LXC container with bridge networking exposes fake MAC address to external network
The difference is that the LXC container on Ubuntu uses an IP address from a different subnet and has its host's IP as default gateway, whereas the LXC container on Debian uses an IP from the same subnet as the host and has the same default gateway as the host.
When the LXC container has an IP from a different subnet than its host and uses its host as default gateway, packets from the LXC container are routed, and when they leave the host's network interface they carry the host's MAC. When the LXC container is on the same subnet as the host and uses the same gateway, packets are bridged and retain the LXC container's fake MAC. My solution is to force routing through the host even if they are on the same subnet. In this case my LXC container has the following /etc/network/interfaces:
auto eth0
iface eth0 inet static
address y.y.y.12
netmask 255.255.255.255
post-up route add y.y.y.9 dev eth0
post-up route add default gw y.y.y.9
and the LXC host has the following in sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.bond0.proxy_arp = 1
and in /etc/network/interfaces:
auto bond0
iface bond0 inet static
address y.y.y.9
netmask 255.255.255.192
broadcast y.y.y.63
gateway y.y.y.1
auto lxcbr0
iface lxcbr0 inet static
bridge_ports none
bridge_fd 0
bridge_stp off
bridge_maxwait 0
address 192.168.120.1
netmask 255.255.255.0
up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
up /sbin/ip route add to y.y.y.12 dev lxcbr0
I have removed irrelevant options from configs above.
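The routed setup above rests on three host-side facts: forwarding is on, the external interface answers ARP for the container's address (proxy_arp), and a /32 host route for the container points at the internal bridge. The script below is an added example, not part of the original post or of LXC itself; it renders those three commands for a given container and checks a host for them, so the state the switch's port security depends on (only the host's MAC ever appearing on the wire) can be verified rather than assumed. Interface names, addresses and the optional /proc prefix (used so the check can run against a constructed tree offline) are parameters, not values from the page.

```shell
#!/bin/sh
# Added example. Assumptions: $ext_if is the physical/bond interface facing the
# switch, $br_if is the container-facing bridge, $ct_ip is the container address,
# and an optional $proc prefix replaces /proc so the check can run offline.

# Print the commands that move one container onto the routed path. With these
# in place the host, not the container, is the L2 source for everything that
# leaves $ext_if, and the FORWARD chain becomes a single filtering point.
render_routed_setup() {
    ext_if=$1 br_if=$2 ct_ip=$3
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$ext_if"
    printf 'ip route add %s/32 dev %s\n' "$ct_ip" "$br_if"
}

# Verify the same three conditions. Sysctls are read from $proc (default /proc);
# the routing table is read from stdin in `ip route show` format.
# Prints "ok" and returns 0 when routed correctly; otherwise prints the
# missing pieces and returns 1.
check_routed_setup() {
    ext_if=$1 br_if=$2 ct_ip=$3 proc=${4:-/proc}
    missing=""
    [ "$(cat "$proc/sys/net/ipv4/ip_forward" 2>/dev/null)" = 1 ] \
        || missing="$missing ip_forward"
    [ "$(cat "$proc/sys/net/ipv4/conf/$ext_if/proxy_arp" 2>/dev/null)" = 1 ] \
        || missing="$missing proxy_arp"
    # Escape the dots so the address is matched literally; the kernel shows a
    # host route either as "A.B.C.D dev X" or "A.B.C.D/32 dev X".
    ip_re=$(printf '%s' "$ct_ip" | sed 's/\./\\./g')
    grep -Eq "^$ip_re(/32)? dev $br_if( |\$)" || missing="$missing host-route"
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# Usage:  sh routed-lxc.sh render bond0 lxcbr0 10.0.0.12
#         ip route show | sh routed-lxc.sh check bond0 lxcbr0 10.0.0.12
case ${1:-} in
    render) shift; render_routed_setup "$@" ;;
    check)  shift; check_routed_setup "$@" ;;
esac
```

The check is deliberately read-only: run it after boot on the host, and if it reports a missing host-route the container's traffic is being bridged again and its own MAC is what the switch will see.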
AlexD
I'm a sysadmin and software developer with more than a decade of experience (see CV for details). For ten years as ISP lead engineer I've helped to grow a small ISP from a hundred customers to a few thousand. For the last few years I have worked remotely as an independent consultant, mostly focused on building high performance web servers (nginx, varnish, unicorn), application deployment (capistrano), cloud/virtualized servers (Amazon EC2, Xen Virtualization), configuration management (chef/puppet) and server monitoring (monit, nagios, munin). To enquire about my availability please send a message to enquiry ( at ) alexeydemidov ( dot ) com.
Updated on September 18, 2022
Comments
AlexD over 1 year
I'm running an LXC container (lxc 0.7.2-1) on Debian squeeze with bridge networking configured by the book with a public IP, and I have the problem that it exposes the fake MAC address of the LXC container to the external network, where it gets blocked by switch port security, preventing the LXC container from communicating with the world. I run another LXC container on Ubuntu 12.04.2 LTS (lxc 0.7.5-3ubuntu67) with the same network configuration but I don't have any problems, as it doesn't expose fake MACs to the external network and all communication goes with the host's MAC.
Currently I'm trying to find the difference in network configuration between the hosts but without much success. Could it possibly be version-dependent behavior of lxc itself?
Debian /etc/network/interfaces
auto br0
iface br0 inet static
bridge_ports eth0
bridge_fd 0
bridge_stp off
bridge_maxwait 0
address y.y.y.9
netmask 255.255.255.192
broadcast y.y.y.63
gateway y.y.y.1
pre-up iptables-restore < /etc/iptables.up.rules
Debian LXC network config
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = fe:95:57:4b:b4:9b
lxc.network.ipv4 = y.y.y.12/26
Ubuntu /etc/network/interfaces
auto br0
iface br0 inet static
bridge_ports eth0
bridge_fd 0
bridge_stp off
bridge_maxwait 0
address z.z.z.146
netmask 255.255.255.0
broadcast z.z.z.255
gateway z.z.z.1
pre-up iptables-restore < /etc/iptables.rules
up route add x.x.x.1 br0
Ubuntu LXC network config
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.ipv4 = x.x.x.1/32
lxc.network.hwaddr = 00:16:3e:87:b5:b9