On 11/16/20 5:22 AM, Łukasz Czerpak wrote:
> Hi Matt,
>
> Many thanks for your reply.
>
>>
>> Are you using lxd firewall capabilities (1)?:
>> - If yes, this is unlikely to work as Shorewall will probably modify
>> what is created by lxd
>
> Firewall in LXD has been disabled:
>
> # lxc network show lxdbr0
> config:
>   ipv4.address: 10.0.0.1/24
>   ipv4.firewall: "false"
>   ipv4.nat: "false"
>   ipv6.address: none
>   ipv6.firewall: "false"
>
>> - If no, have you looked at (2)
>>
>> 2) https://shorewall.org/bridge-Shorewall-perl.html
>>
>
> Yes, I've looked at it and - if my understanding is correct - the page
> talks about separating interfaces connected to the bridge by declaring
> more zones as bridge ports.
> In my scenario I am not sure it's feasible since veth interfaces get
> random names when containers are being started.
>
> Anyway, the above can't explain why the lxd-lxd (lxd2lxd) policy is set to
> ACCEPT by default and why Shorewall removes the lxd-lxd chain right after
> creating it.
>
You have set routeback=0, so lxd-lxd traffic is prohibited.

-Tom

-- 
Tom Eastep           \   Q: What do you get when you cross a mobster
Shoreline,            \     with an international standard?
Washington, USA        \ A: Someone who makes you an offer you
http://shorewall.org    \   can't understand
                         \________________________________________
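Added illustration of the point Tom makes (this is not part of the original thread and not Shorewall project code): the two `interfaces` entries below contrast the setting the thread describes, `routeback=0`, with `routeback` enabled on the same bridge. The interface name `lxdbr0` and the chain name `lxd-lxd` (`lxd2lxd` on older releases) come from the thread; the zone names `lxd` and `net`, the policy rows and the file contents as a whole are assumed for the example. With `routeback` enabled, Shorewall keeps the `lxd-lxd` chain and the `lxd` to `lxd` policy and rules decide whether containers on `lxdbr0` may reach each other; with `routeback=0` that traffic is prohibited, which is why the chain disappears.

```text
# /etc/shorewall/interfaces   (example file, assumed zone name "lxd")
?FORMAT 2
#ZONE   INTERFACE   OPTIONS

# Setting from the thread: the bridge option normally implies routeback, and
# routeback=0 overrides that, so packets that enter lxdbr0 and would leave via
# lxdbr0 (container to container) are prohibited and no lxd-lxd chain is kept.
lxd     lxdbr0      bridge,routeback=0

# Alternative: let Shorewall handle traffic routed back out lxdbr0. The
# lxd->lxd policy below (and any rules in /etc/shorewall/rules) then governs
# container-to-container traffic.
#lxd     lxdbr0      bridge,routeback

# /etc/shorewall/policy   (example file; "net" zone and its interface assumed)
#SOURCE   DEST   POLICY   LOG_LEVEL
lxd       lxd    DROP     info     # only reached when routeback is enabled
lxd       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
```

Two checks worth running after editing these files: `shorewall check` validates the configuration without loading it, and after `shorewall restart`, `shorewall show lxd-lxd` (or `shorewall show lxd2lxd` on older releases) confirms whether the intra-zone chain now exists. For any of this to apply to traffic between two containers on the same bridge, the kernel must also pass bridged frames to iptables (`br_netfilter` loaded and `net.bridge.bridge-nf-call-iptables=1`); the bridge-Shorewall-perl page linked in the thread covers that requirement.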
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users