Base bridge config

```yaml
name: br-0
description: VLAN Bridge 0
type: bridge
config:
  security.acls.default.egress.action: reject
  security.acls.default.ingress.action: reject
```
Port forward is in place in all test cases for 80/443 to VM RP for the bridge.
ACL Configs

```yaml
name: None
description: No rules
egress: []
ingress: []
config: {}
```

```yaml
name: HTTP
description: ''
egress:
  - action: allow
    protocol: tcp
    source_port: 80,443
    state: enabled
ingress:
  - action: allow
    protocol: tcp
    source_port: 80,443
    state: enabled
config: {}
```

```yaml
name: SSH
description: ''
egress:
  - action: allow
    protocol: tcp
    source_port: '22'
    destination_port: '22'
    state: enabled
ingress:
  - action: allow
    protocol: tcp
    source_port: '22'
    destination_port: '22'
    state: enabled
config: {}
```
Test: Load LXD UI through VM Reverse Proxy on FQDN

| Case | Expected | Actual |
| --- | --- | --- |
| No ACLs Applied | Rejects Request | Accepts Request |
| None ACL Applied | Rejects Request | Drops Request |
| HTTP ACL Applied | Accepts Request | Drops Request |
The observed accessibility is the opposite of the expected accessibility, and the fail states are drops instead of the rejects that are expected and configured.
Test: SSH Into VM Reverse Proxy Through mDNS LQDN

| Case | Expected | Actual |
| --- | --- | --- |
| No ACLs Applied | Rejects Request | LQDN Unresolvable |
| None ACL Applied | Rejects Request | LQDN Unresolvable |
| SSH ACL Applied | Accepts Request | LQDN Unresolvable |
Test: SSH Into VM Reverse Proxy Through mDNS Hostname

| Case | Expected | Actual |
| --- | --- | --- |
| No ACLs Applied | Rejects Request | Accepts Request |
| None ACL Applied | Rejects Request | HN Unresolvable |
| SSH ACL Applied | Accepts Request | HN Unresolvable |
This one is weird because the LQDN ports are forwarded by LXD by default under nft. I expect this is done so users can access instances by LQDNs and hostnames. I don't think this should be the case, but it is. But that's why the No ACLs case works: DNS is resolvable. The Empty and SSH ACLs break that resolvability for some unknown reason, and it should be explicitly allowed under the SSH ACL.
nft rulesets only seem to change when a network receives an ACL update, so adding a port forward to a network is not applied to nft until you add or remove an ACL item on that network. Already applied ACLs do not propagate changes downstream until the specific ACL is removed and reapplied to the network.
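The following Python is an added example for this report; it is not the reporter's code and not LXD's own code. It transcribes the br-0 defaults and the three ACLs above into data, models the evaluation the test tables expect (first enabled matching rule wins, otherwise the bridge's `security.acls.default.<direction>.action` applies, even when the ACL has no rules), and lints the rule shapes. The evaluation order and the `80,443` / `8000-8010` port syntax are this example's assumptions about LXD, and `keyed_on_destination` is a hypothetical rewrite, not an LXD feature. Run against the report's ACLs, the lint shows that the HTTP ingress rule matches on `source_port`, while a browser reaching the reverse proxy on 443 arrives from an ephemeral source port, so under this model neither the HTTP nor the SSH ACL can admit a normal client connection, independently of the nft propagation behaviour noted above.

```python
"""Model and lint the LXD network ACL rules from this report.

Added example, not the report's or LXD's code. ACL data is transcribed
from the report; the first-match evaluation model and the port-spec
syntax are assumptions about LXD.
"""
import copy

# Transcribed from the report's br-0 config.
NETWORK_DEFAULTS = {"ingress": "reject", "egress": "reject"}

# Transcribed from the report's ACL Configs.
ACLS = {
    "None": {"ingress": [], "egress": []},
    "HTTP": {
        "ingress": [{"action": "allow", "protocol": "tcp",
                     "source_port": "80,443", "state": "enabled"}],
        "egress": [{"action": "allow", "protocol": "tcp",
                    "source_port": "80,443", "state": "enabled"}],
    },
    "SSH": {
        "ingress": [{"action": "allow", "protocol": "tcp", "source_port": "22",
                     "destination_port": "22", "state": "enabled"}],
        "egress": [{"action": "allow", "protocol": "tcp", "source_port": "22",
                    "destination_port": "22", "state": "enabled"}],
    },
}


def parse_ports(spec):
    """Expand a port spec such as '80,443' or '8000-8010' into a set of ints."""
    ports = set()
    for part in str(spec).split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def rule_matches(rule, protocol, src_port, dst_port):
    """True if an enabled rule matches the flow's protocol and ports."""
    if rule.get("state", "enabled") != "enabled":
        return False
    if rule.get("protocol") and rule["protocol"] != protocol:
        return False
    if "source_port" in rule and src_port not in parse_ports(rule["source_port"]):
        return False
    if "destination_port" in rule and dst_port not in parse_ports(rule["destination_port"]):
        return False
    return True


def decide(acl_names, direction, protocol, src_port, dst_port, acls=ACLS):
    """Action for one flow under the named ACLs (assumption: first match wins,
    otherwise the bridge default for that direction, even with no rules)."""
    for name in acl_names:
        for rule in acls[name][direction]:
            if rule_matches(rule, protocol, src_port, dst_port):
                return rule["action"]
    return NETWORK_DEFAULTS[direction]


def lint(acls, defaults=NETWORK_DEFAULTS):
    """Flag rule shapes that cannot admit a normal client connection."""
    findings = []
    for name, acl in acls.items():
        for direction in ("ingress", "egress"):
            if not acl[direction]:
                findings.append(f"{name}/{direction}: no rules, every flow falls "
                                f"through to the default '{defaults[direction]}'")
            for i, rule in enumerate(acl[direction]):
                has_src, has_dst = "source_port" in rule, "destination_port" in rule
                if direction == "ingress" and has_src and not has_dst:
                    findings.append(f"{name}/ingress rule {i}: matches source_port only; "
                                    "clients connect from ephemeral ports, so inbound "
                                    "service traffic never matches")
                elif has_src and has_dst:
                    findings.append(f"{name}/{direction} rule {i}: requires source_port "
                                    f"{rule['source_port']} and destination_port "
                                    f"{rule['destination_port']} at once; a client "
                                    "connection does not use the service port on both ends")
    return findings


def keyed_on_destination(acl):
    """Hypothetical rewrite: copy an ACL so that ingress rules that only name a
    source_port match that value as destination_port instead, which is what an
    'allow clients to reach the service' rule needs."""
    fixed = copy.deepcopy(acl)
    for rule in fixed["ingress"]:
        if "source_port" in rule and "destination_port" not in rule:
            rule["destination_port"] = rule.pop("source_port")
    return fixed
```

Calling `lint(ACLS)` reports both directions of the None ACL as falling through to the reject default, the HTTP ingress rule as source-port-only, and both SSH rules as demanding port 22 on both ends. `decide(["HTTP"], "ingress", "tcp", 51234, 443)` returns `reject` for the report's HTTP ACL, and `allow` once the same ACL is passed through `keyed_on_destination`.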