[lxc-devel] [lxd/master] doc/instances: Improves proxy docs

tomponline on Github lxc-bot at linuxcontainers.org
Mon Jul 6 15:59:48 UTC 2020


From e6d872e105e2907ebde5dbeffbb3c049fbdf888f Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Mon, 6 Jul 2020 16:56:36 +0100
Subject: [PATCH] doc/instances: Improves proxy docs

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 doc/instances.md | 37 ++++++++++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 3 deletions(-)

diff --git a/doc/instances.md b/doc/instances.md
index 6817f8e09a..dedcf28ea7 100644
--- a/doc/instances.md
+++ b/doc/instances.md
@@ -729,15 +729,46 @@ The supported connection types are:
 * `UDP <-> UNIX`
 * `UNIX <-> UDP`
 
+The proxy device also supports a `nat` mode where packets are forwarded using NAT rather than being proxied through
+a separate connection. This has benefit that the client address is maintained without the need for the target
+destination to support the `PROXY` protocol (which is the only way to pass the client address through when using
+the proxy device in non-nat mode).
+
+When configuring a proxy device with `nat=true`, you will need to ensure that the target instance has a static IP
+configured in LXD on its NIC device. E.g.
+
+```
+lxc config device set <instance> <nic> ipv4.address=<ipv4.address> ipv6.address=<ipv6.address>
+```
+
+In order to define a static IPv6 address, the parent managed network needs to have `ipv6.dhcp.stateful` enabled.
+
+In NAT mode the supported connection types are:
+
+* `TCP <-> TCP`
+* `UDP <-> UDP`
+
+When defining IPv6 addresses use square bracket notation, e.g.
+
+```
+connect=tcp:[2001:db8::1]:80
+```
+
+You can specify that the connect address should be the IP of the instance by setting the connect IP to the wildcard
+address (`0.0.0.0` for IPv4 and `[::]` for IPv6).
+
+The listen address can also use wildcard addresses when using non-NAT mode. However when using `nat` mode you must
+specify an IP address on the LXD host.
+
 Key             | Type      | Default       | Required  | Description
 :--             | :--       | :--           | :--       | :--
-listen          | string    | -             | yes       | The address and port to bind and listen
-connect         | string    | -             | yes       | The address and port to connect to
+listen          | string    | -             | yes       | The address and port to bind and listen (`<type>:<addr>:<port>[-<port>][,<port>]`)
+connect         | string    | -             | yes       | The address and port to connect to (`<type>:<addr>:<port>[-<port>][,<port>]`)
 bind            | string    | host          | no        | Which side to bind on (host/guest)
 uid             | int       | 0             | no        | UID of the owner of the listening Unix socket
 gid             | int       | 0             | no        | GID of the owner of the listening Unix socket
 mode            | int       | 0644          | no        | Mode for the listening Unix socket
-nat             | bool      | false         | no        | Whether to optimize proxying via NAT
+nat             | bool      | false         | no        | Whether to optimize proxying via NAT (requires instance NIC has static IP address)
 proxy\_protocol | bool      | false         | no        | Whether to use the HAProxy PROXY protocol to transmit sender information
 security.uid    | int       | 0             | no        | What UID to drop privilege to
 security.gid    | int       | 0             | no        | What GID to drop privilege to
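
Review bot: the format string added to the `listen` and `connect` rows, `<type>:<addr>:<port>[-<port>][,<port>]`, does not fit the `UNIX` connection types listed at the top of this hunk, which take a socket path rather than an address and port; consider showing the unix form next to it, or stating that the port syntax applies to tcp and udp only. In the new `nat` paragraphs, "This has benefit that" needs an article ("This has the benefit that"), and the mode is written "non-nat" in the first paragraph but "non-NAT" in the listen-address paragraph, so one spelling should be used throughout. Since NAT mode is limited to `TCP <-> TCP` and `UDP <-> UDP`, it would help to say which of the Unix socket keys (`uid`, `gid`, `mode`) are ignored there. The `ipv6.dhcp.stateful` requirement would also read better above the `lxc config device set` example, because that example sets `ipv6.address` before the reader has seen the prerequisite.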

