Bridge network¶
As one of the possible network configuration types under LXD, LXD supports creating and managing network bridges.
A network bridge creates a virtual L2 Ethernet switch that instance NICs can connect to, making it possible for them to communicate with each other and the host. LXD bridges can leverage underlying native Linux bridges and Open vSwitch.
The bridge network type allows to create an L2 bridge that connects the instances that use it together into a single network L2 segment.
Bridges created by LXD are managed, which means that in addition to creating the bridge interface itself, LXD also sets up a local dnsmasq process to provide DHCP, IPv6 route announcements and DNS services to the network.
By default, it also performs NAT for the bridge.
See How to configure your firewall for instructions on how to configure your firewall to work with LXD bridge networks.
Note
Static DHCP assignments depend on the client using its MAC address as the DHCP identifier. This method prevents conflicting leases when copying an instance, and thus makes statically assigned leases work properly.
IPv6 prefix size¶
If you’re using IPv6 for your bridge network, you should use a prefix size of 64.
Larger subnets (i.e., using a prefix smaller than 64) should work properly too, but they aren’t typically that useful for SLAAC.
Smaller subnets are in theory possible (when using stateful DHCPv6 for IPv6 allocation), but they aren’t properly supported by dnsmasq and might cause problems.
If you must create a smaller subnet, use static allocation or another standalone router advertisement daemon.
Configuration options¶
The following configuration key namespaces are currently supported for the bridge network type:
bgp(BGP peer configuration)bridge(L2 interface configuration)dns(DNS server and resolution configuration)fan(configuration specific to the Ubuntu FAN overlay)ipv4(L3 IPv4 configuration)ipv6(L3 IPv6 configuration)maas(MAAS network identification)security(network ACL configuration)raw(raw configuration file content)tunnel(cross-host tunneling configuration)user(free-form key/value for user metadata)
Note
LXD uses the CIDR notation where network subnet information is required, for example, 192.0.2.0/24 or 2001:db8::/32. This does not apply to cases where a single address is required, for example, local/remote addresses of tunnels, NAT addresses or specific addresses to apply to an instance.
The following configuration options are available for the bridge network type:
| Key: | bgp.ipv4.nexthop |
| Type: | string |
| Default: | local address |
| Condition: | BGP server |
| Scope: | local |
| Key: | bgp.ipv6.nexthop |
| Type: | string |
| Default: | local address |
| Condition: | BGP server |
| Scope: | local |
| Key: | bgp.peers.NAME.address |
| Type: | string |
| Condition: | BGP server |
| Scope: | global |
| Key: | bgp.peers.NAME.asn |
| Type: | integer |
| Condition: | BGP server |
| Scope: | global |
| Key: | bgp.peers.NAME.holdtime |
| Type: | integer |
| Default: |
|
| Condition: | BGP server |
| Required: | no |
| Scope: | global |
Specify the hold time in seconds.
| Key: | bgp.peers.NAME.password |
| Type: | string |
| Default: | (no password) |
| Condition: | BGP server |
| Required: | no |
| Scope: | global |
| Key: | bridge.driver |
| Type: | string |
| Default: |
|
| Scope: | global |
Possible values are native and openvswitch.
| Key: | bridge.external_interfaces |
| Type: | string |
| Scope: | local |
Specify a comma-separated list of unconfigured network interfaces to include in the bridge.
| Key: | bridge.mode |
| Type: | string |
| Default: |
|
| Scope: | global |
Possible values are standard and fan.
| Key: | bridge.mtu |
| Type: | integer |
| Default: |
|
| Scope: | global |
The default value varies depending on whether the bridge uses a tunnel or a fan setup.
| Key: | dns.domain |
| Type: | string |
| Default: |
|
| Scope: | global |
| Key: | dns.mode |
| Type: | string |
| Default: |
|
| Scope: | global |
Possible values are none for no DNS record, managed for LXD-generated static records, and dynamic for client-generated records.
| Key: | dns.search |
| Type: | string |
| Default: |
|
| Scope: | global |
Specify a comma-separated list of domains.
| Key: | dns.zone.forward |
| Type: | string |
| Scope: | global |
Specify a comma-separated list of DNS zone names.
| Key: | dns.zone.reverse.ipv4 |
| Type: | string |
| Scope: | global |
| Key: | dns.zone.reverse.ipv6 |
| Type: | string |
| Scope: | global |
| Key: | fan.overlay_subnet |
| Type: | string |
| Default: |
|
| Condition: | fan mode |
| Scope: | global |
Use CIDR notation.
| Key: | fan.type |
| Type: | string |
| Default: |
|
| Condition: | fan mode |
| Scope: | global |
Possible values are vxlan and ipip.
| Key: | fan.underlay_subnet |
| Type: | string |
| Default: | initial value on creation: |
| Condition: | fan mode |
| Scope: | global |
Use CIDR notation.
You can set the option to auto to use the default gateway subnet.
| Key: | ipv4.address |
| Type: | string |
| Default: | initial value on creation: |
| Condition: | standard mode |
| Scope: | global |
Use CIDR notation.
You can set the option to none to turn off IPv4, or to auto to generate a new random unused subnet.
| Key: | ipv4.dhcp |
| Type: | bool |
| Default: |
|
| Condition: | IPv4 address |
| Scope: | global |
| Key: | ipv4.dhcp.expiry |
| Type: | string |
| Default: |
|
| Condition: | IPv4 DHCP |
| Scope: | global |
| Key: | ipv4.dhcp.gateway |
| Type: | string |
| Default: | IPv4 address |
| Condition: | IPv4 DHCP |
| Scope: | global |
| Key: | ipv4.dhcp.ranges |
| Type: | string |
| Default: | all addresses |
| Condition: | IPv4 DHCP |
| Scope: | global |
Specify a comma-separated list of IPv4 ranges in FIRST-LAST format.
| Key: | ipv4.firewall |
| Type: | bool |
| Default: |
|
| Condition: | IPv4 address |
| Scope: | global |
| Key: | ipv4.nat |
| Type: | bool |
| Default: |
|
| Condition: | IPv4 address |
| Scope: | global |
| Key: | ipv4.nat.address |
| Type: | string |
| Condition: | IPv4 address |
| Scope: | global |
| Key: | ipv4.nat.order |
| Type: | string |
| Default: |
|
| Condition: | IPv4 address |
| Scope: | global |
Set this option to before to add the NAT rules before any pre-existing rules, or to after to add them after the pre-existing rules.
| Key: | ipv4.ovn.ranges |
| Type: | string |
| Scope: | global |
Specify a comma-separated list of IPv4 ranges in FIRST-LAST format.
| Key: | ipv4.routes |
| Type: | string |
| Condition: | IPv4 address |
| Scope: | global |
Specify a comma-separated list of IPv4 CIDR subnets.
| Key: | ipv4.routing |
| Type: | bool |
| Default: |
|
| Condition: | IPv4 address |
| Scope: | global |
| Key: | ipv6.address |
| Type: | string |
| Default: | initial value on creation: |
| Condition: | standard mode |
| Scope: | global |
Use CIDR notation.
You can set the option to none to turn off IPv6, or to auto to generate a new random unused subnet.
| Key: | ipv6.dhcp |
| Type: | bool |
| Default: |
|
| Condition: | IPv6 address |
| Scope: | global |
| Key: | ipv6.dhcp.expiry |
| Type: | string |
| Default: |
|
| Condition: | IPv6 DHCP |
| Scope: | global |
| Key: | ipv6.dhcp.ranges |
| Type: | string |
| Default: | all addresses |
| Condition: | IPv6 stateful DHCP |
| Scope: | global |
Specify a comma-separated list of IPv6 ranges in FIRST-LAST format.
| Key: | ipv6.dhcp.stateful |
| Type: | bool |
| Default: |
|
| Condition: | IPv6 DHCP |
| Scope: | global |
| Key: | ipv6.firewall |
| Type: | bool |
| Default: |
|
| Condition: | IPv6 DHCP |
| Scope: | global |
| Key: | ipv6.nat |
| Type: | bool |
| Default: |
|
| Condition: | IPv6 address |
| Scope: | global |
| Key: | ipv6.nat.address |
| Type: | string |
| Condition: | IPv6 address |
| Scope: | global |
| Key: | ipv6.nat.order |
| Type: | string |
| Default: |
|
| Condition: | IPv6 address |
| Scope: | global |
Set this option to before to add the NAT rules before any pre-existing rules, or to after to add them after the pre-existing rules.
| Key: | ipv6.ovn.ranges |
| Type: | string |
| Scope: | global |
Specify a comma-separated list of IPv6 ranges in FIRST-LAST format.
| Key: | ipv6.routes |
| Type: | string |
| Condition: | IPv6 address |
| Scope: | global |
Specify a comma-separated list of IPv6 CIDR subnets.
| Key: | ipv6.routing |
| Type: | bool |
| Condition: | IPv6 address |
| Scope: | global |
| Key: | maas.subnet.ipv4 |
| Type: | string |
| Condition: | IPv4 address; using the |
| Scope: | global |
| Key: | maas.subnet.ipv6 |
| Type: | string |
| Condition: | IPv6 address; using the |
| Scope: | global |
| Key: | raw.dnsmasq |
| Type: | string |
| Scope: | global |
| Key: | security.acls |
| Type: | string |
| Scope: | global |
Specify a comma-separated list of network ACLs.
Also see Bridge limitations.
| Key: | security.acls.default.egress.action |
| Type: | string |
| Condition: |
|
| Scope: | global |
The specified action is used for all egress traffic that doesn’t match any ACL rule.
| Key: | security.acls.default.egress.logged |
| Type: | bool |
| Condition: |
|
| Scope: | global |
| Key: | security.acls.default.ingress.action |
| Type: | string |
| Condition: |
|
| Scope: | global |
The specified action is used for all ingress traffic that doesn’t match any ACL rule.
| Key: | security.acls.default.ingress.logged |
| Type: | bool |
| Condition: |
|
| Scope: | global |
| Key: | tunnel.NAME.group |
| Type: | string |
| Condition: |
|
This address is used if tunnel.NAME.local and tunnel.NAME.remote aren’t set.
| Key: | tunnel.NAME.id |
| Type: | integer |
| Condition: |
|
| Key: | tunnel.NAME.interface |
| Type: | string |
| Condition: |
|
| Key: | tunnel.NAME.local |
| Type: | string |
| Condition: |
|
| Required: | not required for multicast |
| Key: | tunnel.NAME.port |
| Type: | integer |
| Default: |
|
| Condition: |
|
| Key: | tunnel.NAME.protocol |
| Type: | string |
| Condition: | standard mode |
Possible values are vxlan and gre.
| Key: | tunnel.NAME.remote |
| Type: | string |
| Condition: |
|
| Required: | not required for multicast |
| Key: | tunnel.NAME.ttl |
| Type: | string |
| Default: |
|
| Condition: |
|
Supported features¶
The following features are supported for the bridge network type:
Firewall issues¶
See How to configure your firewall for instructions on how to troubleshoot firewall issues.