On 2/10/20 9:41 AM, Tomasz Chmielewski wrote:
> I have these two networks:
>
> # lxc network show br-staging
> config:
>   ipv4.address: 10.100.0.1/24
>   ipv4.dhcp.ranges: 10.100.0.50-10.100.0.254
>   ipv4.firewall: "true"
>   ipv4.nat: "true"
> description: staging network
> name: br-staging
> type: bridge
>
> # lxc network show br-testing
> config:
>   ipv4.address: 10.200.0.1/24
>   ipv4.dhcp.ranges: 10.200.0.50-10.200.0.254
>   ipv4.firewall: "true"
>   ipv4.nat: "true"
> description: testing network
> name: br-testing
> type: bridge
>
> Containers in these two networks have IP addresses assigned from DHCP and
> can connect out to the world - this is what I want.
>
> Unfortunately, containers from one network (staging) can also connect to
> containers from the other network (testing) - which is not what I want.
>
> Is there any mechanism in LXD to prevent it? Or do I have to add my own,
> custom iptables rules?

Hi Tomasz,
Staging and testing are on separate /24 subnets that normally shouldn't
talk to each other. Is it possible that they're talking to each other
via the nat side?
Have you looked into macvlan? It has some interesting restrictions on
traffic that you might be able to take advantage of. I haven't played
with that nic type yet so I can't be of specific help.
https://lxd.readthedocs.io/en/latest/instances/#nictype-macvlan shows
the config settings, but if you search within that page there are
descriptions of its properties.
Mike Wright
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
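The "custom iptables rules" route Tomasz mentions, as an added example that is not part of the thread: a small POSIX shell script that generates one FORWARD DROP rule for every ordered pair of LXD bridges, so traffic forwarded from br-staging to br-testing (and back) is dropped while each bridge's own NAT path to the outside is untouched. It assumes the bridge names from the thread, that the host uses iptables (the backend LXD's ipv4.firewall setting drives), and a DRY_RUN variable (my own convention) that defaults to printing the commands instead of running them. The rules are inserted with -I so they sit above the ACCEPT rules LXD generates for each bridge.

```sh
#!/bin/sh
# Added example, not from the thread: pairwise isolation of LXD bridges
# with iptables FORWARD rules. Bridge names br-staging / br-testing are
# the ones from the thread; DRY_RUN (assumed here) defaults to 1, which
# only prints the commands. Run with DRY_RUN=0 as root to apply them.

# isolate_rule SRC_BR DST_BR
#   Print the iptables command that drops traffic forwarded from SRC_BR
#   to DST_BR. -I puts it at the top of FORWARD, ahead of the per-bridge
#   ACCEPT rules that LXD's ipv4.firewall setting adds.
isolate_rule() {
  printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$1" "$2"
}

# isolation_rules BR...
#   Print a DROP rule for every ordered pair of distinct bridges, so the
#   isolation is symmetric and extends to any number of bridges.
isolation_rules() {
  for a in "$@"; do
    for b in "$@"; do
      [ "$a" = "$b" ] && continue
      isolate_rule "$a" "$b"
    done
  done
}

# apply_isolation BR...
#   Print (DRY_RUN=1, the default) or execute (DRY_RUN=0) the rules, then
#   show the resulting DROP entries so the change can be verified.
apply_isolation() {
  isolation_rules "$@" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "$cmd"
    else
      eval "$cmd"
    fi
  done
  if [ "${DRY_RUN:-1}" != 1 ]; then
    # Verification: the DROP rules should now appear above any ACCEPT.
    iptables -S FORWARD | grep -- '-j DROP'
  fi
}

# Stand-alone run: prints the two rules for the thread's bridges.
apply_isolation br-staging br-testing
```

The rules are not persisted across reboots or LXD restarts; on a host where LXD rebuilds its firewall rules, put the script in a boot-time unit that runs after LXD, and confirm with `iptables -S FORWARD` that the DROP lines still precede LXD's ACCEPT lines.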