No IPv4

Hi, I installed LXC/LXD and LXCFS on NixOS using the NixOS module provided by nixpkgs.
I then set up with lxd init and accepted all defaults (I use btrfs).
Then I installed an Ubuntu 24.04 image. For some reason, the resulting container doesn’t have an IPv4 address, which is a problem since my network doesn’t support IPv6.
I am able to SSH into the image successfully from the host machine.

Could you check if the 24.04 instance you created has any issue with systemd units? lxc exec <instance> -- systemctl --failed should provide a list of failing units if any.

Also, please let us know your LXD version, kernel version and basic reproducing steps (how and which image you used to create the instance, etc). Thanks!

~$ lxc exec ubuntu -- systemctl --failed

0 loaded units listed.
~$ lxc --version
5.21.0 LTS
~$ uname -a
Linux nailbox 6.9.3 #1-NixOS SMP PREEMPT_DYNAMIC Thu May 30 07:45:04 UTC 2024 x86_64 GNU/Linux

I created the instance with lxc launch ubuntu:24.04 ubuntu

I read in the documentation that something like this can be caused by firewalls or Docker. I uninstalled Docker and have the following iptables rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nixos-fw   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain nixos-fw (1 references)
target     prot opt source               destination
nixos-fw-accept  all  --  anywhere             anywhere
nixos-fw-accept  all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
nixos-fw-accept  tcp  --  anywhere             anywhere             tcp dpts:sesi-lm:cft-3
nixos-fw-accept  udp  --  anywhere             anywhere             udp dpt:mdns
nixos-fw-accept  udp  --  anywhere             anywhere             udp dpts:sesi-lm:cft-3
nixos-fw-accept  icmp --  anywhere             anywhere             icmp echo-request
nixos-fw-log-refuse  all  --  anywhere             anywhere

Chain nixos-fw-accept (6 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain nixos-fw-log-refuse (1 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN LOG level info prefix "refused connection: "
nixos-fw-refuse  all  --  anywhere             anywhere             PKTTYPE != unicast
nixos-fw-refuse  all  --  anywhere             anywhere

Chain nixos-fw-refuse (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Ah, interesting, my journal contains entries such as this:

Jun 12 20:54:36 nailbox kernel: refused connection: IN=lxdbr0 OUT= MAC=<#REDACTED#> SRC=<#REDACTED#> DST=<#REDACTED#> LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=926781 PROTO=TCP SPT=40894 DPT=53 WINDOW=64800 RES=0x00 SYN URGP=0

Based on your ruleset, I think the following rules would fix the issue:

iptables -I nixos-fw -i lxdbr0 -j nixos-fw-accept
iptables -I nixos-fw -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept

Thanks, I’ll look into how I can configure this with NixOS

Will this allow all connections over lxdbr0? I’m trying to configure this via the NixOS configuration and if so, I’d be able to just add a blanket allow for all ports on lxdbr0

In plain English, the first rule would accept the traffic if the input device is lxdbr0. The second would allow established connections if their output device is lxdbr0, this is for the return traffic essentially.

1 Like

This worked. Thanks.

1 Like