Lxd: nftables support?

Created on 15 Nov 2017 · 9 Comments · Source: lxc/lxd

Instead of relying on iptables, nftables support would allow using nftables NAT and not using iptables at all on the system.

nftables is a replacement for netfilter (iptables); among the advantages of nftables over netfilter are less code duplication and more throughput.
nftables is configured via the user-space utility nft, and converting from iptables to nftables is relatively simple. The Netfilter webpage mentions that about three quarters of all iptables features are supported; everything commonly used is supported, so no problems there.

Moving from iptables to nftables is made easier thanks to iptables-translate.
In general, the nftables wiki is invaluable.

I personally also find it easier to use, read and understand. If I read the source correctly, there is already an abstraction?

All 9 comments

nftables is missing for quite a number of Linux distributions that we support and is unsupported in most others (not in the default install, not in the main repository). Until that changes, we'll be sticking to iptables, ip6tables and ebtables.

As you said, the migration should be pretty easy but maintaining duplicated code that almost nobody would use for no real gain doesn't seem worth it. We'll revisit once distros start transitioning.

Sorry for bumping this old issue again.

In Debian Buster, the default is nftables, but they included iptables-compat (now called iptables-nft) packages. By default, both ip_tables and ip6_tables are loaded as kernel modules, as well as the nftables ones. Especially when you are dealing with NAT this leads to headaches, as only one can do NAT.

With iptables disabled, lxd logs the following:

lxd.daemon[6870]: t=*timestamp* lvl=eror msg="Failed to bring down network" err="Failed to list ipv4 rules for LXD network lxdbr0 (table filter)" name=lxdbr0

A fix or workaround would be appreciated.

Maybe not directly related to this issue, but I was able to fix IPv4 networking problems of LXD containers on Debian 10 (with UFW installed and enabled) by following these steps to use the old iptables backend: https://wiki.debian.org/iptables

# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

Steps to reproduce the problems I've described (on Debian 10):

$ apt update

$ apt install -y ufw
$ ufw allow 22/tcp
$ ufw enable

$ apt install -y --no-install-recommends snapd
$ snap install lxd
$ yes '' | /snap/bin/lxd init
$ reboot

# Log in again

$ lxc launch images:debian/buster demo
# "demo" container will never get a private IPv4 address assigned, IPv6 is working fine

Don't know if this is a problem of LXD, UFW and/or the new iptables backend nftables.
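The comment above attributes the breakage to the nftables backend coexisting with the legacy ip_tables modules, and the earlier one notes that only one of the two can do NAT. The script below is an added example for checking a host for exactly that condition; it is not part of the issue thread and not LXD's own code. It relies on two things I am confident of: iptables 1.8 and later append "(nf_tables)" or "(legacy)" to the `iptables -V` banner, and /proc/modules lists loaded kernel modules one per line with the module name first. The sample module listing is constructed for the demonstration, and `check_host` is a name chosen here.

```shell
#!/bin/sh
# Added example (not from the LXD issue or project): report which iptables
# backend is active and whether the legacy xtables NAT modules and nf_tables
# are loaded at the same time, the mix the thread above says breaks NAT.

# Classify an `iptables -V` banner as "nft", "legacy" or "unknown".
# iptables 1.8+ prints "(nf_tables)" or "(legacy)" after the version string;
# older releases print nothing, which we report as unknown.
classify_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Read /proc/modules-format text on stdin. Print "mixed" when both the
# xtables family (ip_tables/ip6_tables and their NAT tables) and nf_tables
# are loaded, otherwise the single family present, or "none".
nat_families() {
    xt=0; nft=0
    while read -r name _rest; do
        case "$name" in
            ip_tables|ip6_tables|iptable_nat|ip6table_nat) xt=1 ;;
            nf_tables) nft=1 ;;
        esac
    done
    if [ "$xt" -eq 1 ] && [ "$nft" -eq 1 ]; then echo mixed
    elif [ "$xt" -eq 1 ]; then echo xtables
    elif [ "$nft" -eq 1 ]; then echo nftables
    else echo none
    fi
}

# Constructed sample in /proc/modules format: the Debian Buster situation
# described in the thread, with both module families loaded.
SAMPLE_MODULES='nf_tables 143360 5 nft_compat, Live 0x0
ip_tables 32768 1 iptable_nat, Live 0x0
iptable_nat 16384 0 - Live 0x0'

# Inspect the live host (only meaningful on Linux with iptables installed).
check_host() {
    banner=$(iptables -V 2>/dev/null || echo "")
    echo "iptables backend: $(classify_backend "$banner")"
    if [ -r /proc/modules ]; then
        echo "NAT module families: $(nat_families < /proc/modules)"
    fi
}

# Stand-alone run: show the verdict for the constructed sample, and for the
# host itself when invoked with --host.
echo "sample verdict: $(printf '%s\n' "$SAMPLE_MODULES" | nat_families)"
if [ "${1:-}" = --host ]; then check_host; fi
```

A "mixed" verdict together with a "legacy" backend is the configuration that matches the symptoms in the thread; on such a host the `update-alternatives` commands quoted above select which backend the `iptables` binary talks to, but they do not unload the other family's modules, so the check is worth re-running after a reboot.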

@stgraber I think it might be reasonable to reconsider nftables support at this point.
Especially given that Debian 10 released with nftables.

Hello @stgraber, I'm also curious about the status of this feature. If needed, maybe somebody from our team can work on the integration if you could share a few architecture pointers.

This is breaking lxd networking in Ubuntu eoan.

Installing nftables and starting the nftables.service seems to be enough to break IPv4 container networking on Arch also.

Seems to be tracked at #6223
