LXC container with bridge networking exposes fake MAC address to external network
I'm running an LXC container (lxc 0.7.2-1) on Debian squeeze with bridge networking configured by the book with a public IP, and I have a problem: it exposes a fake MAC address from the LXC container to the external network, where it gets blocked by switch port security, preventing the LXC container from communicating with the world. I run another LXC container on Ubuntu 12.04.2 LTS (lxc 0.7.5-3ubuntu67) with the same network configuration, but I don't have any problems there, as it doesn't expose fake MACs to the external network and all communication goes out with the host's MAC.
Currently I'm trying to find the difference in network configuration between the hosts, but without much success. Could it possibly be version-dependent behavior of lxc itself?
Debian /etc/network/interfaces
auto br0
iface br0 inet static
bridge_ports eth0
bridge_fd 0
bridge_stp off
bridge_maxwait 0
address y.y.y.9
netmask 255.255.255.192
broadcast y.y.y.63
gateway y.y.y.1
pre-up iptables-restore < /etc/iptables.up.rules
Debian LXC network config
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = fe:95:57:4b:b4:9b
lxc.network.ipv4 = y.y.y.12/26
Ubuntu /etc/network/interfaces
auto br0
iface br0 inet static
bridge_ports eth0
bridge_fd 0
bridge_stp off
bridge_maxwait 0
address z.z.z.146
netmask 255.255.255.0
broadcast z.z.z.255
gateway z.z.z.1
pre-up iptables-restore < /etc/iptables.rules
up route add x.x.x.1 br0
Ubuntu LXC network config
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.ipv4 = x.x.x.1/32
lxc.network.hwaddr = 00:16:3e:87:b5:b9
Solution 1:
The difference is that the LXC container on Ubuntu uses an IP address from a different subnet and has its host's IP as its default gateway, whereas the LXC container on Debian uses an IP from the same subnet as the host and has the same default gateway as the host.
When an LXC container has an IP from a different subnet than its host and uses its host as its default gateway, packets from the LXC container are routed, and when they leave the host's network interface they carry the host's MAC. When the LXC container is on the same subnet as the host and uses the same gateway, packets are bridged and retain the LXC container's fake MAC. My solution is to force routing through the host even if they are on the same subnet. In this case my LXC container has the following /etc/network/interfaces:
auto eth0
iface eth0 inet static
address y.y.y.12
netmask 255.255.255.255
post-up route add y.y.y.9 dev eth0
post-up route add default gw y.y.y.9
and the LXC host has the following in sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.bond0.proxy_arp = 1
and in /etc/network/interfaces:
auto bond0
iface bond0 inet static
address y.y.y.9
netmask 255.255.255.192
broadcast y.y.y.63
gateway y.y.y.1
auto lxcbr0
iface lxcbr0 inet static
bridge_ports none
bridge_fd 0
bridge_stp off
bridge_maxwait 0
address 192.168.120.1
netmask 255.255.255.0
up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
up /sbin/ip route add to y.y.y.12 dev lxcbr0
I have removed irrelevant options from configs above.
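An added example, not part of the question or the answer above: a small Python model of the bridged-versus-routed distinction the answer draws, plus a check of the host-side prerequisites for the routed setup (IP forwarding, proxy ARP on the uplink, a host route to the container). Addresses from 198.51.100.0/26 and the interface names bond0/lxcbr0 are constructed stand-ins for the y.y.y.x values in the post.

```python
"""Model of the two cases the answer describes: a container whose default
gateway is the host itself is routed (frames leave the uplink with the host's
MAC); a container on the host's subnet using the host's upstream gateway is
bridged (frames keep the container's veth MAC, which port security blocks)."""
import ipaddress


def frame_source(container_ip, container_gw, host_ip, host_cidr, host_gw):
    """Return 'host' if frames leaving the uplink carry the host's MAC, or
    'container' if they carry the container's own lxc.network.hwaddr MAC."""
    host_net = ipaddress.ip_network(host_cidr, strict=False)
    gw = ipaddress.ip_address(container_gw)
    if gw == ipaddress.ip_address(host_ip):
        return "host"          # routed through the host's IP stack
    if ipaddress.ip_address(container_ip) in host_net and gw == ipaddress.ip_address(host_gw):
        return "container"     # bridged straight from br0 onto eth0
    raise ValueError("container gateway is neither the host nor the host's gateway")


def routed_setup_problems(sysctl, ip_route_lines, uplink, container_ip):
    """Check the host-side prerequisites of the routed setup from the answer.
    `sysctl` maps key -> value; `ip_route_lines` are lines of `ip route` output."""
    problems = []
    if sysctl.get("net.ipv4.ip_forward") != "1":
        problems.append("net.ipv4.ip_forward is not 1")
    if sysctl.get(f"net.ipv4.conf.{uplink}.proxy_arp") != "1":
        problems.append(f"proxy_arp is off on {uplink}; host will not answer ARP for {container_ip}")
    if not any(line.split()[0] == container_ip for line in ip_route_lines if line.strip()):
        problems.append(f"no host route for {container_ip} towards the container bridge")
    return problems


if __name__ == "__main__":
    # Constructed values: the Debian case from the question (bridged) and the fix (routed).
    print(frame_source("198.51.100.12", "198.51.100.1", "198.51.100.9", "198.51.100.9/26", "198.51.100.1"))
    print(frame_source("198.51.100.12", "198.51.100.9", "198.51.100.9", "198.51.100.9/26", "198.51.100.1"))
    sysctl = {"net.ipv4.ip_forward": "1", "net.ipv4.conf.bond0.proxy_arp": "1"}
    routes = ["default via 198.51.100.1 dev bond0",
              "198.51.100.0/26 dev bond0 proto kernel scope link src 198.51.100.9",
              "198.51.100.12 dev lxcbr0 scope link"]  # the `ip route add to y.y.y.12 dev lxcbr0` line
    print(routed_setup_problems(sysctl, routes, "bond0", "198.51.100.12"))
```

Note that the answer's sysctl.conf enables proxy_arp on bond0 while its interfaces file echoes into eth0's proxy_arp; the check takes the uplink name as a parameter so it can be run against whichever interface actually faces the switch.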