Re: still possible to use traditional bridge network setup ?

On 03/20/2015 01:35 PM, Lentes, Bernd wrote:
> Bernd wrote:
>
>
>> -----Original Message-----
>> From: libvirt-users-bounces@xxxxxxxxxx [mailto:libvirt-users-
>> bounces@xxxxxxxxxx] On Behalf Of Lentes, Bernd
>> Sent: Thursday, March 19, 2015 5:12 PM
>> To: libvirt-users@xxxxxxxxxx
>> Subject: Re:  still possible to use traditional bridge network
>> setup ?
>>
>> Laine wrote:
>>
>>
> ...
>
>> Hi Laine,
>>
>> the reason was the firewall. Thanks for your tip !
>>
>>
> Hi,
>
> now the more precise explanation:
> I booted the host with a normal eth0 and nothing else. Firewall rules were evaluated. I created and configured the bridge. After that "systemctl restart network". Everything worked as expected.
> I configured the vm to use the bridge and started it. The vm has an eth, but no ip, no route, no ns. " sysctl net.bridge.bridge-nf-call-iptables" brought a 1. I didn't change it. Then I restarted the firewall ! After that I have a new rule (and network is running):
> " Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 34148 4651K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged

The above rule is effectively the same as setting
net.bridge.bridge-nf-call-iptables to 0.


>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING"
>
> man iptables-extensions says:
> " physdev:  This module matches on the bridge port input and output devices enslaved to a bridge device. This module is a  part  of  the  infrastructure  that
> enables a transparent bridging IP firewall and is only useful for kernel versions above version 2.5.44."
>
> and further more:
> " --physdev-is-bridged: Matches if the packet is being bridged and therefore is not being routed.  This is only useful in the FORWARD and POSTROUTING chains."
>
> When I booted the host for the 1st time, the bridge didn't exist, so no firewall rule for the bridge. After creating the bridge and restarting the firewall, it recognizes the bridge and creates dynamically this rule. I didn't change " net.bridge.bridge-nf-call-iptables". Still 1.
>
> Bernd
>
>
> Helmholtz Zentrum München
> Deutsches Forschungszentrum für Gesundheit und Umwelt (GmbH)
> Ingolstädter Landstr. 1
> 85764 Neuherberg
> www.helmholtz-muenchen.de
> Aufsichtsratsvorsitzende: MinDir´in Bärbel Brumme-Bothe
> Geschäftsführer: Prof. Dr. Günther Wess, Dr. Nikolaus Blum, Dr. Alfons Enhsen
> Registergericht: Amtsgericht München HRB 6466
> USt-IdNr: DE 129521671
>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvirt-users

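The exchange above boils down to one decision: with net.bridge.bridge-nf-call-iptables=1 the frames bridged between the VM's tap device and the uplink are fed through the FORWARD chain, and with a DROP policy and no matching ACCEPT rule they are silently dropped; either the SuSE firewall's "--physdev-is-bridged" ACCEPT rule or setting the sysctl to 0 takes them out of that path, which is why Laine calls the two equivalent. The POSIX shell script below is an added example, not code from the thread or from libvirt, that encodes that decision as a function you can feed a sysctl value and a FORWARD chain dump, and prints the two remedies. The chain dumps are constructed, modelled on the output quoted in the thread, not captured from the poster's host; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): given the value of
# net.bridge.bridge-nf-call-iptables and a dump of the FORWARD chain,
# decide whether bridged VM frames reach the network, and show the fix.

# Constructed `iptables -L FORWARD -v -n` output, modelled on the SuSE
# firewall in the thread (not captured from a real host).
FORWARD_BEFORE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING"'

# Same chain after the firewall was restarted with the bridge present.
FORWARD_AFTER='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
34148 4651K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING"'

# bridge_forward_verdict SYSCTL_VALUE CHAIN_DUMP
# Prints "pass:<reason>" or "drop:<reason>" for frames bridged between
# a VM tap device and the uplink.
bridge_forward_verdict() {
    nf_call=$1
    dump=$2
    # With bridge-nf-call-iptables=0 bridged frames never enter iptables,
    # so the FORWARD chain is irrelevant.
    if [ "$nf_call" = "0" ]; then
        echo "pass:bridge-nf-call-iptables=0"
        return 0
    fi
    # An ACCEPT rule matching --physdev-is-bridged lets the bridged
    # frames through before the chain policy is reached.
    if printf '%s\n' "$dump" | grep -q 'ACCEPT .*--physdev-is-bridged'; then
        echo "pass:physdev-is-bridged-accept"
        return 0
    fi
    # Otherwise the chain policy decides (DROP on the poster's host).
    policy=$(printf '%s\n' "$dump" | sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p')
    if [ "$policy" = "ACCEPT" ]; then
        echo "pass:policy-ACCEPT"
    else
        echo "drop:policy-${policy:-unknown}"
    fi
}

# print_remedies: the two equivalent ways to stop the host firewall from
# filtering bridged frames (both are real iptables/sysctl invocations).
print_remedies() {
    echo "# option 1: accept bridged frames in FORWARD"
    echo "iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT"
    echo "# option 2: keep bridged frames out of iptables entirely"
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=0"
}

echo "firewall before restart (sysctl=1): $(bridge_forward_verdict 1 "$FORWARD_BEFORE")"
echo "firewall after restart  (sysctl=1): $(bridge_forward_verdict 1 "$FORWARD_AFTER")"
echo "sysctl set to 0, old ruleset:       $(bridge_forward_verdict 0 "$FORWARD_BEFORE")"
print_remedies
```

Both remedies have the same security consequence: the host's iptables no longer sees traffic between the VM and the rest of the network, so no host rule can filter or log it. If filtering of VM traffic at the host is wanted, the alternative is explicit FORWARD rules keyed on the tap device (the physdev module's `--physdev-in` / `--physdev-out` matches) placed before the policy, rather than a blanket accept or disabling the sysctl.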