[lxc-users] macvlan networking

[Adam Gold]

> Just a wild guess, I'm assuming macvlan has problems with bridge interface.
> 
> Have you tried using a physical interface (e.g. eth0) as
> lxc.network.link? Or better yet, since you already create a bridge,
> use lxc.network.type = veth?
> 

I should give just a little bit more context.  I'm trying to set up a
DMZ container which would service a private subnet of containers (as a
choke firewall, reverse proxy etc).  The host's physical interface,
bond0, has been attached to br0.  I initially tried creating a container
(ct1) with two veth interfaces, one attached to br0 for external
internet connectivity, the other attached to the default lxcbr0.  I
created a second container (ct2) with a single veth interface attached
to lxcbr0.  Ct1 was accessible from the outside world and was able to
ping ct2.  However getting to ct2 from the outside world (e.g. to ssh in
and modify configs - easier than using lxc console or doing a double ssh
via ct1) has been problematic.

I'm wondering whether this is an iptables issue.  On ct1, cat
/proc/sys/net/ipv4/ip_forward gives me a result of 1 and I'm using
fairly simple rules to forward from ct1 to ct2 as follows (eth0 =
exernal; eth1 = internal)

## setup forwarding
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j
ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-t nat -A POSTROUTING -s subnet_addresses -o eth0 -j MASQUERADE
## NAT for ssh
-t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d
ct1_external_ip --dport 10088 -j DNAT --to ct2:22
-A FORWARD -i eth0 -o $eth1 -p tcp --sport 1024:65535 -d ct2_ip --dport
22 -j ACCEPT

Apologies, total noob mistake for not providing this additional
background.  I've used these iptables rules with xen and kvm in a
similar dmz style setup before with no problems but if there's something
specific I need to know for lxc that would be great to hear about.

Of course I'm still curious why the macvlan isn't working and would like
to get that set up as well!