Public IP on virtual machine network issue

Tom Ammon thomasammon at gmail.com
Mon Feb 14 15:18:54 UTC 2022


Laine,

Though I can't remember the particulars, I have a vague memory of the
sysctl settings in that article indeed solving the problem of traffic not
being forwarded on the bridge when I had configured no filtering on the
guest - hence my attempt to share what worked for me. Perhaps it would be
good to update that page. I looked around for a link to create an account
on the libvirt wiki but could find none. I'm happy to go do some more
research around the items you mentioned and add a quick note to that page
to keep from leading people astray in the future, if I could get an account
on the wiki. Do you know how I would do that?

Thanks,
Tom

On Mon, Feb 14, 2022 at 8:12 AM Laine Stump <laine at redhat.com> wrote:

>
>
> On 2/13/22 5:38 PM, Tom Ammon wrote:
> > Can you post the output of iptables -L?
> >
> > By default, the bridge module in the kernel sends packets traversing the
> > bridge to iptables (in the FORWARD chain I believe) for processing. So
> > if you have configured a DENY policy on the FORWARD chain, or are
> > otherwise filtering in the forward chain, you'll be affecting packets
> > traversing the bridge. Check out this page for details on how to change
> > this behavior:
> > https://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf
> >
>
> That information is *very* out of date; the situation has changed quite
> a lot since that was written in 2014.
>
> Packets traversing a bridge device are now only filtered if
> the br_netfilter module is loaded, which isn't done by default. It *is*
> autoloaded if certain types of iptables rules are added (I can't remember
> the details of the type of rule though - there was a bug in iptables a
> year or so ago where autoload of br_netfilter was triggered by libvirt
> attempting to *remove* a rule of whatever type it was).
>
> Anyway, unless "lsmod | grep br_netfilter" shows that you have
> br_netfilter loaded, this entire path is a red herring (if you do have
> it loaded, unload it, and try to figure out why it was loaded).
>
> (Interestingly, this is the 2nd time this particular outdated page has
> come up in the last week. Has something else broken somewhere that's
> causing people to search out this page?)
>
> >
> > Tom
> >
> > On Sun, Feb 13, 2022 at 4:08 PM Marcin Groszek <marcin at voipplus.net
> > <mailto:marcin at voipplus.net>> wrote:
> >
> >     I have been struggling with this for weeks and I was unable to find an
> >     answer online. Perhaps someone here can help me.
> >
> >     Oracle Linux 8 running virtualization:
> >
> >     hardware node has a public IP address on interface bridge0 and physical
> >     eno1 is a member of the bridge0
> >
> >     a virtual OS has interface bridged to lan and source is bridge0, IP
> >     address of virtual OS is also a public from same class as the
> >     hardware node.
> >
> >     I can route in and out of virtual, I can ping from hardware node to
> >     virtual and vice versa, so the routing works as it should, sort of.
> >
> >     When I try tracepath or traceroute from outside to virtual I get !H on
> >     last hop
> >
> >     same result when I try to do the same from hardware node to virtual
> >     I get !H
> >
> >     Also, when I telnet (TCP) to a specific port on virtual where I have a
> >     daemon LISTENING OR NOT I get: No route to host. Same experiment works
> >     just fine for ssh port.
> >
> >     Firewalld is not running, and I just have very basic iptables rules
> >     like allowing external address block to ssh to hardware node and to
> >     virtual, dropping connections from all other sources
> >
> >     This issue presented itself when I attempted to set up a galera node on
> >     virtual and port 4567 is responding but 4568 and 4444 are not, but the
> >     daemons are running and I can clearly see lsof showing "LISTENING"
> >
> >     I capture the traffic and the tcp as well as udp are getting to the
> >     virtual. Is there a preconfigured netfiltering that I am not aware of?
> >
> >     What am I missing?
> >
> >
> >
> >
> >     --
> >     Best Regards:
> >     Marcin Groszek
> >     Business Voip Resource.
> >     http://www.voipplus.net <http://www.voipplus.net>
> >
> >
> >
> > --
> > -----------------------------------------------------------------------------
> > Tom Ammon
> > M: (737) 400-9042
> > thomasammon at gmail.com <mailto:thomasammon at gmail.com>
> > -----------------------------------------------------------------------------
>
>

-- 
-----------------------------------------------------------------------------
Tom Ammon
M: (737) 400-9042
thomasammon at gmail.com
-----------------------------------------------------------------------------
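The first thing Laine asks for in the thread is whether br_netfilter is loaded at all, since without it the bridge-nf-call sysctls do not exist and the FORWARD chain never sees bridged guest traffic. The following read-only check is an added example, not code from the thread, libvirt, or the wiki page it discusses. It reads /proc/modules (the same data `lsmod` prints), reports the three bridge-nf-call knobs if present, and only then looks at the FORWARD policy Tom asked about. The module and iptables listings at the top are constructed samples so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether bridged guest traffic can
# be reaching iptables on this host before touching any sysctl or rule.

# Constructed sample in /proc/modules format. `lsmod` output parses the same
# way, since the module name is the first field in both.
SAMPLE_MODULES_LOADED='bridge 311296 1 br_netfilter, Live 0xffffffffc0a00000
br_netfilter 32768 0 - Live 0xffffffffc0900000
stp 16384 1 bridge, Live 0xffffffffc0800000'

SAMPLE_MODULES_CLEAN='bridge 311296 0 - Live 0xffffffffc0a00000
stp 16384 1 bridge, Live 0xffffffffc0800000'

# Constructed sample of `iptables -L FORWARD -n` output with a DROP policy.
SAMPLE_FORWARD_DROP='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  198.51.100.0/24      0.0.0.0/0'

# Exit 0 when the module listing passed as $1 names br_netfilter.
br_netfilter_loaded_in() {
    printf '%s\n' "$1" | awk '$1 == "br_netfilter" { found = 1 }
                              END { exit (found ? 0 : 1) }'
}

# Print the policy from the "Chain FORWARD (policy X)" header line of $1,
# or "unknown" when no such line is present.
forward_policy_of() {
    printf '%s\n' "$1" | awk '
        /^Chain FORWARD \(policy / { sub(/\)$/, "", $4); print $4; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# "loaded" or "not-loaded" for the live host, read from /proc/modules.
bridge_nf_state() {
    if [ -r /proc/modules ] && br_netfilter_loaded_in "$(cat /proc/modules)"; then
        echo loaded
    else
        echo not-loaded
    fi
}

# The bridge-nf-call knobs only exist while br_netfilter is loaded, so their
# absence is itself the answer.
show_bridge_nf_sysctls() {
    for k in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        f="/proc/sys/net/bridge/$k"
        if [ -r "$f" ]; then
            printf '%s = %s\n' "$k" "$(cat "$f")"
        else
            printf '%s = (absent, br_netfilter not loaded)\n' "$k"
        fi
    done
}

# Live report. With br_netfilter absent the FORWARD policy does not apply to
# bridged guest traffic; with it loaded and bridge-nf-call-iptables=1, a DROP
# policy there does.
report() {
    state=$(bridge_nf_state)
    echo "br_netfilter: $state"
    show_bridge_nf_sysctls
    if [ "$state" = loaded ] && command -v iptables >/dev/null 2>&1; then
        echo "FORWARD policy: $(forward_policy_of "$(iptables -L FORWARD -n 2>/dev/null)")"
    fi
}

report
```

Run it as root on the hardware node; if it prints `br_netfilter: not-loaded`, the wiki page's sysctl advice cannot be what fixed or broke anything, and the search moves to routing and the guest's own filtering, which is the direction Laine points to.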