Uneeded dependency on iptables modules

[simondeziel]

Required information

• Distribution: Ubuntu
• Distribution version: Bionic 18.04.3 64 bits
• The output of "lxc info":

  config:
  core.https_address: '[::]:8443'
  images.auto_update_interval: "0"
  api_extensions:
  - storage_zfs_remove_snapshots
  - container_host_shutdown_timeout
  - container_stop_priority
  - container_syscall_filtering
  - auth_pki
  - container_last_used_at
  - etag
  - patch
  - usb_devices
  - https_allowed_credentials
  - image_compression_algorithm
  - directory_manipulation
  - container_cpu_time
  - storage_zfs_use_refquota
  - storage_lvm_mount_options
  - network
  - profile_usedby
  - container_push
  - container_exec_recording
  - certificate_update
  - container_exec_signal_handling
  - gpu_devices
  - container_image_properties
  - migration_progress
  - id_map
  - network_firewall_filtering
  - network_routes
  - storage
  - file_delete
  - file_append
  - network_dhcp_expiry
  - storage_lvm_vg_rename
  - storage_lvm_thinpool_rename
  - network_vlan
  - image_create_aliases
  - container_stateless_copy
  - container_only_migration
  - storage_zfs_clone_copy
  - unix_device_rename
  - storage_lvm_use_thinpool
  - storage_rsync_bwlimit
  - network_vxlan_interface
  - storage_btrfs_mount_options
  - entity_description
  - image_force_refresh
  - storage_lvm_lv_resizing
  - id_map_base
  - file_symlinks
  - container_push_target
  - network_vlan_physical
  - storage_images_delete
  - container_edit_metadata
  - container_snapshot_stateful_migration
  - storage_driver_ceph
  - storage_ceph_user_name
  - resource_limits
  - storage_volatile_initial_source
  - storage_ceph_force_osd_reuse
  - storage_block_filesystem_btrfs
  - resources
  - kernel_limits
  - storage_api_volume_rename
  - macaroon_authentication
  - network_sriov
  - console
  - restrict_devlxd
  - migration_pre_copy
  - infiniband
  - maas_network
  - devlxd_events
  - proxy
  - network_dhcp_gateway
  - file_get_symlink
  - network_leases
  - unix_device_hotplug
  - storage_api_local_volume_handling
  - operation_description
  - clustering
  - event_lifecycle
  - storage_api_remote_volume_handling
  - nvidia_runtime
  - container_mount_propagation
  - container_backup
  - devlxd_images
  - container_local_cross_pool_handling
  - proxy_unix
  - proxy_udp
  - clustering_join
  - proxy_tcp_udp_multi_port_handling
  - network_state
  - proxy_unix_dac_properties
  - container_protection_delete
  - unix_priv_drop
  - pprof_http
  - proxy_haproxy_protocol
  - network_hwaddr
  - proxy_nat
  - network_nat_order
  - container_full
  - candid_authentication
  - backup_compression
  - candid_config
  - nvidia_runtime_config
  - storage_api_volume_snapshots
  - storage_unmapped
  - projects
  - candid_config_key
  - network_vxlan_ttl
  - container_incremental_copy
  - usb_optional_vendorid
  - snapshot_scheduling
  - container_copy_project
  - clustering_server_address
  - clustering_image_replication
  - container_protection_shift
  - snapshot_expiry
  - container_backup_override_pool
  - snapshot_expiry_creation
  - network_leases_location
  - resources_cpu_socket
  - resources_gpu
  - resources_numa
  - kernel_features
  - id_map_current
  - event_location
  - storage_api_remote_volume_snapshots
  - network_nat_address
  - container_nic_routes
  - rbac
  - cluster_internal_copy
  - seccomp_notify
  - lxc_features
  - container_nic_ipvlan
  - network_vlan_sriov
  - storage_cephfs
  - container_nic_ipfilter
  - resources_v2
  - container_exec_user_group_cwd
  - container_syscall_intercept
  - container_disk_shift
  - storage_shifted
  - resources_infiniband
  - daemon_storage
  api_status: stable
  api_version: "1.0"
  auth: trusted
  public: false
  auth_methods:
  - tls
  environment:
  addresses:
  - 172.24.30.4:8443
  - '[2001:a:b:c:d]:8443'
  architectures:
  - x86_64
  - i686
  certificate: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
  certificate_fingerprint: 5ebbcc7ec0a696b93ab076793225169c7b701cb048c1c3d6c6fb3b7f1877a44b
  driver: lxc
  driver_version: 3.2.1
  kernel: Linux
  kernel_architecture: x86_64
  kernel_features:
  netnsid_getifaddrs: "true"
  seccomp_listener: "true"
  shiftfs: "false"
  uevent_injection: "true"
  unpriv_fscaps: "true"
  kernel_version: 5.0.0-30-generic
  lxc_features:
  mount_injection_file: "true"
  network_gateway_device_route: "true"
  network_ipvlan: "true"
  network_l2proxy: "true"
  network_phys_macvlan_mtu: "true"
  seccomp_notify: "true"
  project: default
  server: lxd
  server_clustered: false
  server_name: c2d.mgmt.sdeziel.info
  server_pid: 1395
  server_version: "3.17"
  storage: zfs
  storage_version: 0.7.12-1ubuntu5

Issue description

lxd insists on having iptables related modules loaded when editing/creating networks even when ipv{4,6}.firewall: "false". Here are the steps to reproduce the issue with iptable_mangle and ip6table_nat.

Steps to reproduce

1. Remove modules modprobe -r iptable_mangle ip6table_nat
2. Prevent automatic module loading sysctl kernel.modprobe=/bin/false
3. Try to create a network

   lxc network create foo ipv4.address=none ipv4.firewall=false ipv6.address=none ipv6.firewall=false

This will fail with the error:

Error: Failed to list ipv4 rules for LXD network foo (table mangle)

4. Manually load iptable_mangle /sbin/modprobe iptable_mangle
5. Try to create a network

   lxc network create foo ipv4.address=none ipv4.firewall=false ipv6.address=none ipv6.firewall=false

This will fail with the error:

Error: Failed to list ipv6 rules for LXD network foo (table nat)

Additional information

I have no use for iptable_mangle nor ip6table_nat modules so they are not part of the short list of modules that are loaded on boot prior to disabling module loading with sysctl kernel.modules_disabled=1. This is how I noticed that lxd insisted on having them loaded.

I believe that lxd should try to list existing firewall rules but fail gracefully if it cannot and no firewall integration was requested for the network being edited/created.

[stgraber]

Right now we can't tell whether a network is getting created for the first time or updated so ignoring cleanup errors can be a problem if you were trying to turn off firewalling rather than creating a new network with it disabled.

It shouldn't be particularly hard to pass that extra data through at which point we can start being a bit smarter with this and other similar cases.