We had a problem recently when migrating from ubuntu14 to ubuntu16 our LXC infrastructure:
the overall networking from outside (MASQUERADE and DNAT) was not working all of a sudden...
Apparently the difference is in the host machine:
-ubuntu 14 has the bridge module charged in the kernel with by default (check with sysctl -a)
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
in this case we used to forward the traffic "from" and "to" the bridges where we had LXC attached and to masq the ips when needed.
-ubuntu 16 has not (even if you create bridges and set iptables to forward the bridges traffic) unless you add the following rule:
(check with sysctl -a|grep bridges)
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
(check again with sysctl -a|grep bridges)
this way we had the same behaviour as with the Ubuntu 14 (well...more or less, you may need to trim a bit the forwarding table)
hope this will help... it took quite a while to figure this out
ciao
Alex
No comments:
Post a Comment