How to let LXD manage the bridge?


Post by kurara »

I installed OpenWrt with LXD on my QNAP NAS. I'm using bridge network mode for the container (not NAT), so that the OpenWrt container gets an IP from my router.
Now my PC can ping the OpenWrt container's IP, but can't access the web UI or SSH unless I disable the firewall in the OpenWrt container.

I read here: https://lxd.readthedocs.io/en/latest/ne ... -firewalld
that you have to stop LXD from setting iptables rules entirely, or the LXD container will not be able to do any outbound internet access.
But the br0 bridge or lxdbr0 bridge on the QNAP NAS is not managed by LXD, so I can't run these commands:


lxc network set lxdbr0 ipv4.nat false
lxc network set lxdbr0 ipv6.nat false
lxc network set lxdbr0 ipv6.firewall false
lxc network set lxdbr0 ipv4.firewall false
If I run "lxc network create lxdbr1" to create a new bridge, it fails with this error:

Error: Failed to setup firewall: Failed to run: iptables -w -t mangle -I POSTROUTING -o lxdbr1 -p udp --dport 68 -j CHECKSUM --checksum-fill -m comment --comment generated for LXD network lxdbr1: iptables v1.4.21: unknown option "--checksum-fill"

What can I do to fix this problem? Thanks.
Post by kurara »

I have tried NAT network mode for the container and get the same result. The host can't access the container's services (e.g. using "curl http://10.0.7.5").

I have installed an OpenWrt container in LXD on a Chromebook. On the Chromebook's LXD, LXD manages the lxdbr0 bridge, and I don't have the problem above.
Post by kobarity »

Hello @kurara,
I tested the OpenWrt LXD image from the images: server on my QNAP NAS. There are some issues with the firewall in the container:
  1. The eth0 interface is assigned to the 'wan' zone.
  2. Some rules cannot be applied because QNAP's iptables does not support the 'limit' module.
The second issue prevents all TCP sessions from being established if 'syn_flood' is enabled.

So, I could access the OpenWrt container via SSH/HTTP with the following settings in the container:


# Move eth0 out of the 'wan' zone by renaming the wan interfaces to lan/lan6
uci rename network.wan=lan
uci rename network.wan6=lan6
# Disable the SYN-flood rule, which needs the iptables 'limit' match;
# the whole argument is single-quoted so the shell passes it unchanged and the stored value is 0
uci set 'firewall.@defaults[0].syn_flood=0'
uci commit
/etc/init.d/network restart
/etc/init.d/firewall restart
However, please note that the firewall is not working completely, as it lacks the 'limit' module.
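Before letting LXD create a managed bridge (the first post's "lxc network create lxdbr1" failure) or relying on OpenWrt's default firewall inside the container (the missing 'limit' match described above), it is useful to know which iptables extensions the host's iptables can actually load. The script below is an added example for this thread; it is not code from the posts, from LXD or from OpenWrt. It assumes the usual iptables CLI behaviour that "iptables -m NAME --help" and "iptables -j NAME --help" load the userspace extension and print its options, exiting non-zero when the extension cannot be loaded. The extension list is an assumption: CHECKSUM and comment come from the failing LXD rule quoted in the first post, limit from kobarity's finding, and conntrack and MASQUERADE are extras that stateful and NAT rules normally need. The binary path is taken from the IPTABLES environment variable so the QNAP iptables can be probed explicitly.

```shell
#!/bin/sh
# Probe which iptables extensions a given iptables binary can load.
# Added example for this forum thread, not code from LXD, OpenWrt or the posters.
# Assumption: "iptables -m NAME --help" / "iptables -j NAME --help" exit 0 only
# when the userspace extension NAME loads (upstream iptables behaves this way).

: "${IPTABLES:=iptables}"   # override with IPTABLES=/path/to/iptables

# probe_match NAME: exit 0 if the match extension NAME loads, 1 otherwise
probe_match() {
    "$IPTABLES" -m "$1" --help >/dev/null 2>&1
}

# probe_target NAME: exit 0 if the target extension NAME loads, 1 otherwise
probe_target() {
    "$IPTABLES" -j "$1" --help >/dev/null 2>&1
}

# lxd_bridge_prereqs: print one line per extension and return how many are missing.
# comment and CHECKSUM appear in LXD's failing rule from the thread, limit is what
# OpenWrt's syn_flood rule needs; conntrack and MASQUERADE are assumed extras.
lxd_bridge_prereqs() {
    missing=0
    for m in comment limit conntrack; do
        if probe_match "$m"; then
            echo "match  $m: ok"
        else
            echo "match  $m: MISSING"
            missing=$((missing + 1))
        fi
    done
    for t in CHECKSUM MASQUERADE; do
        if probe_target "$t"; then
            echo "target $t: ok"
        else
            echo "target $t: MISSING"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Report when run directly; a non-zero return means at least one extension is missing.
if lxd_bridge_prereqs; then
    echo "all probed extensions load"
else
    echo "some extensions are missing (see above)"
fi
```

Run it on the NAS as `IPTABLES=/sbin/iptables sh probe.sh` (or whatever path QNAP's iptables lives at). The "unknown option --checksum-fill" error in the first post is a userspace-extension failure, which is exactly what this probe detects without needing root or touching any rules. The caveat is the other direction: a loadable userspace extension does not prove the kernel module is present, so an extension reported "ok" here can still fail when a real rule is inserted, and inside the OpenWrt container the userspace iptables is OpenWrt's own, so a failure there points at the shared host kernel rather than at the QNAP iptables binary.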
Post by kurara »

kobarity wrote: Sat Aug 28, 2021 10:55 pm
> Hello @kurara,
> I tested the OpenWrt LXD image from the images: server on my QNAP NAS. There are some issues with the firewall in the container:
>   1. The eth0 interface is assigned to the 'wan' zone.
>   2. Some rules cannot be applied because QNAP's iptables does not support the 'limit' module.
> The second issue prevents all TCP sessions from being established if 'syn_flood' is enabled.
>
> So, I could access the OpenWrt container via SSH/HTTP with the following settings in the container:
>
> uci rename network.wan=lan
> uci rename network.wan6=lan6
> uci set 'firewall.@defaults[0].syn_flood=0'
> uci commit
> /etc/init.d/network restart
> /etc/init.d/firewall restart
>
> However, please note that the firewall is not working completely, as it lacks the 'limit' module.
Thank you kobarity! It works after I disable SYN-flood protection!

Now I don't have to disable the entire firewall. And because I won't expose the container to the internet, I think it's fine to disable SYN-flood protection.

Thank you again, savior!