The nat fiddles are not visible inside the container network namespace. Thus I am wondering if there is an odd interaction between namespace, nftables based iptables vs legacy iptables. I.e. whilst the host is configured using legacy iptables, maybe the lxd guests must be using legacy iptables too.
I'll experiment to see if forcing the lxd guest to simply only use iptables-legacy is good enough for now, despite the hosts getting upgraded to bionic, because it's only groovy that started to use nftables-based iptables.

https://bugs.launchpad.net/bugs/1917920

Title:
  magic-proxy broke with iptables 1.8.7-1ubuntu2

Status in launchpad-buildd:
  New
Status in iptables package in Ubuntu:
  New
Status in livecd-rootfs package in Ubuntu:
  New
Status in lxd package in Ubuntu:
  New

Bug description:
  when iptables got upgraded from 1.8.5-3ubuntu4 to 1.8.7-1ubuntu2 magic proxy stopped working in livecd-rootfs.

  It does a very simple thing:

    iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080

  inside a hirsute lxd container, with quite high privileges, in a bionic VM running a 4.15 kernel.

  With 1.8.5 the above worked fine; with 1.8.7 somehow there was no outbound connectivity: the very first http networking command after the above call would just hang indefinitely.

  However, if one does this instead:

    iptables -vv -t nat -S
    iptables-legacy -vv -t nat -S
    iptables -vv -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080

  somehow magically everything starts to work fine. weird.
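As an added example (not part of the bug thread or of livecd-rootfs), a small POSIX shell helper for the situation described above: it records which iptables backend the container's `iptables` binary is, and which backend (nf_tables or legacy) actually holds the port-80 REDIRECT rule, so a "rule listed but traffic not redirected" split can be spotted before the first HTTP call hangs. It assumes iptables >= 1.8, whose `iptables -V` output ends in `(nf_tables)` or `(legacy)`, and that `iptables-nft` and `iptables-legacy` are both installed when run live.

```shell
#!/bin/sh
# Added example, not the bug reporter's code. Assumes iptables >= 1.8, where
# `iptables -V` prints e.g. "iptables v1.8.7 (nf_tables)" or "... (legacy)".

# backend_of "<output of iptables -V>" -> prints nft | legacy | unknown
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# has_redirect_rule "<output of iptables -t nat -S OUTPUT>" -> exit 0 if a
# tcp/80 -> 8080 REDIRECT rule with an owner match is listed, 1 otherwise.
# The owner uid is printed numerically by -S (daemon is uid 1 on Ubuntu).
has_redirect_rule() {
    printf '%s\n' "$1" | grep -q -- \
        '^-A OUTPUT -p tcp .*--dport 80 .*--uid-owner [^ ]* -j REDIRECT --to-ports 8080$'
}

# redirect_status "<nft listing>" "<legacy listing>" -> prints where the rule
# lives: nft-only | legacy-only | both | none. "both" means two active copies,
# "none" means the rule was never installed in either backend.
redirect_status() {
    n=0; l=0
    has_redirect_rule "$1" && n=1
    has_redirect_rule "$2" && l=1
    case "$n$l" in
        10) echo nft-only ;;
        01) echo legacy-only ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# live_check: query the real system (needs root inside the container).
live_check() {
    backend=$(backend_of "$(iptables -V 2>/dev/null)")
    nft_rules=$(iptables-nft -t nat -S OUTPUT 2>/dev/null || true)
    legacy_rules=$(iptables-legacy -t nat -S OUTPUT 2>/dev/null || true)
    echo "default backend: $backend; REDIRECT rule held by: $(redirect_status "$nft_rules" "$legacy_rules")"
}

if [ "${1:-}" = --live ]; then live_check; fi
```

Run it as `sh check-redirect.sh --live` inside the container after adding the rule; a result of `nft-only` on a host whose kernel only honours the legacy tables is the mismatch to investigate.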

