On 03/20/2015 01:35 PM, Lentes, Bernd wrote:
> Bernd wrote:
>
>> -----Original Message-----
>> From: libvirt-users-boun...@redhat.com [mailto:libvirt-users-boun...@redhat.com] On Behalf Of Lentes, Bernd
>> Sent: Thursday, March 19, 2015 5:12 PM
>> To: libvirt-users@redhat.com
>> Subject: Re: [libvirt-users] still possible to use traditional bridge network setup ?
>>
>> Laine wrote:
>>
>> > ...
>>
>> Hi Laine,
>>
>> the reason was the firewall. Thanks for your tip!
>>
>
> Hi,
>
> now the more precise explanation:
> I booted the host with a normal eth0 and nothing else. Firewall rules were evaluated. I created and configured the bridge. After that "systemctl restart network". Everything worked as expected.
> I configured the vm to use the bridge and started it. The vm has an eth, but no ip, no route, no ns. "sysctl net.bridge.bridge-nf-call-iptables" brought a 1. I didn't change it. Then I restarted the firewall! After that I have a new rule (and network is running):
> "Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 34148 4651K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged

The above rule is effectively the same as setting net.bridge.bridge-nf-call-iptables to 0.

>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING"
>
> man iptables-extensions says:
> "physdev: This module matches on the bridge port input and output devices enslaved to a bridge device. This module is a part of the infrastructure that enables a transparent bridging IP firewall and is only useful for kernel versions above version 2.5.44."
>
> and furthermore:
> "--physdev-is-bridged: Matches if the packet is being bridged and therefore is not being routed. This is only useful in the FORWARD and POSTROUTING chains."
>
> When I booted the host for the 1st time, the bridge didn't exist, so no firewall rule for the bridge. After creating the bridge and restarting the firewall, it recognizes the bridge and dynamically creates this rule. I didn't change "net.bridge.bridge-nf-call-iptables". Still 1.
>
> Bernd
>
> Helmholtz Zentrum München
> Deutsches Forschungszentrum für Gesundheit und Umwelt (GmbH)
> Ingolstädter Landstr. 1
> 85764 Neuherberg
> www.helmholtz-muenchen.de

_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
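An added check (not from the thread or from libvirt) for the situation Laine describes: bridged VM frames escape FORWARD filtering either because net.bridge.bridge-nf-call-iptables is 0 or because an early ACCEPT rule with --physdev-is-bridged short-circuits the chain. The FORWARD listing below is a constructed sample modelled on Bernd's output; the function names are my own.

```shell
#!/bin/sh
# Decide whether bridged (not routed) traffic is exempt from the FORWARD chain.
# Two paths lead there: the sysctl is 0 (netfilter never sees bridged frames),
# or the first FORWARD rule matching --physdev-is-bridged is an ACCEPT, so no
# later rule in the chain is ever evaluated for bridged frames.

# Constructed sample of `iptables -L FORWARD -v -n`, mirroring the thread.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
34148 4651K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING"'

# bridged_traffic_bypasses_forward <bridge-nf-call-iptables value> <FORWARD listing>
# Prints "yes" when bridged frames never reach the remaining FORWARD rules.
bridged_traffic_bypasses_forward() {
    sysctl_val=$1
    listing=$2
    if [ "$sysctl_val" = "0" ]; then
        echo yes
        return 0
    fi
    # Rules are listed in evaluation order; column 3 of a rule line is the target.
    printf '%s\n' "$listing" | awk '
        /physdev-is-bridged/ {
            if ($3 == "ACCEPT") print "yes"; else print "no"
            found = 1; exit
        }
        END { if (!found) print "no" }'
}

# Live check on the current host (needs root for iptables); hypothetical helper.
check_live_host() {
    val=$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null || echo 0)
    chain=$(iptables -L FORWARD -v -n 2>/dev/null)
    echo "bridge-nf-call-iptables=$val bridged_bypasses_FORWARD=$(bridged_traffic_bypasses_forward "$val" "$chain")"
}

if [ "${1:-}" = "--live" ]; then
    check_live_host
else
    echo "sample: bridged_bypasses_FORWARD=$(bridged_traffic_bypasses_forward 1 "$SAMPLE_FORWARD")"
fi
```

Run with `--live` on a host to see whether guest traffic on a bridge is actually being filtered, which is what you need to know before relying on host FORWARD rules to protect VMs.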