Fix LXC firewall with DHCP, Fixes #40058

roles/nudgis/lxc/README.md

@@ -7,7 +7,7 @@ Used by netcapture for LXC installation/configuration
 
 Available variables are listed below, along with the descriptions and the default values.
 
-`lxc_network_type`: LXC network type
+`lxc_network_type`: LXC network type, can be `masquerade_bridge` or `host_bridge`
 ```
 lxc_network_type: "masquerade_bridge"
 ```

roles/nudgis/lxc/defaults/main.yml

 ---
 
-# LXC network type
+# LXC network type, can be `masquerade_bridge` or `host_bridge`
 lxc_network_type: "masquerade_bridge"
 
 ...

roles/nudgis/lxc/handlers/main.yml

@@ -12,4 +12,6 @@
     name: lxc-net
     state: restarted
 
+- ansible.builtin.import_tasks: ../../shared/handlers/nftables.yml
+
 ...

roles/nudgis/lxc/tasks/base.yml

 ---
 
-- name: "Host bridge configuration"
+# Deploy bridge configuration, it can be :
+# - Host bridge (which disable the default LXC lxcbr0 bridge)
+# - Masquerade bridge (named br0)
+- name: "Container bridge network configuration"
+  notify: "Restart lxc-net"
+  ansible.builtin.copy:
+    src: lxc-net.{{ lxc_network_type }}
+    dest: /etc/default/lxc-net
+    mode: "644"
+
+- name: "Host bridge information"
   when: lxc_network_type == 'host_bridge'
   block:
-    - name: "Masquerade bridge configuration disabling"
-      notify: "Restart lxc-net"
-      ansible.builtin.copy:
-        src: lxc-net.host_bridge
-        dest: /etc/default/lxc-net
-        mode: "644"
-
     - name: "Ask confirmation"
       ansible.builtin.pause:
         prompt: |
@@ -18,7 +21,7 @@
           Host bridge configuration must be done manually, and named: br0
           Documentation (section host device as bridge): https://wiki.debian.org/LXC/SimpleBridge
           Continue (yes/no)
-          -------------------------------------------------------------------------------------------
+          ------------------------------------------------------------------------------------------
       register: confirm_continue
       no_log: true
 
@@ -27,17 +30,15 @@
         msg: 'Installation aborted'
       when: not ((confirm_continue.user_input | bool) or (confirm_continue.user_input | length == 0))
 
-- name: "Masquerade bridge configuration"
-  when: lxc_network_type == 'masquerade_bridge'
-  block:
-    - name: "Container network configuration"
-      notify: "Restart lxc-net"
-      ansible.builtin.copy:
-        src: lxc-net.masquerade_bridge
-        dest: /etc/default/lxc-net
-        mode: "644"
+# Should be a notify to restart lxc-net and nftables here
+# but this is not possible with import_role
+- ansible.builtin.import_role:
+    name: "nudgis/shared"
+    tasks_from: "firewall_rules_files.yml"
+  vars:
+    firewall_rules_files: "{{ lxc_firewall_rules_files }}"
 
-- name: "Default container configuration"
+- name: "Create default container configuration"
   notify: "Restart lxc"
   ansible.builtin.template:
     src: lxc-default.j2

roles/nudgis/lxc/tasks/install.yml

@@ -5,9 +5,6 @@
     name: "nudgis/shared"
     tasks_from: "apt_install.yml"
   vars:
-    apt_packages:
-      - lxc
-      - lxcfs
-      - bridge-utils
+    apt_packages: "{{ lxc_packages }}"
 
 ...

roles/nudgis/lxc/vars/main.yml

+---
+
+# Packages required for the group
+lxc_packages:
+  - lxc
+  - lxcfs
+  - bridge-utils
+
+# Group firewall rules filename, see roles/shared/files/nftables/
+lxc_firewall_rules_files:
+  - lxc
+
+...

roles/nudgis/shared/files/nftables/lxc.nft

+# Used only for DHCP, otherwhise not necessary
+# Override inet > forward chain to policy ACCEPT
+table inet filter {
+    chain forward {
+        type filter hook forward priority 0; policy accept;
+   }
+}
+# - for masquerade bridge
+add inet filter input iifname "lxcbr0" udp dport { 53, 67 } accept
+add inet filter input iifname "lxcbr0" tcp dport { 53, 67 } accept
+# - for host bridge
+add inet filter input iifname "vmbr0" udp dport { 53, 67 } accept
+add inet filter input iifname "vmbr0" tcp dport { 53, 67 } accept