Home / server / Questions / 522478
Accepted
AlexD
Asked: 2013-07-12 02:14:30 +0800 CST

LXC container with bridge networking exposes fake MAC address to external network

  • 772

I'm running LXC container (lxc 0.7.2-1) on Debian squeeze with bridge networking configured by the book with public IP and I have problem that it exposes fake MAC address from LXC container to external network where it gets blocked by switch port security so preventing LXC container from communicating with the world. I run another LXC container on Ubuntu 12.04.2 LTS (lxc 0.7.5-3ubuntu67) with same network configuration but I don't have any problems as it doesn't expose fake MACs to external network and all communications goes with host's MAC.

Currently I'm trying to find difference in network configuration between hosts but without much success. Could it be possibly version dependent behavior of lxc itself?

Debian /etc/network/interfaces

auto br0
iface br0 inet static
    bridge_ports eth0
    bridge_fd 0
    bridge_stp off
    bridge_maxwait 0
    address   y.y.y.9
    netmask   255.255.255.192
    broadcast y.y.y.63
    gateway   y.y.y.1
    pre-up iptables-restore < /etc/iptables.up.rules

Debian LXC network config

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = fe:95:57:4b:b4:9b
lxc.network.ipv4 = y.y.y.12/26

Ubuntu /etc/network/interfaces

auto br0
iface br0 inet static
    bridge_ports eth0
    bridge_fd 0
    bridge_stp off
    bridge_maxwait 0
    address   z.z.z.146
    netmask   255.255.255.0
    broadcast z.z.z.255
    gateway   z.z.z.1
    pre-up iptables-restore < /etc/iptables.rules
    up route add x.x.x.1 br0

Ubuntu LXC network config

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.ipv4 = x.x.x.1/32
lxc.network.hwaddr = 00:16:3e:87:b5:b9
networking

1 Answers

  1. Best Answer

    The difference is that LXC container on Ubuntu uses IP address from different subnet and has its host's IP as default gateway when LXC container on Debian uses IP from the same subnet as host and has its default gateway the same as host's.

    When LXC container has IP from different subnet than its host and uses its host as default gateway then packets from LXC container are routed and when they leave host's network interface they have host's MAC. When LXC container is on the same subnet as host and uses the same gateway then packets are bridged and retain LXC's fake MAC. My solution is to force routing through host even if they are on the same subnet. In this case my LXC container has following /etc/network/interfaces:

    auto eth0
iface eth0 inet static
    address   y.y.y.12
    netmask   255.255.255.255
    post-up route add y.y.y.9 dev eth0
    post-up route add default gw y.y.y.9

    and LXC host has following in sysctl.conf

    net.ipv4.ip_forward=1
net.ipv4.conf.bond0.proxy_arp = 1

    and in /etc/network/interfaces:

     auto bond0
 iface bond0 inet static
   address y.y.y.9
   netmask 255.255.255.192
   broadcast y.y.y.63
   gateway y.y.y.1

 auto lxcbr0
 iface lxcbr0 inet static
    bridge_ports none
    bridge_fd 0
    bridge_stp off
    bridge_maxwait 0
    address   192.168.120.1
    netmask   255.255.255.0
    up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
    up /sbin/ip route add to y.y.y.12 dev lxcbr0

    I have removed irrelevant options from configs above.

    • 4