libvirt users - Dec 2020 - Libvirt-lxc: iptables not working in containers

Hi,
I can't get iptables to work in libvirt-lxc containers. "iptables
-L"
command shows empty chains. However I tested the same scenario with pure
lxc and iptables works as it should.
Has anyone experienced that? It seems like a bug, but maybe there is some
libvirt xml parameter I am missing?

BR
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://listman.redhat.com/archives/libvirt-users/attachments/20201214/c622c5eb/attachment.htm>

On 12/14/20 12:05 AM, John Hurnett wrote:
> Hi,
> I can't get iptables to work in libvirt-lxc containers. "iptables
-L"
> command shows empty chains. However I tested the same scenario with pure
> lxc and iptables works as it should.
> Has anyone experienced that? It seems like a bug, but maybe there is some
> libvirt xml parameter I am missing?
> 
> BR
> 
Libvirt will create a private network NS if:

1) you have an <interface/> defined for your container, or
2) <privnet/> exists under <features/>

This is documented here:

https://libvirt.org/drvlxc.html#securenetworking

And private network NS also means separate firewall and its tables.

Michal