Cannot access guest with bridged networking when using firewalld (nftables backend) on Debian 12 Bookworm

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



firewalld version 1.3.0-1
libvirt version 9.0.0-4
network-manager version 1.42.4-1

# firewall-cmd --get-active-zones
libvirt
  interfaces: br28
public
  interfaces: dac0 dac0.100 dac0.28 ftth

# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: dac0 dac0.100 dac0.28 ftth
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dac0 is a Direct Attach cable with several vlans.
dac0.100 is the vlan where I create the ppoe connection from my FTTH provider.
ftth is the ppp name.
dac0.28 is the vlan for the public /28 IPv4 subnet.
br28 is the bridge where dac0.28 is attached.

# brctl show
bridge name	bridge id		STP enabled	interfaces
br28		8000.d2605c025b1d	no		dac0.28
							vnet1

# firewall-cmd --list-all --zone=libvirt
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br28
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule priority="32767" reject

# nft list tables
table inet firewalld
table ip mangle

# nft list table ip mangle
# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
oifname "ftth" tcp flags syn / syn,rst tcp option maxseg size 1400-65495 counter packets 0 bytes 0 tcp option maxseg size set rt mtu
	}
}

The previous rule is created by NetworkManager to clamp-mss-to-pmtu for the ftth pppoe.

This is how I create the bridge and the dac0.28 vlan with NetworkManager:

# nmcli con add ifname br28 type bridge con-name br28 ipv4.method manual ipv4.addresses MY_IP/28 connection.zone libvirt # nmcli connection add type vlan con-name dac0.28 ifname dac0.28 vlan.parent dac0 vlan.id 28 ipv4.method disabled ipv6.method disabled master br28 slave-type bridge

I also have isc-dhcp-server, wide-dhcpv6-client and radvd running.

# nmcli con
NAME      UUID                                  TYPE      DEVICE
ftth      f370639c-2712-49c2-9749-e39f17102346  pppoe     ftth
br28      e4d2aad3-ef2d-4ac0-bda5-58471f21655c  bridge    br28
lo        f0327b03-bbc3-4078-8bd1-5225df0ce153  loopback  lo
vnet1     25ae75cd-1606-4fd7-8213-09f4ef1280c4  tun       vnet1
dac0      040e747e-fd7e-41e9-b6a6-ccec9e73c022  ethernet  dac0
dac0.100  147c1632-2c60-42f3-a97a-a6733ef69f4c  vlan      dac0.100
dac0.28   cefb4bf3-dda9-465a-95d0-512ac1294a5b  vlan      dac0.28
enp1s0    81a44a95-efdc-47e2-9c12-76a0a140ca5a  ethernet  --

The previous are all dark green expect lo and vnet1 which are light green (externally managed) and enp1s0 which is white (disconnected).

The br_netfilter module is not loaded and thus net.bridge.bridge-nf-call-ip6tables, net.bridge.bridge-nf-call-iptables, net.bridge.bridge-nf-call-arptables are not even exposed to /proc/sys/net/bridge.

I don't have any nwfilter enabled yet, I'd like to get the basics working first.

The guest gets an IP (both v4 and v6) and can reach the internet. Unfortunately the guest cannot be reached from the outside:

$ ping GUEST_IP
PING GUEST_IP (GUEST_IP) 56(84) bytes of data.
From FTTH_IP icmp_seq=1 Packet filtered

$ ssh GUEST_IP
ssh: connect to host GUEST_IP port 22: No route to host

Routed networking works fine, but libvirt is in charge to create everything in that case (creating the bridge, assigning the libvirt-routed zone, enabling the libvirt-routed policies, etc) while bridged networking must be configured manually (at least on non-RedHat distros).

What's wrong? It looks suspiciously similar to https://bbs.archlinux.org/viewtopic.php?id=274670

Thanks,
Niccolo' Belli




[Index of Archives]     [Virt Tools]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux