work natively in LXD, either we need to upgrade the LXD snap to core20 (based on Ubuntu 20.04), which is certainly planned for soon but is a big change, or the other option may be to use the netlink protocol to directly interface with the bridge via the kernel rather than using the ip command. That way the older version of ip inside the snap won’t matter.

One of those two solutions will happen, but I’m not sure on timings at this stage.
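One way to do the manual step the previous post describes, as an added example that is not part of the original thread or of LXD itself: from the host, use the host's newer iproute2 `bridge` tool to flag each container veth on the bridge as isolated. The bridge name lxdbr0, the `BRIDGE` variable and the embedded sample output are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not LXD's code). Enables Linux bridge port isolation on the
# container veths attached to a bridge, from the host, using the host's iproute2.
# Assumes: kernel >= 4.18 and an iproute2 whose "bridge -d link show" prints
# "isolated on|off" (Ubuntu 20.04 does); the bridge name lxdbr0 is a placeholder.
set -euo pipefail

# Read "bridge -d link show" output on stdin; print "<port> <on|off>" for each
# port whose master is bridge $1. A port header line looks like
#   7: veth1234@if2: <BROADCAST,...> mtu 1500 master lxdbr0 state forwarding ...
# and the detail line that follows it ends with "... vlan_tunnel off isolated off".
port_isolation_state() {
  awk -v br="$1" '
    /^[0-9]+: / {
      port = ""
      if ($0 ~ ("master " br "( |$)")) { port = $2; sub(/@.*/, "", port); sub(/:$/, "", port) }
    }
    port != "" {
      for (i = 1; i < NF; i++) if ($i == "isolated") { print port, $(i + 1); port = "" }
    }
  '
}

# Turn isolation on for every port of bridge $1 that still has it off. Isolated
# ports can still reach the bridge's non-isolated ports (the host side / uplink)
# but can no longer talk to each other at layer 2.
isolate_bridge_ports() {
  bridge -d link show | port_isolation_state "$1" | while read -r port state; do
    [ "$state" = off ] || continue
    echo "enabling isolation on $port"
    bridge link set dev "$port" isolated on
  done
}

# Constructed sample of "bridge -d link show" output, for offline checking only.
SAMPLE_OUTPUT='7: vethaaa@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lxdbr0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
8: vethbbb@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lxdbr0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated on
9: vethccc@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off'

# With BRIDGE set (e.g. BRIDGE=lxdbr0, run as root) the live bridge is changed;
# without it, only the constructed sample is parsed and reported.
if [ -n "${BRIDGE:-}" ]; then
  isolate_bridge_ports "$BRIDGE"
else
  printf '%s\n' "$SAMPLE_OUTPUT" | port_isolation_state lxdbr0
fi
```

LXD creates a fresh veth each time a container starts, so the flag has to be reapplied after every restart until the native LXD support is used.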

This is now available in LXD 4.14 using the bridged NIC type’s security.port_isolation=true setting.

LXD 4.14 uses the Ubuntu Core 20.04 base image so the ip tool is updated to support it now.
