[lxc-devel] [lxd/master] lxd bridge: move forwarding iptables rules to the NAT section

wgorski1 on Github lxc-bot at linuxcontainers.org
Tue Sep 6 00:07:37 UTC 2016


From 0fbcb2a70989e75af892f6808c341824ee85284d Mon Sep 17 00:00:00 2001
From: wgorski1 <wojciech at gorski.priv.pl>
Date: Tue, 6 Sep 2016 01:39:58 +0200
Subject: [PATCH 1/2] lxd bridge: move forwarding iptables rules to the NAT
 section

Signed-off-by: wgorski1 <wojciech at gorski.priv.pl>
---
 lxd-bridge/lxd-bridge | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lxd-bridge/lxd-bridge b/lxd-bridge/lxd-bridge
index 14d8f4d..c468950 100755
--- a/lxd-bridge/lxd-bridge
+++ b/lxd-bridge/lxd-bridge
@@ -115,6 +115,9 @@ start() {
         echo 1 > /proc/sys/net/ipv4/ip_forward
         if [ "${LXD_IPV4_NAT}" = "true" ]; then
             iptables "${use_iptables_lock}" -t nat -A POSTROUTING -s "${LXD_IPV4_NETWORK}" ! -d "${LXD_IPV4_NETWORK}" -j MASQUERADE -m comment --comment "managed by lxd-bridge"
+            iptables "${use_iptables_lock}" -I FORWARD -i "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
+            iptables "${use_iptables_lock}" -I FORWARD -o "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
+
         fi
         LXD_IPV4_ARG="--listen-address ${LXD_IPV4_ADDR} --dhcp-range ${LXD_IPV4_DHCP_RANGE} --dhcp-lease-max=${LXD_IPV4_DHCP_MAX}"
     fi
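Review bot: Gating the two FORWARD ACCEPT rules on `LXD_IPV4_NAT` silently removes forwarding for routed (non-NAT) IPv4 bridges, because the rules deleted in the second hunk were previously applied unconditionally; a host configured with `LXD_IPV4_NAT=false` and an upstream route to `${LXD_IPV4_NETWORK}` will now have container traffic fall through to whatever the FORWARD chain policy is. If restricting forwarding to the masquerade case is intended, that is a behaviour change worth stating in the commit message and mirroring in the stop path that deletes these rules, which is outside this hunk. Note also that these are still filter-table FORWARD rules, not nat-table ones (`-t nat` applies only to the MASQUERADE line above), so the subject line "move ... to the NAT section" overstates what moved. While the rules live in this branch they could be scoped to the masqueraded network rather than the whole interface, e.g. `-i "${LXD_BRIDGE}" -s "${LXD_IPV4_NETWORK}" -j ACCEPT` and `-o "${LXD_BRIDGE}" -d "${LXD_IPV4_NETWORK}" -j ACCEPT`, so the `-I` at the head of FORWARD does not accept spoofed or foreign source addresses arriving via the bridge. The enclosing start() function continues beyond both hunks.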
@@ -141,8 +144,6 @@ start() {
     iptables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p tcp --dport 67 -j ACCEPT -m comment --comment "managed by lxd-bridge"
     iptables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p udp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
     iptables "${use_iptables_lock}" -I INPUT -i "${LXD_BRIDGE}" -p tcp --dport 53 -j ACCEPT -m comment --comment "managed by lxd-bridge"
-    iptables "${use_iptables_lock}" -I FORWARD -i "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
-    iptables "${use_iptables_lock}" -I FORWARD -o "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
     iptables "${use_iptables_lock}" -t mangle -A POSTROUTING -o "${LXD_BRIDGE}" -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -m comment --comment "managed by lxd-bridge"
 
     LXD_DOMAIN_ARG=""

From 63f8b55ab69f7f239bec5b805f97f4a214535d06 Mon Sep 17 00:00:00 2001
From: wgorski1 <wojciech at gorski.priv.pl>
Date: Tue, 6 Sep 2016 01:42:37 +0200
Subject: [PATCH 2/2] removed empty line

Signed-off-by: wgorski1 <wojciech at gorski.priv.pl>
---
 lxd-bridge/lxd-bridge | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lxd-bridge/lxd-bridge b/lxd-bridge/lxd-bridge
index c468950..d76843c 100755
--- a/lxd-bridge/lxd-bridge
+++ b/lxd-bridge/lxd-bridge
@@ -117,7 +117,6 @@ start() {
             iptables "${use_iptables_lock}" -t nat -A POSTROUTING -s "${LXD_IPV4_NETWORK}" ! -d "${LXD_IPV4_NETWORK}" -j MASQUERADE -m comment --comment "managed by lxd-bridge"
             iptables "${use_iptables_lock}" -I FORWARD -i "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
             iptables "${use_iptables_lock}" -I FORWARD -o "${LXD_BRIDGE}" -j ACCEPT -m comment --comment "managed by lxd-bridge"
-
         fi
         LXD_IPV4_ARG="--listen-address ${LXD_IPV4_ADDR} --dhcp-range ${LXD_IPV4_DHCP_RANGE} --dhcp-lease-max=${LXD_IPV4_DHCP_MAX}"
     fi

