On 2020-02-11 05:32, Andrey Repin wrote:
>> Containers in these two networks have IP addresses assigned from DHCP and
>> can connect out to the world - this is what I want.
>> Unfortunately, containers from one network (staging) can also connect to
>> containers from the other network (testing) - which is not what I want.
>
> So, fix it? iptables to your rescue. (E.g.: this is not an LXD problem.)

IMO it's an LXD configuration nuance. And a problem. See below.

>> Is there any mechanism in LXD to prevent it? Or do I have to add my own,
>> custom iptables rules?
>
> You have enabled packet forwarding on the host, but not specified any
> restrictions. Indeed, everything is forwarded where possible.

That's why I'm asking if there is any mechanism in LXD to prevent such
traffic.

LXD adds a lot of its own iptables rules.

I can add my own, of course, but in my opinion, it's not a very clear
solution:

- if one uses iptables-persistent, these rules will kind of conflict
  with the ones set by LXD and in case of reload, will even clear iptables
  rules set by LXD; there are issues with rule saving and so on

- I can set my own rules via other mechanisms, i.e. in /etc/rc.local on
  server startup - but then again, there is no reload/change mechanism
Tomasz Chmielewski
https://lxadm.com
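A host-side way to add the restriction the thread is missing, as an added example that is not code from the thread or from LXD itself: it emits the two FORWARD rules that drop traffic between the two bridges and applies them only when absent, so it can be re-run from rc.local or a systemd unit without stacking duplicates. The bridge names lxdbr-staging/lxdbr-testing and the iptables binary are assumptions.

```shell
#!/bin/sh
# Isolate two LXD bridge networks from each other at the host FORWARD chain.
# Bridge names are assumptions; override with STAGING=... TESTING=... if needed.
STAGING="${STAGING:-lxdbr-staging}"
TESTING="${TESTING:-lxdbr-testing}"
IPT="${IPT:-iptables}"

# Print the two FORWARD rule specifications, one per line.
# They are *inserted* at position 1 rather than appended: LXD adds its own
# per-bridge ACCEPT rules to FORWARD, and a DROP placed behind them would
# never be evaluated. Check the order afterwards with: iptables -S FORWARD
isolation_rules() {
    printf '%s\n' \
        "-i $STAGING -o $TESTING -j DROP" \
        "-i $TESTING -o $STAGING -j DROP"
}

# Idempotent apply: "iptables -C" tests whether an identical rule already
# exists, so repeated runs (boot, netfilter-persistent reload) add nothing twice.
apply_isolation() {
    isolation_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        if "$IPT" -C FORWARD $rule 2>/dev/null; then
            echo "present: $rule"
        else
            "$IPT" -I FORWARD 1 $rule && echo "added: $rule"
        fi
    done
}

# Number of rules this script manages (used as a quick self-check).
rule_count() { isolation_rules | wc -l | tr -d ' '; }

if [ "${1:-}" = "--apply" ]; then
    apply_isolation
fi
```

Run it as root with `--apply`; without the flag it only defines the functions, so `isolation_rules` can be called to review the rule set first.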
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users