Closed simondeziel closed 4 years ago
Right now we can't tell whether a network is getting created for the first time or updated, so ignoring cleanup errors can be a problem if you were trying to turn off firewalling rather than creating a new network with it disabled.
It shouldn't be particularly hard to pass that extra data through at which point we can start being a bit smarter with this and other similar cases.
Required information
Issue description
lxd insists on having iptables-related modules loaded when editing/creating networks even when ipv{4,6}.firewall: "false". Here are the steps to reproduce the issue with iptable_mangle and ip6table_nat.
Steps to reproduce
modprobe -r iptable_mangle ip6table_nat
sysctl kernel.modprobe=/bin/false
This will fail with the error:
/sbin/modprobe iptable_mangle
This will fail with the error:
Additional information
I have no use for the iptable_mangle or ip6table_nat modules, so they are not part of the short list of modules that are loaded on boot prior to disabling module loading with sysctl kernel.modules_disabled=1. This is how I noticed that lxd insisted on having them loaded.

I believe that lxd should try to list existing firewall rules but fail gracefully if it cannot and no firewall integration was requested for the network being edited/created.