I’ve been playing with Linux containers (LXC) recently thanks to the SysAdvent calendar and ran into a small issue where network traffic was blocked to the VM (using a bridged interface) when ufw was running on the host. Granting a ufw allow rule for the guest IP did not seem to help either; it seems there is a bug filed for this.
Two solutions are presented on the Launchpad page:
- Disable netfilter on the bridge via sysctl by adding the following lines to /etc/sysctl.conf, /etc/ufw/sysctl.conf or /etc/sysctl.d/ufw:
  net.bridge.bridge-nf-call-ip6tables = 0
  net.bridge.bridge-nf-call-iptables = 0
  net.bridge.bridge-nf-call-arptables = 0
- Configure iptables to permit forwarded traffic across the bridge by adding the following line (before the last COMMIT command) to /etc/ufw/before.rules:
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
Whichever you choose, the change must be made active (reloading the sysctl settings or restarting ufw). Note that both fixes take the host firewall out of the guest's path: with the bridge-nf hooks disabled, bridged frames never reach iptables at all, and the physdev rule, being inserted at the top of FORWARD, accepts them before any of ufw's forward chains are consulted. Either way the host's ufw rules no longer apply to the container's traffic, so if the guest needs filtering it has to run its own firewall. I used the ufw/iptables solution and it seemed to work fine.
I’m hoping to have another post up here soon about LXC itself; I’ve made a custom VM creation script for Debian and am trying to get one working for Ubuntu as well. From what I’ve seen so far it’s a very nice package, although still very much under development; I’m not so sure I’d recommend it for use in production environments, but I see it maturing significantly in the near future.
Tags: blurb, bugs, linux, lxc, networking, ufw, virtualization