LXD not properly working with nftables workflow

- Distribution: Ubuntu
- Distribution version: 24.04
- The output of "snap list --all lxd core20 core22 core24 snapd":

Name    Version          Rev    Tracking       Publisher    Notes
core20  20240227         2264   latest/stable  canonical✓   base,disabled
core20  20240416         2318   latest/stable  canonical✓   base
core22  20240111         1122   latest/stable  canonical✓   base,disabled
core22  20240408         1380   latest/stable  canonical✓   base
core24  20240528         423    latest/stable  canonical✓   base
lxd     5.21.1-10f4115   28322  latest/stable  canonical✓   disabled
lxd     5.21.1-2d13beb   28463  latest/stable  canonical✓   -
snapd   2.62             21465  latest/stable  canonical✓   snapd,disabled
snapd   2.63             21759  latest/stable  canonical✓   snapd

- The output of "lxc info" or if that fails:
- Kernel version: 6.8.0-35-generic
- LXC version: 5.21.1 LTS
- LXD version: 5.21.1 LTS
- Storage backend in use:
Issue description
I'm moving from ufw to nftables after upgrading to Ubuntu 24.04.
The usual way of using nftables, including the examples on Ubuntu, is to have a script, e.g. /etc/nftables.conf, starting with
#!/usr/sbin/nft -f
flush ruleset
table inet filter { ...
So whenever the script is run, the LXD nftables rules are gone. There is no obvious simple way to reload them.
Executing
snap restart lxd
reloads them. However, this is slow, and it stops and restarts all guest machines.
There should be a file to include from /etc/nftables.conf in order to reload.
Another problem: Even if the rules are reloaded, LXD guests don't get network access anymore.
Reason: they are set at priority filter, the default priority. They then have the same priority as regular filters, which is, as described in the nft documentation, possible, but comes with an undefined execution order.
Even if the execution order is made well defined by setting the priority of the other rules: a chain which "accepts" a packet does not finally accept it. Accepted packets go through the next chain, and for security reasons the final chain should reject all packets.
This runs into the problem that you cannot finally reject packets, because the user rules and LXD rules go into different chains and thus eventually are dropped. I found someone else's comment on the same problem:
https://superuser.com/questions/1787416/nftables-how-to-stop-further-chain-traversal-after-accept-verdict
So LXD has issues with the current implementation of nftables.
Steps to reproduce
- Step one
- Step two
- Step three
Information to attach
- [ ] Any relevant kernel output (dmesg)
- [ ] Container log (lxc info NAME --show-log)
- [ ] Container configuration (lxc config show NAME --expanded)
- [ ] Main daemon log (at /var/log/lxd/lxd.log or /var/snap/lxd/common/lxd/logs/lxd.log)
- [ ] Output of the client with --debug
- [ ] Output of the daemon with --debug (alternatively output of lxc monitor while reproducing the issue)
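The two interactions the report describes (base chains from different tables registered on the same hook at the same priority, and a drop-policy chain in the user's table that still runs after LXD's chain has accepted a packet) can be checked mechanically from the ruleset export. The script below is an added example, not code from the LXD project or from the reporter: it reads the JSON that `nft -j list ruleset` produces and flags both conditions. The embedded sample ruleset is constructed for illustration; in particular the table name `lxd`, the chain name `in.lxdbr0` and the bridge name `lxdbr0` are assumptions about what an LXD host looks like, not taken from the report.

```python
"""Audit an nftables ruleset (JSON from `nft -j list ruleset`) for the two
LXD/nftables interactions discussed above:
  1. base chains in different tables sharing a hook and priority (nft does not
     define which runs first);
  2. drop-policy base chains outside LXD's table with no rule mentioning the
     LXD bridge: an accept verdict in LXD's chain does not stop them, so the
     packet is still dropped there."""
import json
import sys
from collections import defaultdict

# Constructed sample in nft's JSON export shape. A user `inet filter` table with
# policy drop, plus a table named `lxd` whose chain `in.lxdbr0` sits at the
# default filter priority (0). The LXD-side names are illustrative assumptions.
SAMPLE_RULESET = {
    "nftables": [
        {"metainfo": {"version": "1.0.9", "json_schema_version": 1}},
        {"table": {"family": "inet", "name": "filter", "handle": 1}},
        {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 1,
                   "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
        {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 2,
                  "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}},
                                      "right": "lo"}}, {"accept": None}]}},
        {"chain": {"family": "inet", "table": "filter", "name": "forward", "handle": 3,
                   "type": "filter", "hook": "forward", "prio": 0, "policy": "drop"}},
        {"table": {"family": "inet", "name": "lxd", "handle": 2}},
        {"chain": {"family": "inet", "table": "lxd", "name": "in.lxdbr0", "handle": 4,
                   "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
        {"rule": {"family": "inet", "table": "lxd", "chain": "in.lxdbr0", "handle": 5,
                  "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}},
                                      "right": "lxdbr0"}},
                           {"match": {"op": "==", "left": {"payload": {"protocol": "udp",
                                      "field": "dport"}}, "right": 53}},
                           {"accept": None}]}},
    ]
}


def base_chains(ruleset):
    """Yield (family, table, chain, hook, prio, policy) for each base chain.
    Only base chains carry a "hook" key in nft's JSON output."""
    for obj in ruleset["nftables"]:
        ch = obj.get("chain")
        if ch and "hook" in ch:
            yield (ch["family"], ch["table"], ch["name"], ch["hook"], ch["prio"], ch.get("policy"))


def priority_collisions(ruleset):
    """{(family, hook, prio): [tables]} where several tables hook the same
    point at the same priority; their relative order is undefined."""
    seen = defaultdict(set)
    for family, table, _, hook, prio, _ in base_chains(ruleset):
        seen[(family, hook, prio)].add(table)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def _rule_mentions_iface(rule, iface):
    """True if the rule matches iifname/oifname against the given interface."""
    for expr in rule.get("expr", []):
        m = expr.get("match")
        if not m:
            continue
        left = m.get("left")
        if (isinstance(left, dict) and left.get("meta", {}).get("key") in ("iifname", "oifname")
                and m.get("right") == iface):
            return True
    return False


def drop_chains_blind_to(ruleset, iface, exclude_table="lxd"):
    """[(table, chain, hook)] for drop-policy base chains outside the excluded
    table that never mention `iface`; traffic accepted by LXD's chain still
    traverses these and hits their drop policy."""
    rules_by_chain = defaultdict(list)
    for obj in ruleset["nftables"]:
        r = obj.get("rule")
        if r:
            rules_by_chain[(r["table"], r["chain"])].append(r)
    blind = []
    for _, table, name, hook, _, policy in base_chains(ruleset):
        if table == exclude_table or policy != "drop":
            continue
        if not any(_rule_mentions_iface(r, iface) for r in rules_by_chain[(table, name)]):
            blind.append((table, name, hook))
    return blind


def audit(ruleset, iface="lxdbr0"):
    """Human-readable findings, one string per problem."""
    findings = []
    for (family, hook, prio), tables in priority_collisions(ruleset).items():
        findings.append(f"undefined order: {family} hook {hook} prio {prio} shared by tables {', '.join(tables)}")
    for table, chain, hook in drop_chains_blind_to(ruleset, iface):
        findings.append(f"{table}/{chain} (hook {hook}): policy drop, no rule for {iface}; "
                        f"packets LXD accepts are still dropped here")
    return findings


if __name__ == "__main__":
    # Pipe a live export in: `sudo nft -j list ruleset | python3 audit.py`
    data = SAMPLE_RULESET if sys.stdin.isatty() else json.load(sys.stdin)
    print("\n".join(audit(data)) or "no findings")
```

On the sample the audit reports the priority collision on the input hook and two drop-policy chains (input and forward) that never accept bridge traffic. The practical consequence for the workflow in the report is that the user's own chains must accept traffic for the LXD bridge (for example by matching `iifname`/`oifname` on the bridge), since an accept in LXD's chain is not final; and a script that begins with `flush ruleset` removes LXD's table along with everything else, whereas `flush table inet filter` only resets the user's own table.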