
Support LXC #267

Open
jcharaoui opened this issue Jan 11, 2025 · 3 comments

Comments

@jcharaoui

jcharaoui commented Jan 11, 2025

On a fairly default installation on Debian 12, LXC networking doesn't work out of the box when this module is managing the firewall rules.

Through some trial and error I figured out that packet forwarding was simply not enabled for the lxcbr0 interface.

In the end I used this declaration to fix my LXC setup:

class { 'nftables::rules::qemu':
  interface  => 'lxcbr0',
  network_v4 => '10.0.3.0/24',
}

Here lxcbr0 and 10.0.3.0/24 are both the default values used in lxc-net.

If you think it would make sense to introduce a rule specifically for LXC based on this I'd be happy to provide a PR.

@baldurmen
Contributor

A quick fix for this issue would be to treat the lxcbrX interfaces as regular bridges, by modifying the regex here:

Regexp $bridgenames = /^br.+/

@jcharaoui
Author

> A quick fix for this issue would be to treat the lxcbrX interfaces as regular bridges, by modifying the regex here:

I don't think that would fully fix the issue because LXC containers also need to reach the host via DNS and DHCP.

@lelutin
Copy link
Contributor

lelutin commented Jan 21, 2025

I used to use exactly this kind of setup: vagrant-libvirt spawning qemu VMs with libvirt but with an nftables-based firewall and with libvirt configured with the default of setting up its firewall rules via iptables-compat.

One thing that made this setup super simple was to leave the nftables table named filter alone and set up my own set of rules in a differently named table. The filter table is used by the iptables-compat layer, so you can easily get conflicts there or overwrite what libvirtd set up. The only weird part left with that setup is that if you somehow lose libvirtd's rules (e.g. by reloading your entire ruleset if it flushes it all before setting things back up), then you need to restart the libvirtd service to make it bring back the firewall rules.

I always thought that it's a bit sad that this module jams all of its rules by default in the iptables-compat table filter.
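The two points raised in this thread (jcharaoui: the bridge needs forwarding plus DNS and DHCP access to the host; lelutin: keep your own rules out of the iptables-compat `filter` table) can be combined in one plain nftables ruleset. The following is an added example written for this thread, not code from the issue, from lxc-net or from the puppet-nftables module. It uses the lxc-net defaults already named above (`lxcbr0`, `10.0.3.0/24`); the table name `lxc_fw` and the chain names are assumptions.

```nft
# Added example: a dedicated table for the LXC bridge, separate from the
# iptables-compat "filter" table. Table and chain names are assumed.
# Interface and subnet are the lxc-net defaults quoted in the issue.
define lxc_if  = "lxcbr0"
define lxc_net = 10.0.3.0/24

table inet lxc_fw {
    chain input {
        type filter hook input priority filter; policy accept;

        # Containers talk to the dnsmasq instance lxc-net runs on the host:
        # DHCP (udp/67) for addresses, DNS (udp+tcp/53) for resolution.
        iifname $lxc_if udp dport { 53, 67 } accept
        iifname $lxc_if tcp dport 53 accept
        iifname $lxc_if icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Return traffic for flows the containers opened.
        ct state established,related accept

        # Only the bridge subnet may be forwarded out, and only from the
        # bridge itself, so a container cannot spoof another source range.
        iifname $lxc_if ip saddr $lxc_net oifname != $lxc_if accept

        # Anything else arriving from the bridge is logged and dropped so
        # misbehaving containers are visible in the journal.
        iifname $lxc_if log prefix "lxc_fw forward drop: " drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $lxc_net oifname != $lxc_if masquerade
    }
}
```

Two caveats matter before relying on this. First, an `accept` verdict only ends the chain it is in: the packet continues through every other base chain registered on the same hook, including the ones in the module's `filter` table, and a `drop` there is final. This table therefore adds permissions but cannot rescue traffic that the `filter` table's forward chain already drops, which is exactly the situation described at the top of the thread; it fits lelutin's arrangement, where the `filter` table is left to the iptables-compat layer. Second, the kernel still needs `net.ipv4.ip_forward=1`, which lxc-net sets when it brings up the bridge; a ruleset reload does not touch it, but a tool that resets sysctls will. Check the result with `nft -c -f <file>` before loading it, and with `nft list table inet lxc_fw` afterwards.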
