[fedora-virt] KVM bridge wonkiness in Fedora19

Dennis Jacobfeuerborn dennisml at conversis.de
Wed Aug 7 16:53:02 UTC 2013


What are the values for the bridge-nf-call-* proc settings on your system?

[root at nexus ~]# ls -l /proc/sys/net/bridge/bridge-nf-call-*
-rw-r--r--. 1 root root 0  7. Aug 18:47 /proc/sys/net/bridge/bridge-nf-call-arptables
-rw-r--r--. 1 root root 0  7. Aug 18:47 /proc/sys/net/bridge/bridge-nf-call-ip6tables
-rw-r--r--. 1 root root 0  7. Aug 18:47 /proc/sys/net/bridge/bridge-nf-call-iptables

The bridge traffic probably gets firewalled. I see an "ACCEPT" rule with 
source 192.168.122.0/24 so if you are using this network for a guest 
then that would explain why you can access the outside world but cannot 
ping the VMs from elsewhere. Try to set the above three settings to 0 
and test again.

Regards,
   Dennis

On 07.08.2013 18:26, Lonni J Friedman wrote:
> Currently, I have the following (defaults):
> ##############
> # iptables --list --numeric
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ################
>
> This is identical to what I see on a Fedora16 host where the VMs are
> accessible over the network.  What kind of rule would you suggest I
> add?
>
> On Wed, Aug 7, 2013 at 1:52 AM, Daniel Sanabria <sanabria.d at gmail.com> wrote:
>> can you share your iptables config (iptables --list --numeric)?
>>
>> make sure you have a forward rule that matches when the physical device is
>> bridge.
>>
>> Cheers,
>>
>> Daniel
>>
>>
>> On 7 August 2013 06:19, Udayendu Sekhar kar <udayendu.kar at gmail.com> wrote:
>>>
>>> Hi there,
>>>
>>> I am using Fedora 19 and configured the bridge when my "NetworkManager" is
>>> enabled. I am configuring the VPN through "NetworkManager", so I have to
>>> keep it on. Here is the configuration from my test system which is working
>>> absolutely fine.
>>>
>>>
>>> ===========
>>> # brctl show
>>> bridge name bridge id STP enabled interfaces
>>> br0 0080.5c260a8373dd no em1
>>> virbr0 8000.5254004f366e yes virbr0-nic
>>>
>>> # cat /etc/sysconfig/network-scripts/ifcfg-em1
>>> # Generated by dracut initrd
>>> DEVICE="em1"
>>> ONBOOT=yes
>>> UUID="61632098-7161-42da-b97f-9e60148f589c"
>>> BOOTPROTO="dhcp"
>>> HWADDR="xx:xx:xx:xx:xx:xx"
>>> TYPE=Ethernet
>>> NAME="em1"
>>> BRIDGE="br0"
>>>
>>> # cat /etc/sysconfig/network-scripts/ifcfg-br0
>>> DEVICE="br0"
>>> BOOTPROTO="dhcp"
>>> TYPE="Bridge"
>>> HWADDR="xx:xx:xx:xx:xx:xx"
>>> MTU=9000
>>> ONBOOT="yes"
>>>
>>>
>>> # systemctl status NetworkManager.service
>>> NetworkManager.service - Network Manager
>>>     Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled)
>>>     Active: active (running) since Wed 2013-08-07 10:21:41 IST; 15min ago
>>>   Main PID: 736 (NetworkManager)
>>>     CGroup: name=systemd:/system/NetworkManager.service
>>>             ├─ 736 /usr/sbin/NetworkManager --no-daemon
>>>             └─1165 /sbin/dhclient -d -sf /usr/libexec/nm-dhcp-client.action -pf /var/run/dhclient-br0.pid -lf /var/lib/NetworkManager/dhclient-d2d68553-f97e-7549-7a26-b34a26f29318-br0.lease -cf /var/lib/Ne...
>>>
>>> Aug 07 10:21:56 fedora.virt NetworkManager[736]: <info>   domain search 'pnq.redhat.com.'
>>> Aug 07 10:21:56 fedora.virt NetworkManager[736]: <info>   domain search 'redhat.com.'
>>> Aug 07 10:21:56 fedora.virt NetworkManager[736]: <info> Activation (br0) Stage 5 of 5 (IPv4 Configure Commit) scheduled...
>>> Aug 07 10:21:56 fedora.virt NetworkManager[736]: <info> Activation (br0) Stage 5 of 5 (IPv4 Commit) started...
>>> Aug 07 10:21:57 fedora.virt NetworkManager[736]: <info> (br0): device state change: ip-config -> secondaries (reason 'none') [70 90 0]
>>> Aug 07 10:21:57 fedora.virt NetworkManager[736]: <info> Activation (br0) Stage 5 of 5 (IPv4 Commit) complete.
>>> Aug 07 10:21:57 fedora.virt NetworkManager[736]: <info> (br0): device state change: secondaries -> activated (reason 'none') [90 100 0]
>>> Aug 07 10:21:57 fedora.virt NetworkManager[736]: <info> Policy set 'Bridge br0' (br0) as default for IPv4 routing and DNS.
>>> Aug 07 10:21:57 fedora.virt NetworkManager[736]: <info> Activation (br0) successful, device activated.
>>> ============
>>>
>>> This configuration will help you to configure the bridge interface over
>>> your em1 device while NetworkManager is on and also you can use the
>>> NetworkManager to configure the VPN.
>>>
>>>
>>> Thanks,
>>> Uday !
>>>
>>> On Wed, Aug 7, 2013 at 4:30 AM, Lonni J Friedman <netllama at gmail.com> wrote:
>>>>
>>>> Greetings,
>>>> I'm attempting to get several virtual machines setup on a Fedora19
>>>> host system, with the traditional bridge network devices (br0, br1,
>>>> etc).   I've done this many times before with older versions of Fedora
>>>> (16, 14, etc), and it just works.  However, for reasons that I cannot
>>>> figure out, the bridge doesn't seem to be working in Fedora19.  While
>>>> I can successfully connect to the outside world (local network +
>>>> internet) from inside a VM, nothing can communicate with the VM from
>>>> outside (local network).  I'm referring to something as trivial as
>>>> pinging.  From inside the VM, I can ping anything successfully (0%
>>>> packet loss).  However, from outside the VM (on the host, or any other
>>>> system on the same network), I see 100% packet loss when pinging the
>>>> IP address of the VM.
>>>>
>>>> My first question is simply, does anyone else have this working
>>>> successfully in F19?  And if so, what steps did you need to follow?
>>>>
>>>> I'm not using NetworkManager at all, it's all the network service.
>>>> There are no firewalls involved anywhere (iptables & firewall services
>>>> are currently disabled).  Here's the current host configuration:
>>>>
>>>>      # brctl show
>>>>      bridge name    bridge id        STP enabled    interfaces
>>>>      br0        8000.38eaa792efe5    no        em2
>>>>                                  vnet1
>>>>      br1        8000.38eaa792efe6    no        em3
>>>>      br2        8000.38eaa792efe7    no        em4
>>>>                                  vnet0
>>>>      virbr0        8000.525400db3ebf    yes        virbr0-nic
>>>>
>>>>      # more /etc/sysconfig/network-scripts/ifcfg-em2
>>>>      TYPE=Ethernet
>>>>      BRIDGE="br0"
>>>>      NAME=em2
>>>>      DEVICE="em2"
>>>>      UUID=aeaa839e-c89c-4d6e-9daa-79b6a1b919bd
>>>>      ONBOOT=yes
>>>>      HWADDR=38:EA:A7:92:EF:E5
>>>>      NM_CONTROLLED="no"
>>>>
>>>>      # more /etc/sysconfig/network-scripts/ifcfg-br0
>>>>      TYPE=Bridge
>>>>      NM_CONTROLLED="no"
>>>>      BOOTPROTO=dhcp
>>>>      NAME=br0
>>>>      DEVICE="br0"
>>>>      ONBOOT=yes
>>>>
>>>>      # ifconfig em2 ;ifconfig br0
>>>>      em2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>>>              inet6 fe80::3aea:a7ff:fe92:efe5  prefixlen 64  scopeid 0x20<link>
>>>>              ether 38:ea:a7:92:ef:e5  txqueuelen 1000  (Ethernet)
>>>>              RX packets 100093  bytes 52354831 (49.9 MiB)
>>>>              RX errors 0  dropped 0  overruns 0  frame 0
>>>>              TX packets 25321  bytes 15791341 (15.0 MiB)
>>>>              TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>>>              device memory 0xf7d00000-f7e00000
>>>>
>>>>      br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>>>              inet 10.31.99.226  netmask 255.255.252.0  broadcast 10.31.99.255
>>>>              inet6 fe80::3aea:a7ff:fe92:efe5  prefixlen 64  scopeid 0x20<link>
>>>>              ether 38:ea:a7:92:ef:e5  txqueuelen 0  (Ethernet)
>>>>              RX packets 19619  bytes 1963328 (1.8 MiB)
>>>>              RX errors 0  dropped 0  overruns 0  frame 0
>>>>              TX packets 11  bytes 1074 (1.0 KiB)
>>>>              TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>>>
>>>> Relevant section from /etc/libvirt/qemu/foo.xml (one of the VMs with
>>>> this problem):
>>>>
>>>>      <interface type='bridge'>
>>>>            <mac address='52:54:00:26:22:9d'/>
>>>>            <source bridge='br0'/>
>>>>            <model type='virtio'/>
>>>>            <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
>>>>      </interface>
>>>>
>>>> I can provide additional information, if requested.  thanks!
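As an added example that is not part of this thread, a small POSIX shell script that checks the three bridge-nf-call-* knobs Dennis asks about (the cause he suspects for Lonni's unreachable VMs) and prints the `sysctl -w` commands that would clear them; it assumes the knob files live under /proc/sys/net/bridge as shown above and takes that directory as a parameter so it can be exercised against a copied tree. Since `iptables --list --numeric` hides interface matches unless `-v` is given, a FORWARD chain that looks like a catch-all ACCEPT should be re-read with `iptables -L FORWARD -v -n` before concluding the firewall is not involved.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the kernel hands
# bridged frames to iptables/ip6tables/arptables. With bridge-nf-call-*=1,
# frames between em2 and a VM's vnetX tap on br0 traverse the FORWARD chain,
# so host firewall rules can silently drop them. The sysctl directory is a
# parameter (default: the real /proc/sys/net/bridge) so the functions can
# also be run against a copied tree.

# Print "knob=value" per bridge-nf-call-* file; "missing" when the file is
# absent (br_netfilter not loaded, so bridged frames bypass netfilter).
bridge_nf_values() {
    dir=${1:-/proc/sys/net/bridge}
    for knob in iptables ip6tables arptables; do
        f="$dir/bridge-nf-call-$knob"
        if [ -r "$f" ]; then
            printf '%s=%s\n' "$knob" "$(cat "$f")"
        else
            printf '%s=missing\n' "$knob"
        fi
    done
}

# Print how many of the three knobs are 1 (0 means the host firewall never
# sees bridged traffic and cannot be what eats the pings).
bridge_nf_count_enabled() {
    n=0
    for line in $(bridge_nf_values "$1"); do
        case $line in *=1) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Print (never execute) the sysctl commands that clear each enabled knob.
# Clearing them also stops the host firewall from inspecting bridged
# traffic; the narrower fix is an explicit FORWARD rule for the bridge,
# e.g. iptables -I FORWARD -i br0 -o br0 -j ACCEPT
bridge_nf_disable_cmds() {
    for line in $(bridge_nf_values "$1"); do
        case $line in
            *=1) printf 'sysctl -w net.bridge.bridge-nf-call-%s=0\n' "${line%=1}" ;;
        esac
    done
}

# Stand-alone run on a host: show the knobs and the commands to clear them.
if [ -d /proc/sys/net/bridge ]; then
    bridge_nf_values
    echo "enabled knobs: $(bridge_nf_count_enabled)"
    bridge_nf_disable_cmds
fi
```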


