Hi Matt,

Many thanks for your reply.

> Are you using lxd firewall capabilities (1)?:
> - If yes, this is unlikely to work as Shorewall will probably modify what is created by lxd

Firewall in LXD has been disabled:

    # lxc network show lxdbr0
    config:
      ipv4.address: 10.0.0.1/24
      ipv4.firewall: "false"
      ipv4.nat: "false"
      ipv6.address: none
      ipv6.firewall: "false"

> - If no, have you looked at (2)
> 2) https://shorewall.org/bridge-Shorewall-perl.html

Yes, I've looked at it and - if my understanding is correct - the page talks about separating interfaces connected to the bridge by declaring more zones as bridge ports. In my scenario I am not sure it's feasible, since veth interfaces get random names when containers are being started.
Anyway, the above can't explain why the lxd-lxd (lxd2lxd) policy is set to ACCEPT by default, and why Shorewall removes the lxd-lxd chain right after creating it.
Best regards,
Łukasz Czerpak

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users